Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
04/06/2024, 20:12
Static task
static1
Behavioral task
behavioral1
Sample
Rose-Stealer-main/payload/main.py
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Rose-Stealer-main/payload/main.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Rose-Stealer-main/utils/aes_encrypt.py
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
Rose-Stealer-main/utils/aes_encrypt.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Rose-Stealer-main/utils/b85_encode.py
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
Rose-Stealer-main/utils/b85_encode.py
Resource
win10v2004-20240426-en
General
-
Target
Rose-Stealer-main/utils/aes_encrypt.py
-
Size
2KB
-
MD5
2d308ed55531923e9b2c9a0502af8401
-
SHA1
509e61f5ab8f4666b955ec71ce09c2081d07d8b6
-
SHA256
89212b4a8408b8acbac15c698f7c5a1c89e62b9de8073ff93dc118013fe20a88
-
SHA512
be73ae524bbc3251a647198f7f4fb7cf9a5ac3343603ceeceba407daed8bea24bf39a8c11fa7295c17dcb65308d70a8e23e0af659aea8f20537a48c6ee572f18
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2808 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2808 AcroRd32.exe 2808 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2844 wrote to memory of 2740 2844 cmd.exe 29 PID 2844 wrote to memory of 2740 2844 cmd.exe 29 PID 2844 wrote to memory of 2740 2844 cmd.exe 29 PID 2740 wrote to memory of 2808 2740 rundll32.exe 30 PID 2740 wrote to memory of 2808 2740 rundll32.exe 30 PID 2740 wrote to memory of 2808 2740 rundll32.exe 30 PID 2740 wrote to memory of 2808 2740 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\utils\aes_encrypt.py1⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\utils\aes_encrypt.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\utils\aes_encrypt.py"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2808
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD51db0b25502dbb6f7cc9e2126a6b9ffd6
SHA1cfed81c44fa18aeab7c4b244883dee0ed323d659
SHA2566940bd7c179e3a9ae9c2c259ad49cc8753012d6ee5cbd33d9cdfde1828d1298c
SHA512c269a6c6c8cb7d08b06631754711fce5e350f88ed5b73c1e1f62e3f5a75f94767b5b56f0230f0afc1e8d1e19c834e9ec2974d2f6aefb888a157fdbb8dc5c19b2