Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 07:04
Behavioral tasks
- behavioral1: sample tbk.exe, resource win7-20240221-en
- behavioral2: sample tbk.exe, resource win10v2004-20240508-en
- behavioral3: sample tbk.pyc, resource win7-20240508-en
- behavioral4: sample tbk.pyc, resource win10v2004-20240508-en
General
- Target: tbk.pyc
- Size: 3KB
- MD5: d8b7458a5a3348f1c80114e6fd6d5169
- SHA1: 6ceb929dbd6ee5aa98e31011caa164e02a5e282b
- SHA256: 2a96c8523b2c46053758d516847a193f82c7ea42bba62a67225eb86b36e1898a
- SHA512: 89cca90cadf572cebbdfb57b7a7a3f5c7c9cc6acfdc5f2391db377dc7e34eedc7f3a0ca2fb91e6ce455ca087d6d30fba7cb4edf53fef006630b34081830a1405
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: AcroRd32.exe
  pid | process
  2772 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2772 | AcroRd32.exe
  2772 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2036 wrote to memory of 2620 | 2036 | cmd.exe | rundll32.exe (3 events)
  PID 2620 wrote to memory of 2772 | 2620 | rundll32.exe | AcroRd32.exe (4 events)
Processes
- C:\Windows\system32\cmd.exe (PID 2036)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\tbk.pyc
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2620)
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tbk.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2772)
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tbk.pyc"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 5540b6c6d4f266cde49f17c862558058
- SHA1: 4a1fce051eab88d153b21afdccc7afb85d2ac433
- SHA256: d5571449ac0eb3db854910fd6b10d4451b4ea93e2a478bf5f43abe3037ef9791
- SHA512: 78e0fbe7261ce561e75b7e480a87add4721c28c09b8c5f094aac2efa40d603f54a1719c8794739d90d2577ecb957d3acc3ddce853db6a618f6f71f6ee46a2fa5