Overview

overview

3

Static

static

3

bot.exe

windows7-x64

1

bot.exe

windows10-2004-x64

1

bot.pyc

windows7-x64

3

bot.pyc

windows10-2004-x64

3

Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 09:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bot.pyc

  • Size

    337B

  • MD5

    b187e4bff89f49f8ed54744e0005edf5

  • SHA1

    eb3553b7cf867abbbbfee01fd17428e40014019c

  • SHA256

    2dc6f32580c9765d8efec2767a22c7a3f17b744904a36d9ddc78b8717e3190c6

  • SHA512

    8cdc98ec828301481c57e44b69affc9fe5b87b571c5da617c948f3b35e0a79db3a0a0e3389ab99686927f573f425c877e431a7f0eb2e29cb301b592ccadc17f9

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\bot.pyc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bot.pyc
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\bot.pyc"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\bot.pyc
          4⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.0.1104028796\585900817" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef2aeb47-f01f-49ae-9e1f-22c927fbb85c} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 1284 120d7c58 gpu
            5⤵
              PID:1636
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.1.1233837181\17308747" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6cf3d65-d6ba-49e8-a390-5ad2012a5d54} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 1496 e6fe58 socket
              5⤵
              • Checks processor information in registry
              PID:2236
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.2.1063974988\1877867369" -childID 1 -isForBrowser -prefsHandle 2136 -prefMapHandle 2132 -prefsLen 21811 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {851ef452-0a8f-472a-b9d6-d94e2ca33b32} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 2148 1a67cb58 tab
              5⤵
                PID:1016
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.3.1676847721\2062121439" -childID 2 -isForBrowser -prefsHandle 576 -prefMapHandle 1676 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97c9cd80-1198-4477-bb01-674e920de82f} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 2852 e62b58 tab
                5⤵
                  PID:2664
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.4.2145989534\187102607" -childID 3 -isForBrowser -prefsHandle 3800 -prefMapHandle 3828 -prefsLen 26450 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {06a10879-9cea-4500-ac8c-621d593b614f} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 3816 1f7ebf58 tab
                  5⤵
                    PID:3056
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.5.710387237\1838003565" -childID 4 -isForBrowser -prefsHandle 3948 -prefMapHandle 3952 -prefsLen 26450 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a88633c-357f-441d-9566-35324116bac0} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 3936 20f79b58 tab
                    5⤵
                      PID:1860
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.6.287956882\604078315" -childID 5 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26450 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79ab9d1d-0cb1-4d3a-9413-618ea35bd759} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 4104 20f77158 tab
                      5⤵
                        PID:1288
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                1⤵
                  PID:2924
                • C:\Windows\system32\AUDIODG.EXE
                  C:\Windows\system32\AUDIODG.EXE 0x548
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2964

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
                  Filesize

                  36KB

                  MD5

                  2c29723ca222751b70f4fdac42ec398f

                  SHA1

                  5ba87a66acc42ed9e6be76e86fb1e7ee528f6253

                  SHA256

                  2a8daf67dc893dfaa7e45106e7a692fa760c735aacbe9e6064902b25e9ca43d2

                  SHA512

                  19a767164d892a879b0b32a5a1091b722a50c28e546dcf12d21cadeadd9bb6dcde604f38639c577c07a22a8bf4d114974e19c6438c8f4a2b57d919a502b6c6a4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                  Filesize

                  7KB

                  MD5

                  c460716b62456449360b23cf5663f275

                  SHA1

                  06573a83d88286153066bae7062cc9300e567d92

                  SHA256

                  0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

                  SHA512

                  476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                  Filesize

                  2KB

                  MD5

                  13c43980a98d91e70d4d1ed09db91a1a

                  SHA1

                  dd06218392a722ca9c2ae787f099ce9c27935cce

                  SHA256

                  ed60ccf94480f90044223c4fedc823ba1aa1717626360cd7c4725107a28183e9

                  SHA512

                  36afb40e6195ec2b011a65927fae7117d3eb96c5e208fcca5158f254dc72252438b238876358cedb1cf9423b1f8c5fc748e94162235eae09419208a7a515f00e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\35773804-9301-438c-bde4-11458587f50b
                  Filesize

                  10KB

                  MD5

                  2a59e0da08ea489a850ad513d928cd45

                  SHA1

                  6cf134be5e6e24de2f9fbc724a367c99ec3e8870

                  SHA256

                  6c32c4ea14a16b7cb77aafcd69f68e8ed9ea7bd8bcfb58091d760e0d794a2168

                  SHA512

                  05f0c7db3875c69817a2341e2015ba1d540317064890ad93ddda9ef37e9d246559ead4701c1ea1be958703918824948bdaeca3809434bea6d958cc2960cdb372

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\e50da430-5551-4e16-986d-e88d51ec65ec
                  Filesize

                  745B

                  MD5

                  5cff38d90714784e0d973abf8693881e

                  SHA1

                  3f7ce3dc14fb86212bcf00c056a746a45e8d7602

                  SHA256

                  2159faf2d923161ad21377fa27d340ed32cd93e18dce1d690fdd21227ea3e399

                  SHA512

                  108a71d79c1f8634b425bb715558d260f5b010fe9e99370ce48ad25be71f66df972eb0eea1cef55f9c02d2fe57f2e9ae24018f3e430d3cfa829a4d21271753d2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                  Filesize

                  6KB

                  MD5

                  b10870e23fbcde45a716a6084f0bc74d

                  SHA1

                  6b611c3574dbbf97d7cc52d8987e80ae95804ebf

                  SHA256

                  2f1ad54797b1f8bbc326e4d5b4c93d6d7671be7341e2a44317218723c444a903

                  SHA512

                  e9e23cb17ff09649bc47d46417eb0999b0f062870981aff70f75e9d8f2ab5bb41466b4409213e7990e0d14d3c6861e22b026f499469309884a383235e7a8a803

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
                  Filesize

                  935B

                  MD5

                  537c7b3083bfe6b33eaf3004decd2d63

                  SHA1

                  5bf2ca51dd921bc63385ce58378dc55a0dfea42b

                  SHA256

                  f651ecd504ff49ec672f74c5a93f86a7a245310c3d9a63f6c145b8e137205c60

                  SHA512

                  6795293d4bae5ed8f654c69d07c5b1299f5efaea53b7d0da59287184b5e921dee57255840a5bfb0f661cf250e0042de7f5e7b9cacbc3c6cf4ec1b381364fef3e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore.jsonlz4
                  Filesize

                  585B

                  MD5

                  a062271bf0c54d1475e956ee4d8cd583

                  SHA1

                  617a744df63134a20fc38a63c816436f94b10713

                  SHA256

                  3f0612f1354091211167a5b62c26c0e34a2f18b7d630e6d2cd3a8fa873ae54a0

                  SHA512

                  873eb5ef6cfac38f6771c51119d533bc601db65251f9558aa8fd8cc3b2c55410d5b4c80ad1602e8d24dd7f292e27b25bfbeacb0e4d710974a47a13037b188f60

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                  Filesize

                  184KB

                  MD5

                  92e8ec5aa8036c140036cd9fee54c2e3

                  SHA1

                  c2da28589c00b1c2846a6e5c554472d7e93a9f4a

                  SHA256

                  78205cd9091d5f354be57f73cbfc010b0b96894fc48e91140b541913b7af9663

                  SHA512

                  babd843754d72b10fc7d77ae0465ff3749c4da09e40960d699662ae8c472a8cfebde875f081dc6347d61c5e8822810deefd6437265055584965d660d2c2a7fc7

                  Download Submit