Analysis
-
max time kernel
118s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
01-07-2024 02:42
Behavioral task
behavioral1
Sample
IncognitoReborn.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
IncognitoReborn.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
w4sp-v2-4.pyc
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
w4sp-v2-4.pyc
Resource
win10v2004-20240611-en
General
-
Target
w4sp-v2-4.pyc
-
Size
45KB
-
MD5
9416bd3645986392c2926fd29d324674
-
SHA1
8d4baadec5e349faab47c012a14c3f902baf6476
-
SHA256
4ab8668d8ca06cdfabf44231bb6a5ab8c18429522955117ff55c881d93409cfa
-
SHA512
6e1c0c479c0244a8ff706ae4ed47c8d630d8cd4e96a6a87db76a0b1d0d64c3137c72f5afcfb85371cfad6bdbc8d51a8d6c84fb72262645491c24cf2186d0b61b
-
SSDEEP
768:i9CYRCJJsXH9rtx/iat10gH3zVo/wfEqBzL1jMmSIhX9UzBQFYCH50kITCes95ZI:AcJsXH9JQw10gjWofECzLVSmeyFL0CZI
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exe
pid | process
2588 | AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exe
pid | process
2588 | AcroRd32.exe
2588 | AcroRd32.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exe, rundll32.exe
description | pid | process | target process
PID 1632 wrote to memory of 3048 | 1632 | cmd.exe | rundll32.exe
PID 1632 wrote to memory of 3048 | 1632 | cmd.exe | rundll32.exe
PID 1632 wrote to memory of 3048 | 1632 | cmd.exe | rundll32.exe
PID 3048 wrote to memory of 2588 | 3048 | rundll32.exe | AcroRd32.exe
PID 3048 wrote to memory of 2588 | 3048 | rundll32.exe | AcroRd32.exe
PID 3048 wrote to memory of 2588 | 3048 | rundll32.exe | AcroRd32.exe
PID 3048 wrote to memory of 2588 | 3048 | rundll32.exe | AcroRd32.exe
Processes
- [depth 1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\w4sp-v2-4.pyc
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\w4sp-v2-4.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\w4sp-v2-4.pyc"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB
MD5
19f3f8d789025826666f6cf495cead92
SHA1
20ac1c66e365172a2e1d164a73db7a961eb46c4b
SHA256
c24f2b503dc1abb94141107ad267a02195aeb9e5f5ee5761041573ea67be4502
SHA512
0ba4694ce74ed766a68c70eee91f611e383cb801d8be86a13633f9bc703755312798cc89eb2735a3e5f59ef3f2c22a0f5c42439c4f81acb426500900aec99532