Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
01-07-2024 08:29
Behavioral task
behavioral1
Sample
SOSA.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
SOSA.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
SOSA.pyc
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
SOSA.pyc
Resource
win10v2004-20240226-en
General
-
Target
SOSA.pyc
-
Size
14KB
-
MD5
29087598f55b19f875ba04c9ccf94ccf
-
SHA1
725ce1fd2149d36186a88289b49ded17be8d13e6
-
SHA256
685d53117ad5127cebb8f6423795f078caedacb6c2d4f2e26fe0bb2d4aa95f57
-
SHA512
8d1f207d45a5563d2b5a7132f8b157b4037c24afa3d875445d39415a0cc6fb636f92627317a794c104e4514c3c231bf53b7cc02fb04274cd16dcf69eedb18987
-
SSDEEP
192:uJ8x7+tkOU36SfmdMzjzZzHP+MBjGy/OKW70RYgl2zKwuHPu4uRWrFFFO:uJ8x7+tkOU36SfmdMzjzZ5jG0BKNQ8
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2468 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2468 AcroRd32.exe 2468 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 1796 wrote to memory of 2652 1796 cmd.exe rundll32.exe PID 1796 wrote to memory of 2652 1796 cmd.exe rundll32.exe PID 1796 wrote to memory of 2652 1796 cmd.exe rundll32.exe PID 2652 wrote to memory of 2468 2652 rundll32.exe AcroRd32.exe PID 2652 wrote to memory of 2468 2652 rundll32.exe AcroRd32.exe PID 2652 wrote to memory of 2468 2652 rundll32.exe AcroRd32.exe PID 2652 wrote to memory of 2468 2652 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\SOSA.pyc1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SOSA.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SOSA.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5154c3fa786323b4ed79b518c5f329f48
SHA14d93a4a2e8a539fed3bd655f23b763ebd1703a70
SHA256b1f2acc300c3344d81d0f8e1338a5c030c5133d567c548f459d333767e03ad35
SHA512278b5bf12592241f9695ad210f7a580623a95bfdc402b1b73e4907955d8b4ec967aa811ec86648d7735e68e5e8d5c545dec3650af0ecb69cf25b5d3772580bfa