Overview

overview

5

Static

static

1

5-3-23 0927.eml

windows7-x64

5

5-3-23 0927.eml

windows10-2004-x64

3

attachment-2.eml

windows7-x64

5

attachment-2.eml

windows10-2004-x64

3

email-html-2.txt

windows7-x64

1

email-html-2.txt

windows10-2004-x64

1

email-plain-1.txt

windows7-x64

1

email-plain-1.txt

windows10-2004-x64

1

message_v4.rpmsg

windows7-x64

3

message_v4.rpmsg

windows10-2004-x64

3

email-plain-1.txt

windows7-x64

1

email-plain-1.txt

windows10-2004-x64

1

Resubmissions

04/05/2023, 14:58

230504-scg21sdb73 5

04/05/2023, 14:52

230504-r88n6sdb54 5

Analysis

  • max time kernel
    150s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04/05/2023, 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    message_v4.rpmsg

  • Size

    280KB

  • MD5

    521ed05cacb0f90a242d3438c51dcdbf

  • SHA1

    83d42fe6c2ff8fa6cb57a4b6189ca4acd23779ba

  • SHA256

    f9e029d7855922179ccbaf0bd5f755ea953adde97c4bd588fef8dd349c0d57ae

  • SHA512

    e66b2a3270273392aedb5cb22daedc0157dc1a85383e7a2f41cd565b71a3faecf51372be52b588c1918c23bc5a42caea5cfe612f1788b43211f14c1e2024a558

  • SSDEEP

    6144:TmdWAaDOMDSkITQbtNw/N59nB8iw7gdFpahtXii+VfHNj+UAq:TqzMDSkIitSF59B8iScpaHXii+5H1

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\message_v4.rpmsg
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\message_v4.rpmsg
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\message_v4.rpmsg"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1772

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads