1948fa9631d28f672ba3a052efb5ffd5ced46cf8cd3f07e32a79fdd6675c6491

Analysis

max time kernel
150s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 04:28

Target

2-Protection.mof
Size

1.6MB
MD5

5b5b293488c9e2cf22ae06b9fea69e71
SHA1

f9a71e14b03356154dd523d3ecee60e84b2b9aba
SHA256

dc492a6bd7223b9cf7576f608a4d44a4b0094782e4b890d6dcebd5d1ba7f2dcf
SHA512

f7c7070c6dc9b64cea1ddc863a838f6f1b0a17412ff65ec89c5d1708730e811a0a53a8d0cb412c7a3f6bf932162df8d4ed8ebf70366ffc8fc44e4d653343ab79
SSDEEP

49152:iRZFZag7Q0J0eGg36H5VCSTvQVnAjo0Nre:+aEQ0SOUzTodb0k

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\mof_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\mof_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.mof	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\mof_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\.mof\ = "mof_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\mof_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\mof_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\mof_auto_file\	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1524	AcroRd32.exe
1524	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 756	1236	cmd.exe	29
PID 1236 wrote to memory of 756	1236	cmd.exe	29
PID 1236 wrote to memory of 756	1236	cmd.exe	29
PID 756 wrote to memory of 1524	756	rundll32.exe	30
PID 756 wrote to memory of 1524	756	rundll32.exe	30
PID 756 wrote to memory of 1524	756	rundll32.exe	30
PID 756 wrote to memory of 1524	756	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2-Protection.mof
1⤵
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\2-Protection.mof
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2-Protection.mof"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1524

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact