e08cefc50d013844b2e87e7505886ee21e3f9fe308e7bf960874138f974a89c5

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/05/2023, 20:24

Target

Season Pass/Headers/00000002/DCD596DA00A14B7986331BBC26355D106076D1A458.header
Size

328B
MD5

38bff03bf0588b0fc92cb11a70aba632
SHA1

08093ec7088175adef19ad91abc983fbe78ed8c5
SHA256

2f8598ef6e9c4d90ecd248534c3f800c68ed57fa34c3aaec93435410bd816452
SHA512

813f11205cebc196cf6af18d5d54ee7ae270e4391645a7ee1f4e730bca273e5d9bdf3b1bc3565780f0f886421bceaa88339d9554dffd5d890fdb06571e6da835

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\.header	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\header_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\header_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\header_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\header_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\header_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\.header\ = "header_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_CLASSES\header_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1476	1744	cmd.exe	29
PID 1744 wrote to memory of 1476	1744	cmd.exe	29
PID 1744 wrote to memory of 1476	1744	cmd.exe	29
PID 1476 wrote to memory of 1556	1476	rundll32.exe	30
PID 1476 wrote to memory of 1556	1476	rundll32.exe	30
PID 1476 wrote to memory of 1556	1476	rundll32.exe	30
PID 1476 wrote to memory of 1556	1476	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Season Pass\Headers\00000002\DCD596DA00A14B7986331BBC26355D106076D1A458.header"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Season Pass\Headers\00000002\DCD596DA00A14B7986331BBC26355D106076D1A458.header
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Season Pass\Headers\00000002\DCD596DA00A14B7986331BBC26355D106076D1A458.header"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1556

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact