f5134e10ca4c52c993a1deefeae187df072c4ad6f34909bb6baf0b36caa92d1e

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/05/2023, 17:35

Target

SportsPageDefaultConfigResponse.json
Size

1KB
MD5

2b682858a9492017765240d3b7ff7831
SHA1

54269a95cfa97fff13a348b979bbd26940b93713
SHA256

ef327c5721641547fc532f1653c1ad822c8703592fc67b331a400f783603271f
SHA512

e1c04f629500b2901de85d679ef40a9b55834c19d5bebeff3b3a9df5075f2cc2b37f10e7209c42d89996296681c43278233592179bf50a0de11d355d38f778ad

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1504	1304	cmd.exe	29
PID 1304 wrote to memory of 1504	1304	cmd.exe	29
PID 1304 wrote to memory of 1504	1304	cmd.exe	29
PID 1504 wrote to memory of 1724	1504	rundll32.exe	30
PID 1504 wrote to memory of 1724	1504	rundll32.exe	30
PID 1504 wrote to memory of 1724	1504	rundll32.exe	30
PID 1504 wrote to memory of 1724	1504	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SportsPageDefaultConfigResponse.json
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SportsPageDefaultConfigResponse.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SportsPageDefaultConfigResponse.json"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1724

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact