Overview

overview

3

Static

static

1

piper.gresource

windows10-1703-x64

3

piper.gresource

windows7-x64

3

piper.gresource

windows10-2004-x64

3

piper.gresource

android-10-x64

piper.gresource

android-11-x64

piper.gresource

android-9-x86

piper.gresource

macos-10.15-amd64

1

piper.gresource

debian-9-armhf

piper.gresource

debian-9-mips

piper.gresource

debian-9-mipsel

piper.gresource

ubuntu-18.04-amd64

Analysis

  • max time kernel
    1193s
  • max time network
    872s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    15/06/2023, 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    piper.gresource

  • Size

    1.4MB

  • MD5

    4766bda5e5f80ad42f1390e88596d341

  • SHA1

    56bb0a24d30477c211748580301f72f932686a2a

  • SHA256

    cc56b9cfcd837d58fc48d030158f5f247f95638f0ccf47105411a6ba5270cdac

  • SHA512

    4a5960f33da500f148fb2b61474cc8c3feda6ffbde562850555aa6a1acfcb3eced2298518e50950f84f40ac8fe3315da659c7dff401eee53cca6d47acdb9fb45

  • SSDEEP

    6144:CK0ddwwzkaUwiJonPw0kUqznDMoPIDcwXsy/DMoPIDcwXsyJNxSj/65RFJgAwCuO:xF

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\piper.gresource
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\piper.gresource
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\piper.gresource"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:452

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    536e325e27bc6f6586d5ea5da5009bc3

    SHA1

    cfaf6e00fbad2927552152954ded10da46a339e9

    SHA256

    b6c612f3203534a19ea15d5fc7f657ebfa3884f5c88c7ef38f4009a71083e5d5

    SHA512

    3ed9585307ae4ca71a81bfb3f1058394bab888244dad09f6ee32899757f936d2ee932932cb5d67d011465d2636964b9578583ebee4ebf01256b074d55b778971

    Download Submit