Malware Analysis Report

2024-12-07 20:45

Sample ID 230621-njrsksgh47
Target 03175399.jar
SHA256 a67fc3dec1318660696b553653929426bc6a061031de462ab57ceace5754a821
Tags: strrat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: a67fc3dec1318660696b553653929426bc6a061031de462ab57ceace5754a821

Threat Level: Known bad

The file 03175399.jar was found to be: Known bad.

Malicious Activity Summary

strrat

Strrat family

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-21 11:25

Signatures

Strrat family

strrat

Analysis: behavioral13

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

151s

Max time network

46s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\MvtPefgRyYqmhJkLbJFZM.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\MvtPefgRyYqmhJkLbJFZM.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\MvtPefgRyYqmhJkLbJFZM.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\MvtPefgRyYqmhJkLbJFZM.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f57e135a9cd2983a1cc5d84d9d1142a1
SHA1 a913068f180aa7384c074ae8b98fbcf592472ba2
SHA256 8bee1d254a4d306749c43f8cec03d56fcf2e16b4c9c5d62ce8e1bcd8a9a416fb
SHA512 f6b5d2f1aea64593cb41e8b7dbfa05a42de234669c59ef5b6dc28d134ec1fcd4fc814aeda6dddd5f960a754513425b55269209e8c3fd22d02679d2dcad3b180a

Analysis: behavioral11

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

150s

Max time network

31s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\KhMkDuVtwQiqTmvRKNRUO.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\KhMkDuVtwQiqTmvRKNRUO.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\KhMkDuVtwQiqTmvRKNRUO.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\KhMkDuVtwQiqTmvRKNRUO.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 b9d71fe7f30804934e26f096fa7a794f
SHA1 d1f98f7daae7018ac2f6a305b8cf2ba792cb755c
SHA256 85939f9dab0fe342b3455cb6feb70d4fee1aecf2193b768c84b8919b62732f72
SHA512 2cc072bcb503bfb26f5315e4766d4451bf96861d14c40a91f5f908eaef1b1ef62f08b7b67859cf0e1a37d70f788353f49cd519e7a173571e6edf05b0ba358e42

Analysis: behavioral14

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

71s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\MvtPefgRyYqmhJkLbJFZM.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\MvtPefgRyYqmhJkLbJFZM.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 126.165.241.8.in-addr.arpa udp
US 20.189.173.5:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
NL 87.248.202.1:80 tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

97s

Max time network

102s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\ODxCDSlzXcVsVaqVcnjYn.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\ODxCDSlzXcVsVaqVcnjYn.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 20.189.173.7:443 tcp
US 209.197.3.8:80 tcp
GB 96.16.110.41:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

150s

Max time network

33s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\QULuOzqHXCcwKyTrdxVnN.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\QULuOzqHXCcwKyTrdxVnN.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\QULuOzqHXCcwKyTrdxVnN.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\QULuOzqHXCcwKyTrdxVnN.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 9bc5604b0a753905e167825d014f2751
SHA1 b03dabe31969d753b117eb8a57a302b94a968b85
SHA256 f0e2804b447e30de41f62be73165b7316a6561f25e004ba21d76c8b44ed5dfa2
SHA512 23301e22edbf4d215f442f615fa6e3cfebfe975d7d30f6e8ad99e422de67bb7f9140f48e6723a14e8f1daae116442420004b54ca7dca479ae014848d31b13abf

Analysis: behavioral21

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

150s

Max time network

37s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\VQZSJWtbIIIWStAmVeEzG.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\VQZSJWtbIIIWStAmVeEzG.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\VQZSJWtbIIIWStAmVeEzG.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\VQZSJWtbIIIWStAmVeEzG.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 495b6e01bd5cffab18a6c2e1bc3a27e1
SHA1 7d5c774d68b351c5f45698c25fe687bdcbb30403
SHA256 87f021f90e8d3c795d4c7c6c317705a102cd085809cbf402178ec8dd3ff9a914
SHA512 29212b488e703e0ddd36679e548e5aa8e11856deedbf5341ba82dc3d1b1bdf0ceda546bfea0157cfca4da6d20ccb168ce416ac7973457f760395e30ad7b041fd

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

52s

Max time network

76s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\EpWofAJVbFslmSVoJiOKl.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\EpWofAJVbFslmSVoJiOKl.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 192.229.221.95:80 tcp
US 8.248.1.254:80 tcp
US 8.248.1.254:80 tcp
US 8.248.1.254:80 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

127s

Max time network

133s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\FirstRun.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\FirstRun.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 13.89.178.26:443 tcp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 192.229.221.95:80 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230621-en

Max time kernel

150s

Max time network

31s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\HBrowserNativeApis.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\HBrowserNativeApis.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\HBrowserNativeApis.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\HBrowserNativeApis.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 aab00ee5888bd4e50a3035948405b9a5
SHA1 238e5c2369ce87aacb0497b85b8577397f154a82
SHA256 9f487bb70dadc090b25c95c37b3b97dcd83dd050383235b25847503bc999211f
SHA512 d46329467122ec7be19fd4ff93dfd5bdddf71f93276fa2f4dbd2723f8a1e538278e65538ce6a1c99347fa566e497bca5f8d77ff55396d5c67541cade656b1107

Analysis: behavioral22

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

91s

Max time network

96s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\VQZSJWtbIIIWStAmVeEzG.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\VQZSJWtbIIIWStAmVeEzG.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 20.42.65.89:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 192.229.221.95:80 tcp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

68s

Max time network

109s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\dDWcwWhGOWwQQirQcyCEh.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\dDWcwWhGOWwQQirQcyCEh.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 20.42.73.25:443 tcp
SG 8.241.135.254:80 tcp
NL 8.253.208.120:80 tcp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

102s

Max time network

129s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\ZBbWBpgOmMTESxYNmfXpX.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\ZBbWBpgOmMTESxYNmfXpX.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 20.42.65.88:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

150s

Max time network

31s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\dDWcwWhGOWwQQirQcyCEh.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\dDWcwWhGOWwQQirQcyCEh.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\dDWcwWhGOWwQQirQcyCEh.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\dDWcwWhGOWwQQirQcyCEh.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 7a9a620a778940ad345ff7b645ae70bd
SHA1 cda5ef242d39109ca54872e210f79fecce69c520
SHA256 24352e42bf6f9eb8d030b5cc4da3ea5a388d0b77712af3e0a407eb2f1254f068
SHA512 b58b93457f550135c03a8b670608aa54920b1fe98e154d525bb5fafebf85c988f5f69e7e99fc94efe05ba4f47d1e48a6d67f4bafaab98208a3f3b680b48c3231

Analysis: behavioral3

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

150s

Max time network

33s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\FirstRun.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\FirstRun.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\FirstRun.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\FirstRun.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e702add63afef423543693d14ccf0a65
SHA1 07db36196b7c409f759983c9b336154c195008ea
SHA256 f504671e2eaef145bef1581edcb93326b8cdc8643fa2af462578bd7ac039b77f
SHA512 77ff8600745ade709db9a2face8634556eda6d8584ef793fba9321e456fa214a25cef2936d2ab6c254ef2be954b51437c2f5ce51e6c1465916f2427c88abe9d8

Analysis: behavioral18

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

97s

Max time network

103s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\QULuOzqHXCcwKyTrdxVnN.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\QULuOzqHXCcwKyTrdxVnN.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.121.18.2.in-addr.arpa udp
US 52.168.112.66:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
GB 96.16.110.41:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

150s

Max time network

35s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\GDI32.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\GDI32.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\GDI32.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\GDI32.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 23a6c0c2fe5cd4452e19d68a26e85acc
SHA1 7d8f20a7141399ff501723e31cfb057de880d772
SHA256 adccb69fdad01b8e62965da97aefd3e7b3a151a3caf156e886b31a51e774e61e
SHA512 5bee264281679f056d7f05f99bf7299cf138cb6759c42dfdf2671f78edc155e7fa52e3cfd03e4e82a32cb703f588077711f18d87649450c504554767b26a4b16

Analysis: behavioral20

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

72s

Max time network

94s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\RZyWOkqJLQlVrMxWGpvsk.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\RZyWOkqJLQlVrMxWGpvsk.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 20.189.173.15:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230621-en

Max time kernel

150s

Max time network

30s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\Kernel32.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\Kernel32.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\Kernel32.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\Kernel32.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 303933bebd5db1d2a8969ee41e13970d
SHA1 a21125036ad871f5552f233c7669befc279a0b9f
SHA256 0791a4893187fb2e0872d3f6b9b4bff962bb6f7ce3a44ba6cd480ad1849b5c64
SHA512 04b0537c17a9d4a33f3a3a99e031e32724104127dc4faa87f98abbbfc1719f74975fb79da2b810e35609635f704d3252009a24480669e4875a610ff6fde0d862

Analysis: behavioral10

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

66s

Max time network

92s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\Kernel32.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\Kernel32.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 52.168.117.169:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
DE 23.218.209.198:443 tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

92s

Max time network

95s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\KhMkDuVtwQiqTmvRKNRUO.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\KhMkDuVtwQiqTmvRKNRUO.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 20.42.65.90:443 tcp
US 192.229.221.95:80 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

80s

Max time network

104s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\WeZvnzdveHuSZcFllCmbF.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\WeZvnzdveHuSZcFllCmbF.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 52.182.143.209:443 tcp
US 93.184.221.240:80 tcp
US 23.39.157.169:443 tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

150s

Max time network

31s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\cnrXdWOSpajnDCDOTKUUo.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\cnrXdWOSpajnDCDOTKUUo.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\cnrXdWOSpajnDCDOTKUUo.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\cnrXdWOSpajnDCDOTKUUo.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f38a6f06b5ff6b7497864ccd55210fa3
SHA1 b1e9b3147c4f45c2f2606bf740444384d9104a91
SHA256 9f48f86b1e4ac3ed551021d5de707012c2ccf67da5b36c3b5fb72d36c7be1b23
SHA512 e5f1346282d523b545227a1d43a4e3e5f76a7b1c91b238be8a74be6d959df6a25172521278ecac8fe839ae30f947a0816e4764c4b249a2153e9dea96e29afcee

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

85s

Max time network

33s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\EpWofAJVbFslmSVoJiOKl.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1324 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1324 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1324 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\EpWofAJVbFslmSVoJiOKl.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\EpWofAJVbFslmSVoJiOKl.class

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

90s

Max time network

97s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\GDI32.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\GDI32.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 20.189.173.2:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 192.229.221.95:80 tcp
US 8.248.7.254:80 tcp
US 8.248.7.254:80 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

108s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\HBrowserNativeApis.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\HBrowserNativeApis.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 105.104.123.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 51.104.15.252:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 7.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

70s

Max time network

81s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\cnrXdWOSpajnDCDOTKUUo.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\cnrXdWOSpajnDCDOTKUUo.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 20.189.173.14:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
GB 96.16.110.41:443 tcp
US 8.248.1.254:80 tcp
US 8.248.1.254:80 tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

150s

Max time network

30s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\ZBbWBpgOmMTESxYNmfXpX.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\ZBbWBpgOmMTESxYNmfXpX.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\ZBbWBpgOmMTESxYNmfXpX.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\ZBbWBpgOmMTESxYNmfXpX.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ca51053e8e7b3dc6f0ef337410872b2a
SHA1 4f01c3e4864360252495c5ac7895f0ccefc5a2c1
SHA256 550b8342a732a8fbb0aa1ef207a19dbb105c019ea2e13db915b4d812d2db238a
SHA512 e52a2c3629dae1eb3ecc25f0a8541aa49d4b3756c0a6329648f90f67603a4d3ce675ef50413a2f485c061107305ec3d9fb58fb59c30b1f87301740f5e30d7404

Analysis: behavioral19

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230621-en

Max time kernel

150s

Max time network

34s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\RZyWOkqJLQlVrMxWGpvsk.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\RZyWOkqJLQlVrMxWGpvsk.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\RZyWOkqJLQlVrMxWGpvsk.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\RZyWOkqJLQlVrMxWGpvsk.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 f3c95579a95cec2db11df7bd1eec062d
SHA1 80235c32d760e26d47a42212fbf0f015d1728a51
SHA256 cb238f201237a1fe40c6766103710b5999ab21b9326e4ff24f496ec130b009f0
SHA512 ce227fa9784330ef88de9216d7094ec481aecc984e8c63665d8a90a7d590ca9bd31bbda4454d4f3ce749e6451902dba771e610db13c8a2b8e085506c28f54cf9

Analysis: behavioral23

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230220-en

Max time kernel

150s

Max time network

31s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\WeZvnzdveHuSZcFllCmbF.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\WeZvnzdveHuSZcFllCmbF.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\WeZvnzdveHuSZcFllCmbF.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\WeZvnzdveHuSZcFllCmbF.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 c52e3f9e397fba33fbba02fe26ff45b8
SHA1 aaec0c44ea17a5b7b032db50e5ce31995592b778
SHA256 71533c3542df29f347818f71307657ab929d342f8b400804e8309ce0d79d182a
SHA512 11527c1e96dcbe1656dbd85d92d8b9c913be64f8412f67ca6ce6fe4aa18ffc331cbbfd975af8a75ccdfa70d6a20573a8de047dfa1e12feb4458976846975174e

Analysis: behavioral26

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win10v2004-20230621-en

Max time kernel

53s

Max time network

64s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\XYRGkdetsPPNCXpnbnjzm.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\XYRGkdetsPPNCXpnbnjzm.class

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 20.42.65.89:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230621-en

Max time kernel

150s

Max time network

34s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\XYRGkdetsPPNCXpnbnjzm.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\XYRGkdetsPPNCXpnbnjzm.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\XYRGkdetsPPNCXpnbnjzm.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\XYRGkdetsPPNCXpnbnjzm.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6c364d18eda47e7ddee9a13157becf96
SHA1 6a89ccc4c29376d3236a9384609cc2c1f9fc829e
SHA256 4d5d28c1b2175a1a7726e8caf293656decc691f12bd942a362f314e5c0af7229
SHA512 5f11ca44a261fde0a6aaf8977bdf01728756085225e02456eedb901217a801271aa60835f82a5510f68e1cc0f970d78bb91c64c522b3436f4534613d4d231669

Analysis: behavioral15

Detonation Overview

Submitted

2023-06-21 11:25

Reported

2023-06-21 11:28

Platform

win7-20230621-en

Max time kernel

150s

Max time network

30s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\ODxCDSlzXcVsVaqVcnjYn.class

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\.class C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\.class\ = "class_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1437583205-2177757337-340526699-1000_CLASSES\class_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\carLambo\ODxCDSlzXcVsVaqVcnjYn.class

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\carLambo\ODxCDSlzXcVsVaqVcnjYn.class

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\carLambo\ODxCDSlzXcVsVaqVcnjYn.class"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 e31a7f09069a020eeb8185bd91e21217
SHA1 655c670ebe678696d12b078a85cb9c32fe169076
SHA256 48e0e01956cc5092eb9852d12d53f2a0a85b6376e62499253cbba48884210acd
SHA512 20d9cd9696aa5020f11a6fcd18d211090d9d416cd232ee36a647bd2e075bec562fcc2b153fe1a5e87f6258fcdceea047aec6ab2b7c1f8d046189a9f894d785ce