67586741734c93aebfe46208a8d5e47bcb007107c725e722b44611f729987418

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 15:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JustPlay10192ALLCOUNTRIES.apk
Size

29.7MB
MD5

d825f7b04d5e7b3fcdec8d1328d649e5
SHA1

7fe79daa805524962eb034f41b5486d177b9d103
SHA256

67586741734c93aebfe46208a8d5e47bcb007107c725e722b44611f729987418
SHA512

ab624e9545796dab73478cadaf6d1ddb97fb80710d28bbf343371ecb00dce581db7e64868fb1a72aa2829f10b4423532111c1c9217364961b4f3e2241a8dfec4
SSDEEP

786432:fSreU2KsKm17tn2pu0YNy4WK52eqemjNZ28LcH1b:fjKMtn0DYfWK8fi1

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\apk_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\apk_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\apk_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\apk_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\apk_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\.apk	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\.apk\ = "apk_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1484	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1484	AcroRd32.exe
1484	AcroRd32.exe
1484	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 520	1620	cmd.exe	28
PID 1620 wrote to memory of 520	1620	cmd.exe	28
PID 1620 wrote to memory of 520	1620	cmd.exe	28
PID 520 wrote to memory of 1484	520	rundll32.exe	29
PID 520 wrote to memory of 1484	520	rundll32.exe	29
PID 520 wrote to memory of 1484	520	rundll32.exe	29
PID 520 wrote to memory of 1484	520	rundll32.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\JustPlay10192ALLCOUNTRIES.apk
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\JustPlay10192ALLCOUNTRIES.apk
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\JustPlay10192ALLCOUNTRIES.apk"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a3cfcc2414a41bd44c20bef0e91fbcca

SHA1
b1572cfeda1e12c7199d7ff76b2e10a262750339

SHA256
99687f4134893dbcfad32193d7272a36592e77276a4a7c5965f495ad103d086c

SHA512
f5c729896a6934d0fdffe2bc56bd7a81c1f75506ca0c11a5691cbb8131434eb96b9688d30cc3532d5457e7475ff2c64bf2ff885d9775edf49d037a78288dc7ac

Download Submit