4058bde8974da0952b95736c0fa26ce98ef5aa8ca754af9b48980eafae263050

Analysis

max time kernel
1800s
max time network
1612s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01/07/2023, 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

controlloid-server-master/dist/linux/udev/77-controlloid-uinput.rules
Size

70B
MD5

76b1380215f173064b7c89553394c372
SHA1

b5c22f19ec767a8ab35c982f7ad2cc6492d78e8d
SHA256

39d0873154a96be37461ef6f61fdb1b03b6ed670f3a8ab2323b4a216f54550af
SHA512

1235fb20ff99cb364dc57861b667c36c858a696d3dcd311648a785fa58ab84b0105bb52e81d3f616ee9ec59251a4888a8fb6bff6d86a22852340ea36c86219fc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\.rules	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\.rules\ = "rules_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1268	AcroRd32.exe
1268	AcroRd32.exe
1268	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1876	1352	cmd.exe	29
PID 1352 wrote to memory of 1876	1352	cmd.exe	29
PID 1352 wrote to memory of 1876	1352	cmd.exe	29
PID 1876 wrote to memory of 1268	1876	rundll32.exe	30
PID 1876 wrote to memory of 1268	1876	rundll32.exe	30
PID 1876 wrote to memory of 1268	1876	rundll32.exe	30
PID 1876 wrote to memory of 1268	1876	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\controlloid-server-master\dist\linux\udev\77-controlloid-uinput.rules
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\controlloid-server-master\dist\linux\udev\77-controlloid-uinput.rules
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\controlloid-server-master\dist\linux\udev\77-controlloid-uinput.rules"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9b007f879831256109024b56003db8bd

SHA1
465364ff767f58393e8e3eaf37872062a3f0b26e

SHA256
d1c4d4add17dfdf5d29e3bc705b4934ee26c2c9db741131c5e7ff03f6a2989a7

SHA512
8b3607fc7bffde7e3f45b7e3577f64bd22198c2170b7a02fffa26c70e4192f7d791541bb0bba9652a3c79d3affe2bb855b18a22f4f91cf665f2144bdf52eb794

Download Submit