b653631708cdf4b2ec872b4dca10f3c23380c7a2b2029e20f23b590602d1bcfe

max time kernel
157s
max time network
34s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
05-07-2023 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1296.obi
Size

1KB
MD5

ed9a157142b0d1f361a23c4792c1cef0
SHA1

ec514648196cf365a89ef2504b80de207ecc5862
SHA256

c8d567fae9cb8862d101d9043503da34bd8c115477cba18a7af3eb1236c8ecea
SHA512

605dc24efcf60516fd0a74cda3ba36b0b871ead6286d225b117619a5937f2d8885abdec2a949bbf9e544cafbc0ffe5f6ee3071800b11916199bb610e56b0b71f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\obi_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\.obi	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\obi_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\obi_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\obi_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\.obi\ = "obi_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\obi_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000_CLASSES\obi_auto_file	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
528	AcroRd32.exe
528	AcroRd32.exe
528	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 656	1116	cmd.exe	28
PID 1116 wrote to memory of 656	1116	cmd.exe	28
PID 1116 wrote to memory of 656	1116	cmd.exe	28
PID 656 wrote to memory of 528	656	rundll32.exe	29
PID 656 wrote to memory of 528	656	rundll32.exe	29
PID 656 wrote to memory of 528	656	rundll32.exe	29
PID 656 wrote to memory of 528	656	rundll32.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\e1296.obi
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\e1296.obi
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\e1296.obi"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
bbd78bcdcda378b5e05da11b260e9a42

SHA1
9023b9835f6282025464abbfef7de7671aea55ed

SHA256
a7a84e08f683b85e0765f40aa5d4f4e21fd51d3563cc475d57f76109bce14afe

SHA512
cdb1c151078daa64f675ef8740f1fb0bab720e406ac7d81ffc2666fa506efcca026d749210cc6065278762bb913d7bf97f210c3eeac0e15b191cdf3113dead14

Download Submit

Resubmissions

Analysis