b653631708cdf4b2ec872b4dca10f3c23380c7a2b2029e20f23b590602d1bcfe

max time kernel
135s
max time network
80s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1441.obi
Size

765B
MD5

1bf6c7aa10ef1aa789f9183fb3184253
SHA1

d7f41db0f9657b22434960ddb5861bb7044e5be8
SHA256

b61de6c773623883c3fbe9b0366410198c5c598da725d2abaee376a55e8f87e1
SHA512

5098845598efa2185454f679637adf843627fd35a61a142ae203c5ce90629957feb16f0adc7855c3a9bd9c12fc77a7335b87913544f69270d71e85820e87c3ed

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000_CLASSES\.obi\ = "obi_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000_CLASSES\obi_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000_CLASSES\obi_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000_CLASSES\obi_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000_CLASSES\obi_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000_CLASSES\obi_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000_CLASSES\obi_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000_CLASSES\.obi	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2056	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2056	AcroRd32.exe
2056	AcroRd32.exe
2056	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1684	2100	cmd.exe	30
PID 2100 wrote to memory of 1684	2100	cmd.exe	30
PID 2100 wrote to memory of 1684	2100	cmd.exe	30
PID 1684 wrote to memory of 2056	1684	rundll32.exe	31
PID 1684 wrote to memory of 2056	1684	rundll32.exe	31
PID 1684 wrote to memory of 2056	1684	rundll32.exe	31
PID 1684 wrote to memory of 2056	1684	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\e1441.obi
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\e1441.obi
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\e1441.obi"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d28c68d5e3f09b363c5eb18e0d2e0097

SHA1
62190909e0ef7c09b2b57b198f5b3b8ce01fb1b2

SHA256
7fc24d1e950cae23232c1b810504c53c9238afd8c9a0739c9f2a25049972dad4

SHA512
46dbd242094a07d91e050fe33ed45929e4084b205be8c3423a418fe46c01c7940bfc8cbd464a904681dc7f781be024b4d6da718879bde10a4276fc10eacc0cc2

Download Submit

Resubmissions

Analysis