8f75e0958f99e96dc69b2e13d5a51b1faf03fb3224d8ab072997e3007c9940c3

Analysis

max time kernel
150s
max time network
75s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 21:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Yarbrough/Mk2Y/Assets/2CPint.mu
Size

1.2MB
MD5

738a0b6e30c77eb97e7c1cd756fb67db
SHA1

cb36783cb894be349449e01b180ec02c43021cca
SHA256

736ced0280201efd66076ac6f65b45e3a50cbbf5abff138011886ffd03b60323
SHA512

d79b8d85e4a73d8806feecdac8c913c0335a8eaeef6f3551c2b3cba4595cc29e104c89462c0565280acf4f6bc4786b4b1c51fb84b26c84e42f12fd6ba1f266ae
SSDEEP

24576:XmKfN7PSdbACZkoD7THnDaBEUhuuvovYUuzHXXequ8kZeSLNG:zNrSd0oXnaB9QjuzHXuqu/Q

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\mu_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\mu_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\.mu	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\mu_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\mu_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\mu_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\mu_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000_CLASSES\.mu\ = "mu_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2072	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2072	AcroRd32.exe
2072	AcroRd32.exe
2072	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2288	2292	cmd.exe	29
PID 2292 wrote to memory of 2288	2292	cmd.exe	29
PID 2292 wrote to memory of 2288	2292	cmd.exe	29
PID 2288 wrote to memory of 2072	2288	rundll32.exe	30
PID 2288 wrote to memory of 2072	2288	rundll32.exe	30
PID 2288 wrote to memory of 2072	2288	rundll32.exe	30
PID 2288 wrote to memory of 2072	2288	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Yarbrough\Mk2Y\Assets\2CPint.mu
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Yarbrough\Mk2Y\Assets\2CPint.mu
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Yarbrough\Mk2Y\Assets\2CPint.mu"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f3af956814b357df5ae1e49d90bb29d7

SHA1
33804382c14ac1cacb6b2d79eb885651f858f68e

SHA256
76599002c018e353a2e7606594322748294b356ecdb1f24caec728fc7fb4685b

SHA512
a1538400bd7027ed964047d28bc051fdecd2535debcd40d209dd18b03a375fa2c4a74b388dc6e8b5fd0635914d6c702b93180951fc51e19e4b4e567b1310b23f

Download Submit