bbcc6444202f68e4154063fe28d7a5bd1dde6de140b7e80d707060bb7dbe1650

Analysis

max time kernel
153s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Among Us v2022.12.14i-Pivigames.blog/Among Us_Data/StreamingAssets/aa/Itch/StandaloneWindows/initialmaps_assets_all.bundle
Size

70.7MB
MD5

560d533b0842d00094bde38ac0a66f8c
SHA1

4a27a662f389958d5804e7f47e1721b84a4c3ae7
SHA256

5a213f22f408035a016d267eba468da11d3804c56cc53fd5bd02c9957baf9344
SHA512

4864d262df49bb9dadef97f2f5e3d28450de579a8f55930761241cca6abe0ac6e5a3fb5104738c8165d4c98bc17c2c88fc49160dc3b70e81bbec7b1082e0fe53
SSDEEP

1572864:uJ1st1h0i1aDxMW9JHy4UtxWUtW2cj6aD6xl6m9DFlR/APUMxy:uHs5a2W9JHy4ctWH6aqNNwU

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\bundle_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\bundle_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\bundle_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\bundle_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.bundle	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\bundle_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.bundle\ = "bundle_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\bundle_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3032	2884	cmd.exe	31
PID 2884 wrote to memory of 3032	2884	cmd.exe	31
PID 2884 wrote to memory of 3032	2884	cmd.exe	31
PID 3032 wrote to memory of 2736	3032	rundll32.exe	32
PID 3032 wrote to memory of 2736	3032	rundll32.exe	32
PID 3032 wrote to memory of 2736	3032	rundll32.exe	32
PID 3032 wrote to memory of 2736	3032	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Among Us v2022.12.14i-Pivigames.blog\Among Us_Data\StreamingAssets\aa\Itch\StandaloneWindows\initialmaps_assets_all.bundle"
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Among Us v2022.12.14i-Pivigames.blog\Among Us_Data\StreamingAssets\aa\Itch\StandaloneWindows\initialmaps_assets_all.bundle
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Among Us v2022.12.14i-Pivigames.blog\Among Us_Data\StreamingAssets\aa\Itch\StandaloneWindows\initialmaps_assets_all.bundle"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
b3e7df64f19c5f151fcabf668533cab8

SHA1
fd83036bb85300bfd13b29de9fd9ac4b5dbc9ee3

SHA256
acde28d6c5cab2aa42375eb2ee36fa49182cebd794506cd28d16aecfe2e1f3cd

SHA512
249aea4fd2031ff23ce2cb81753706c7750a0d55d67a1d5d2ad58fc584c18e86c1f61fde0e8f427a77a52446caaaf0c8993ee6f1665cf335f68947612edc8272

Download Submit