5fcf334055fac13b19af791b8afeeae7146570ab704a03b96a70f8e3dd416ad5

Analysis

max time kernel
1200s
max time network
849s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
02-08-2023 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

com.termux_118_src.tar.gz/.gitattributes
Size

120B
MD5

d39a57dfc6ba724e4c63d8399718ca48
SHA1

fdc77631336b7ca24f9476ba6abbe0bba5eeca4e
SHA256

2920101dfb2d1fcdef31b07f7b270b4466f20406db7253559124ebcd2ea4be64
SHA512

ceb146d4a37a04fcad109b52b5d802ea567b85b3941ab01abe9aedf3d8e657e7f10113e520a5556017edb77a5da4f25d4df500a08b2eb079d81bb91a5bd3e5b4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.gitattributes	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\.gitattributes\ = "gitattributes_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\gitattributes_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\gitattributes_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\gitattributes_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\gitattributes_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\gitattributes_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_CLASSES\gitattributes_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2204	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2204	AcroRd32.exe
2204	AcroRd32.exe
2204	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2320	1148	cmd.exe	29
PID 1148 wrote to memory of 2320	1148	cmd.exe	29
PID 1148 wrote to memory of 2320	1148	cmd.exe	29
PID 2320 wrote to memory of 2204	2320	rundll32.exe	30
PID 2320 wrote to memory of 2204	2320	rundll32.exe	30
PID 2320 wrote to memory of 2204	2320	rundll32.exe	30
PID 2320 wrote to memory of 2204	2320	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\com.termux_118_src.tar.gz\.gitattributes
1⤵
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\com.termux_118_src.tar.gz\.gitattributes
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\com.termux_118_src.tar.gz\.gitattributes"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
709341cb78dcc56e6f9cf4129630dc80

SHA1
99b7b06620c80c1ccff8382ee533614d0773c5ba

SHA256
df742dcad4d0046c7a3c3aee8002930daa94fdce2f72e8aaaf470f61527f1fae

SHA512
3ca56eb1bf343086b98c265d4f69ccbad073f8c7509247f99ff97e2aac011a7245d4d2aa018c1f20909c3a04499675a1e118888becb2979798fc44b93b70e746

Download Submit