41caeb1dab6ab9da4571b88cd0a0a2b3a21ce305909358e538a04f988d4a139f

Resubmissions

06/08/2023, 21:02

230806-zvwfpacc88 10

06/08/2023, 20:46

230806-zkhrvacc65 10

Analysis

max time kernel
152s
max time network
129s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06/08/2023, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hwid pack/uninstall/ctrlbars.dat
Size

818B
MD5

307d73e5a0cd909f0f1aba49d7f8ccaa
SHA1

99408011e00e620ade9089a40ea0669a0db5dff2
SHA256

be8c1cc4dbc123555effe0b37d77afab8eda3d3c9f8b2e9e857546c9547261b3
SHA512

f2a9ba218fcb722d7b5ae78446628d1a21a15ba02657f2116656d70e2437005e236e2c0f938dc06b10e17ec15ebda107eff55d51e146cba7b155296729fd5daa

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\dat_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\dat_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\dat_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\dat_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.dat\ = "dat_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.dat	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\dat_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2980	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2980	AcroRd32.exe
2980	AcroRd32.exe
2980	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 3024	2056	cmd.exe	29
PID 2056 wrote to memory of 3024	2056	cmd.exe	29
PID 2056 wrote to memory of 3024	2056	cmd.exe	29
PID 3024 wrote to memory of 2980	3024	rundll32.exe	30
PID 3024 wrote to memory of 2980	3024	rundll32.exe	30
PID 3024 wrote to memory of 2980	3024	rundll32.exe	30
PID 3024 wrote to memory of 2980	3024	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\hwid pack\uninstall\ctrlbars.dat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\hwid pack\uninstall\ctrlbars.dat
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\hwid pack\uninstall\ctrlbars.dat"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2b3dae54cac45d53950118c5057373ec

SHA1
375f8e9bad149d0bbb8535a3ee7820863c4921d2

SHA256
0796b029478c2160a477c4111601f573c8eb960137d27446011481c803cc94f0

SHA512
1bae744ab1af845d297befc81187750fa1e31cb0e843f3e580c27da3cace0f1985d9b7d643d3aee2b569e35404e58d4a3d2a364c28e5d5018d3bc6d4a2faa073

Download Submit