8cbcf688d8cf2be8cfcdb397569fc979c8ac591b7a8d0056e897093ef069ffc6

Resubmissions

15/08/2023, 18:42

230815-xcjytsda27 3

15/08/2023, 18:09

230815-wrmgtscg74 3

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/08/2023, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

whirlpool/D/Whirlpool-ip-statement.tex
Size

2KB
MD5

646669335c7d4d80b7cfd4fdc83e4833
SHA1

f6794e60297a01f8459d17ed4bf51f5e939b532a
SHA256

0e82633fd35a023b59a6c00d7facba37c8a7a10336454eb731970eef689400e1
SHA512

7b67abe26ef6cfacc035460f33cc21c48fe7efe2185e8b517ae8be1b72461ce50b91b8952dcef4bbaac5dc4ca1446545d7debcb131f59f5da46525cf45e625a3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.tex	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\tex_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\tex_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\tex_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\tex_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\tex_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\tex_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.tex\ = "tex_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1992	AcroRd32.exe
1992	AcroRd32.exe
1992	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2668	2336	cmd.exe	29
PID 2336 wrote to memory of 2668	2336	cmd.exe	29
PID 2336 wrote to memory of 2668	2336	cmd.exe	29
PID 2668 wrote to memory of 1992	2668	rundll32.exe	30
PID 2668 wrote to memory of 1992	2668	rundll32.exe	30
PID 2668 wrote to memory of 1992	2668	rundll32.exe	30
PID 2668 wrote to memory of 1992	2668	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\whirlpool\D\Whirlpool-ip-statement.tex
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\whirlpool\D\Whirlpool-ip-statement.tex
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\whirlpool\D\Whirlpool-ip-statement.tex"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a48e67bc0613d2f122232b25708c10f9

SHA1
cf312cc749309bcdb7707fe98234d23a800798cf

SHA256
1ef9c243e522c562274962537e0f7700cca97928d9520f924befafb1cb9501f2

SHA512
19c19985c2dba11f1264ea599726ee6b90f1e6acc3e80f91b897f0a12d243b79d1de869318f3adf31a76f6f9421b79872801f83be1b736d73120e0d670a1cc8b

Download Submit