46df94d126ed67857062d22471e48b50c4bf388da1da9f544532671dcb1f4f96

Analysis

max time kernel
60s
max time network
19s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24/08/2023, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pago fra.tar
Size

487KB
MD5

a99f3dee30d113301039bb19ab48b650
SHA1

e983b28b102edd2c5150408c0c4c63d2f9e1b1c1
SHA256

46df94d126ed67857062d22471e48b50c4bf388da1da9f544532671dcb1f4f96
SHA512

e527e7cd10ddc437119776ecbde6e02b6549c1733dab7f1c0e5887a68979a4295e5f3adc102c75a9511ce702af81804597e3d5a3958a74797057e6f3804ce5eb
SSDEEP

6144:EC2OPZVheNA+ff0nehDE/13A9z3GIKW3+UGPypnnxpof0sQXFdNcW/eBsF4RslKn:znhe2eoCDDaK+U2Snnxuc/unNsM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\tar_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\tar_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\tar_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\tar_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.tar	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\.tar\ = "tar_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\tar_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000_CLASSES\tar_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1568	AcroRd32.exe
1568	AcroRd32.exe
1568	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1576	2400	cmd.exe	29
PID 2400 wrote to memory of 1576	2400	cmd.exe	29
PID 2400 wrote to memory of 1576	2400	cmd.exe	29
PID 1576 wrote to memory of 1568	1576	rundll32.exe	30
PID 1576 wrote to memory of 1568	1576	rundll32.exe	30
PID 1576 wrote to memory of 1568	1576	rundll32.exe	30
PID 1576 wrote to memory of 1568	1576	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Pago fra.tar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Pago fra.tar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pago fra.tar"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
cdf0f6e4346adc3847de480573619101

SHA1
d72e9337823bca0b49eca978dbe4f36b083b71b7

SHA256
8baed80aea4a2bc003fa5d8d63379adb71447d020bd57e2659e62c4bd2c8a2ba

SHA512
6ca6df6a946f960f92fc498a0cfb9c69a592993ced630f8a7d8e6a8ddbe6287bfaf76601456ab949025ab532ac7a3cd8bc61660d34472bfb34e7cfd2f540d4d7

Download Submit