6c90dfc63bce24689c0c5922f8eac1779c01156dc54c3066bae8ca65198949f5

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
26-08-2023 22:06

Target

com/google/android/gms/measurement/internal/zzi.class
Size

1KB
MD5

235863387a180dadf3e2575d6847b408
SHA1

a19f7f9a832b3eab6fbd8dce97c94fda9e9f190d
SHA256

f66e0fa4c898292118dd07a3b6a0d060db2210254752d9f64d0caa19b4724c9d
SHA512

67886456410e8ccfbb7be7657061b0df4c474938be599f15cf07b6d0aae4cff23ad7db42bb460b936395d1d20965f71ef7a527a0d523a51de0ca5b44da654332

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.class	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.class\ = "class_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\class_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\class_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\class_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\class_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\class_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2836 AcroRd32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2836 AcroRd32.exe
2836 AcroRd32.exe
2836 AcroRd32.exe

pid	process
2836	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 844 wrote to memory of 2356	844	cmd.exe	rundll32.exe
PID 844 wrote to memory of 2356	844	cmd.exe	rundll32.exe
PID 844 wrote to memory of 2356	844	cmd.exe	rundll32.exe
PID 2356 wrote to memory of 2836	2356	rundll32.exe	AcroRd32.exe
PID 2356 wrote to memory of 2836	2356	rundll32.exe	AcroRd32.exe
PID 2356 wrote to memory of 2836	2356	rundll32.exe	AcroRd32.exe
PID 2356 wrote to memory of 2836	2356	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\com\google\android\gms\measurement\internal\zzi.class
1⤵
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\com\google\android\gms\measurement\internal\zzi.class
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\com\google\android\gms\measurement\internal\zzi.class"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2836

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
dfb1401fd13249e3864f3137b4549cc4

SHA1
f28402601f8a13cbfcffd8dbdfffcc157f36b19b

SHA256
517204320b5e971c27bb138d293cac17a2f55e117706dd7304bd76a6e6a62bd7

SHA512
0ac53743bc97342d2329696eaa472945da34ad59887d1f935709d63b84d8b92edf7fb35b3d5e98d05eddd0a22ca2e4c33e995be42cdcaad76af05a071da78603

Download Submit