c57874bd743b57f73d8aaefa042428012ce07353eea1a500883df4b63a0d144d

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/09/2023, 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Combine Stock as on 31032017.xlsx.nztt
Size

21KB
MD5

2a509f5c5af3b9e3776ee5980596f2f3
SHA1

9c580c3917616831a86681f342a054d377ae63ca
SHA256

c57874bd743b57f73d8aaefa042428012ce07353eea1a500883df4b63a0d144d
SHA512

53533adff8229dc561d415815ebe7ee376a6e3dffa6fe69fa2fed84b11d3ec8da93dc854c879b822bcdc65e6b8f591bf21441d02895b8fc7e02e37dd3c0c8826
SSDEEP

384:C6HPYaErW9viD515nbwTK42UiX90B2lu7yzV4S8upgjXsCWgRv+OJWMynurQRhaw:C6HPYc2tnbG2UiXMnUm1EgRLMMRU6O

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\nztt_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\nztt_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\nztt_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\nztt_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\nztt_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.nztt\ = "nztt_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\nztt_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.nztt	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2472	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2472	AcroRd32.exe
2472	AcroRd32.exe
2472	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2708	2260	cmd.exe	29
PID 2260 wrote to memory of 2708	2260	cmd.exe	29
PID 2260 wrote to memory of 2708	2260	cmd.exe	29
PID 2708 wrote to memory of 2472	2708	rundll32.exe	30
PID 2708 wrote to memory of 2472	2708	rundll32.exe	30
PID 2708 wrote to memory of 2472	2708	rundll32.exe	30
PID 2708 wrote to memory of 2472	2708	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Combine Stock as on 31032017.xlsx.nztt"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Combine Stock as on 31032017.xlsx.nztt
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Combine Stock as on 31032017.xlsx.nztt"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5b63223998110baf86dd71367fbbf3dc

SHA1
8f27efc7c102f4956a60379b758034d2ba63028e

SHA256
989e9106c405353ad103fae1a1de5663ad05cdc854f1fd5c93ea12cbb5111e44

SHA512
489f2836947c9af74b5b685c64b283d2a4ee66df12676ab0f9086337a0a6ee9f108cb05c0b0480bbda81d806d240126e003da05d7b8cbefbabce3956e6e7368d

Download Submit