5e236acff828a79b31f44e491d8c4932a3eb6688ce83d24ed7f59fa69117cb6e

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 20:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

IntelAudioService.exe.config
Size

308B
MD5

e672c208b899e19473840b0a0e0fd6f4
SHA1

0e72b1ac55a6f2097578b02799a94c314d1e98ca
SHA256

b880e615bfb2a6c187aff785c6558664b2f905d1179f034b545d693b71c073cc
SHA512

ca23958533d956064f60da79bd3811b967b8cdaa60e73b054405bed971ed74af07993349995f7f21eb489501425e4b3b8e7626dea4e7252d799b34e578d92b2b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2500	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2500	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2500	AcroRd32.exe
2500	AcroRd32.exe
2500	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2500	1732	cmd.exe	29
PID 1732 wrote to memory of 2500	1732	cmd.exe	29
PID 1732 wrote to memory of 2500	1732	cmd.exe	29
PID 1732 wrote to memory of 2500	1732	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe.config
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\IntelAudioService.exe.config"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
09803ddb36a5c731e3b9a27a35cbdadd

SHA1
8d941616ecd46674d42c5576b5ff57be3f0a38cf

SHA256
1ee6f6efb243fb3a853518e96a06e57ebf761b57682f404af5adb8c05145414d

SHA512
4f90c8a1048067843014e9af32414727f2e46d0af457a13c86f3d5702ec589ec7a9e0930927d557444fc1f424fba7966ea12a27907ea9b96ce18e795dc2e76d2

Download Submit