9895f3c95ba7f94a8b615e88b78e23619265a67f92eabe2f720aaa92a05ae639

Analysis

max time kernel
73s
max time network
19s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
26-09-2023 17:43

Target

masscan-1.0.3-5.el7.x86_64/masscan-1.0.3-5.el7.x86_64.rpm
Size

146KB
MD5

d901256374ddd1770270971856bf735a
SHA1

492e1537a87bf66c3d998d51bfe87b53d300b04a
SHA256

a1e2c6a4ed237e8e867464a97ee3945f5605ac44ecb9b2daa3c2e770a5eeda6f
SHA512

16139a5391d63d68f8cac495714c226f2ce4d8d63f7a1f5355976d7615e560d9f9ca09bbc050a418480c1cc339cf1b005e7031776b1b823e43a8db798a3b5dd2
SSDEEP

3072:JefQZDObL3TyGY6gBdwijh9Yqc6uZW1FLuZM1+uHsgv:JBQyGABdd/c6UWPKZg

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\rpm_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\rpm_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\rpm_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\rpm_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.rpm	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.rpm\ = "rpm_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\rpm_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\rpm_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2596 AcroRd32.exe
2596 AcroRd32.exe
2596 AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2368 wrote to memory of 2008	2368	cmd.exe	rundll32.exe
PID 2368 wrote to memory of 2008	2368	cmd.exe	rundll32.exe
PID 2368 wrote to memory of 2008	2368	cmd.exe	rundll32.exe
PID 2008 wrote to memory of 2596	2008	rundll32.exe	AcroRd32.exe
PID 2008 wrote to memory of 2596	2008	rundll32.exe	AcroRd32.exe
PID 2008 wrote to memory of 2596	2008	rundll32.exe	AcroRd32.exe
PID 2008 wrote to memory of 2596	2008	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\masscan-1.0.3-5.el7.x86_64\masscan-1.0.3-5.el7.x86_64.rpm
1⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\masscan-1.0.3-5.el7.x86_64\masscan-1.0.3-5.el7.x86_64.rpm"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2596

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
944600b77a1913b191b16f1bbaa66985

SHA1
0a30b76000584cb2cdc254e607b6053aff32316c

SHA256
5e6b7c8474ec503519966027638fd219f0d9b45aa1eb18c182a1b8b5a8bf73d1

SHA512
89297b4a637a3698a20b6dc10414e1b81a52a1e41ea15e3148f2c0928d48c47a636319bcb62fced5f8196d7fff42a7569df83a16c61d07451d709af98aa1f0b6

Download Submit