c3d118812e55bc5a51eeb6c4c254abc744b3b7e58450212a153bbc2c8af196c8

Analysis

max time kernel
123s
max time network
128s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
23-10-2023 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KeyViewer.pdb
Size

145KB
MD5

31e4181f42b1000d23f1b05a8ce1870e
SHA1

f7b027296ea2a15df3af4df2a7915ba47a73a17e
SHA256

935de74bc9fb2f290460b70c0d7351a9f0f1ffe2a04283ce7bebdf50d5197465
SHA512

82ccfe52fd102999bbe71ebe06413651098b6a91258753cd6ad78c22310918585e987a9704eba0c7073bb8715a53702d15f57a65f5895c24231b665c0a3303d2
SSDEEP

768:L+BQBNVTCc5j/p3AVvgT5wtJFxbK1Fdkkasa+zixEKBfN5I8eApZJ6o1qG/a+tjD:++zGHXI9A96/G/akjQ+2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pdb_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pdb_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\.pdb	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\.pdb\ = "pdb_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pdb_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pdb_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\pdb_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2672	AcroRd32.exe
2672	AcroRd32.exe
2672	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2708	2868	cmd.exe	29
PID 2868 wrote to memory of 2708	2868	cmd.exe	29
PID 2868 wrote to memory of 2708	2868	cmd.exe	29
PID 2708 wrote to memory of 2672	2708	rundll32.exe	30
PID 2708 wrote to memory of 2672	2708	rundll32.exe	30
PID 2708 wrote to memory of 2672	2708	rundll32.exe	30
PID 2708 wrote to memory of 2672	2708	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\KeyViewer.pdb
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\KeyViewer.pdb
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\KeyViewer.pdb"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
abc9dbcb19ed5b31a3ca8e012dc5ddb0

SHA1
34e7018dd5bd41f5f9907a807344762542a9dc78

SHA256
12988977a1f55764cbf96ff6e28916c673bd467a113469108918edfa539794f1

SHA512
521bb5ca99b13f9d197568d9ad64e23d32a074b580cb8e6f5174c86ba35e6207ec4a87940618e2c2c0220c8708015e723825fe9390021f47911fcc1b413ac1b5

Download Submit