Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 01-11-2023 13:25
Static task: static1
Behavioral task: behavioral1
  Sample: site.webmanifest
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: site.webmanifest
  Resource: win10v2004-20231020-en
General
- Target: site.webmanifest
- Size: 263B
- MD5: 053100cb84a50d2ae7f5492f7dd7f25e
- SHA1: bf31baf91bdd2fcde24a45e3f2a1be33733c6f69
- SHA256: 7a9e07ce1f7386689917602ddc5a75750ad842e605ff764f67173529c181bf04
- SHA512: 2a5fabd751ff563ac33105c0ab1bc849134a5eb3c9d3397effedb31949f789afae10d429ebbebe3d0ad6a9c98ecb79bbfd1072c7bd43034dce7aa92c2f3d3fe3
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.webmanifest | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\ | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.webmanifest\ = "webmanifest_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\shell | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2708 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2708 | AcroRd32.exe
  2708 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 292 wrote to memory of 2752 | 292 | cmd.exe | rundll32.exe
  PID 292 wrote to memory of 2752 | 292 | cmd.exe | rundll32.exe
  PID 292 wrote to memory of 2752 | 292 | cmd.exe | rundll32.exe
  PID 2752 wrote to memory of 2708 | 2752 | rundll32.exe | AcroRd32.exe
  PID 2752 wrote to memory of 2708 | 2752 | rundll32.exe | AcroRd32.exe
  PID 2752 wrote to memory of 2708 | 2752 | rundll32.exe | AcroRd32.exe
  PID 2752 wrote to memory of 2708 | 2752 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\site.webmanifest
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (child of cmd.exe)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\site.webmanifest
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of rundll32.exe)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\site.webmanifest"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: fc45e81fca2f8cc4d46a1cb6f5ee13f5
  SHA1: ee50787b215ba9ee7c8fe94b5f3e3c39793a3d15
  SHA256: 145ac123f58e1ceb1fbbe559e8bca8741ce72b3886bcdd0223cd4314f4070d37
  SHA512: 4120af53ed5ea5ae98e0894b62422e892ccc880f103163abfd7e8e853d272dbfa285e91ef6ea0ffc1e84dbac84f971d2f70d744e70be161eb96e34e5b4081030