7a9e07ce1f7386689917602ddc5a75750ad842e605ff764f67173529c181bf04

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01-11-2023 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

site.webmanifest
Size

263B
MD5

053100cb84a50d2ae7f5492f7dd7f25e
SHA1

bf31baf91bdd2fcde24a45e3f2a1be33733c6f69
SHA256

7a9e07ce1f7386689917602ddc5a75750ad842e605ff764f67173529c181bf04
SHA512

2a5fabd751ff563ac33105c0ab1bc849134a5eb3c9d3397effedb31949f789afae10d429ebbebe3d0ad6a9c98ecb79bbfd1072c7bd43034dce7aa92c2f3d3fe3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.webmanifest	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.webmanifest\ = "webmanifest_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\webmanifest_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2708 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2708 AcroRd32.exe
2708 AcroRd32.exe

pid	process
2708	AcroRd32.exe

pid	process
2708	AcroRd32.exe
2708	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 292 wrote to memory of 2752	292	cmd.exe	rundll32.exe
PID 292 wrote to memory of 2752	292	cmd.exe	rundll32.exe
PID 292 wrote to memory of 2752	292	cmd.exe	rundll32.exe
PID 2752 wrote to memory of 2708	2752	rundll32.exe	AcroRd32.exe
PID 2752 wrote to memory of 2708	2752	rundll32.exe	AcroRd32.exe
PID 2752 wrote to memory of 2708	2752	rundll32.exe	AcroRd32.exe
PID 2752 wrote to memory of 2708	2752	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\site.webmanifest
1⤵
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\site.webmanifest
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\site.webmanifest"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2708

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
fc45e81fca2f8cc4d46a1cb6f5ee13f5

SHA1
ee50787b215ba9ee7c8fe94b5f3e3c39793a3d15

SHA256
145ac123f58e1ceb1fbbe559e8bca8741ce72b3886bcdd0223cd4314f4070d37

SHA512
4120af53ed5ea5ae98e0894b62422e892ccc880f103163abfd7e8e853d272dbfa285e91ef6ea0ffc1e84dbac84f971d2f70d744e70be161eb96e34e5b4081030

Download Submit