44b7379c84733428bb4c6ee78af2537ffc1fc5ac7cd44373e9c8f349a1da6358

Analysis

max time kernel
106s
max time network
18s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
19/11/2023, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Junkie_BOOT.ima
Size

54KB
MD5

74493a6eb08744de640ab8d9c0f7d6dd
SHA1

cc41e66cd17e648f002abee05885e2ed3fe0f5ba
SHA256

edb23b8b8c5c7925b4d0cd2cefcc7964af2803bd1b704331a898640e890f0d5b
SHA512

db5f74ffabd630da436720518564588b515106791d9449657cc25fd04f3e14c95ebeb1d3f6b8e3e24a0a3cac234f61720bd7749d29a2c00d4597c7f11b1a5e15
SSDEEP

384:LakB8ppW9X0yntfYBGRnRjQ4dmq44dBfzBJIEpsWsu3VV15:LPFkutfsYRj1mkbfVJIE0ev

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\ima_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\ima_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\ima_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\.ima	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\ima_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\ima_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\ima_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000_CLASSES\.ima\ = "ima_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2824	AcroRd32.exe
2824	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2096	2080	cmd.exe	29
PID 2080 wrote to memory of 2096	2080	cmd.exe	29
PID 2080 wrote to memory of 2096	2080	cmd.exe	29
PID 2096 wrote to memory of 2824	2096	rundll32.exe	30
PID 2096 wrote to memory of 2824	2096	rundll32.exe	30
PID 2096 wrote to memory of 2824	2096	rundll32.exe	30
PID 2096 wrote to memory of 2824	2096	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Junkie_BOOT.ima
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Junkie_BOOT.ima
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Junkie_BOOT.ima"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4fa341b572fcf13764c1cb6dd6057b3e

SHA1
2728d7e6843baf6568695f9e0242938c9c0981c4

SHA256
5832c298ee1c72b01f266d73af6a9bb444a466f0d956c2c3eb301a7a9c895380

SHA512
a8455802e54322ce6309a70bdceb6fd59292b8213a0750fc0f2e38c5752a475a206500ead470d78899947f70028cda9fe76e66df6056d2ba193850b94e47c49e

Download Submit