0f681d1319f07c6f236917cd6056d15c3c02ac5c02d7b4b2203015164bff6978

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
21-11-2023 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.tar
Size

6.7MB
MD5

2ef83945d2afda1738f7ee57633c0e13
SHA1

04ab3bfb947c68e28ec232a1e68e2c9ef91f16b4
SHA256

9b59de678dc5976617d3858d17b502faa005dc74ec468de3405b3c06fe26b610
SHA512

92d4a5094a44bd39c327089f079182ab2f319362527de69fe8dd5112afbe9a602636a836f13600b51a7f5ec55453627ccefd882b6cc52ca0992f5daad5f3a10d
SSDEEP

196608:qGyx2Z/ccFGeLoC0Sbg7X+WloiMbqRoQ6:qsioQ6

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.tar	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\tar_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\tar_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\tar_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\tar_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\tar_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.tar\ = "tar_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\tar_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2496	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2496	AcroRd32.exe
2496	AcroRd32.exe
2496	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2696	2244	cmd.exe	29
PID 2244 wrote to memory of 2696	2244	cmd.exe	29
PID 2244 wrote to memory of 2696	2244	cmd.exe	29
PID 2696 wrote to memory of 2496	2696	rundll32.exe	30
PID 2696 wrote to memory of 2496	2696	rundll32.exe	30
PID 2696 wrote to memory of 2496	2696	rundll32.exe	30
PID 2696 wrote to memory of 2496	2696	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sample.tar
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sample.tar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sample.tar"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d34a1b24ebca10e6c92164d4b6b4bc65

SHA1
d39fb84d9fff0260038ba7f7db78c99bc9ec5553

SHA256
33d370431189fe3ac27da973d768632bfedfc2a6c3ea195120a0545c19287186

SHA512
faa60004365e378dd9a71f2f4e67961f81425fd8cce71262ec0b7c64690ad0134dcefb26ad9a42fbfff9725139b9d3bd708db7b8036e6ee3e9eaec017195246e

Download Submit