105cc8958dde5aa748097eacf59edb7ff70f5826fe754ade45d4a4545f47fe4f

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
24/11/2023, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mechvibes-2.3.0/README.md
Size

1KB
MD5

43c62a9e29b923340385bd2735c4c9de
SHA1

3ea239f734c23431931d15f83493082097a9763c
SHA256

903cad241ccb2f1f63712cb93a33cfc124cc4741f9c9e6cb5ae7764ea7b82100
SHA512

20e719ba153c11959380be3f43abb7535d70bbe9b505aeedf0b0cb36d9fed88b6b34ded3f087f7009d9ece9545062401f451a73efd762b146c1f8491d57221a4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\.md\ = "md_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\md_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\md_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\.md	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\md_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\md_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\md_auto_file\	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2824	AcroRd32.exe
2824	AcroRd32.exe
2824	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2692	2516	cmd.exe	29
PID 2516 wrote to memory of 2692	2516	cmd.exe	29
PID 2516 wrote to memory of 2692	2516	cmd.exe	29
PID 2692 wrote to memory of 2824	2692	rundll32.exe	30
PID 2692 wrote to memory of 2824	2692	rundll32.exe	30
PID 2692 wrote to memory of 2824	2692	rundll32.exe	30
PID 2692 wrote to memory of 2824	2692	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\mechvibes-2.3.0\README.md
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\mechvibes-2.3.0\README.md
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\mechvibes-2.3.0\README.md"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d549b3d81503909733a060ce6d1d409f

SHA1
318a33808d085b571c26bb375516d771b6f6e392

SHA256
d0d7f89bf12eb48fcb690796c4cdfeb9ecfdc33943f46decd913c0efe1d42bb3

SHA512
9cef51a60971cc95540d1b42a46a459b7ab6d452ee73acd0afa10157fd86b2dcf8df960dfc28d857d9fdbea0f32cce9b4eae95e3180559cb2c0eb84c4dcfef70

Download Submit