3b532a3091891c7e4e8c96277d52bb9bc1cb11eea7da2f1d9175e5383af6e16f

Resubmissions

27/11/2023, 15:53

231127-tbnzlshf3y 7

27/11/2023, 15:49

231127-s9blhahf28 3

Analysis

max time kernel
163s
max time network
143s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27/11/2023, 15:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PlatformContent/pc/textures/water/normal_24.dds
Size

85KB
MD5

ff9f983760017e312b178618912290fb
SHA1

007e1cf9abe87da8e335ff0f28aabcc8b5ece81e
SHA256

eaf3f6b5dedfa5b1bca6ad49409794f13213ebf9d7842081dc4584df4b78da11
SHA512

f382b6d14a0a0009cbd6a2ec7e5094d39cb20d4670ebe9df13043d86d6e64d6b08f91bada02d6f5f307ec932db017d41022376951d73fefb9d6a9d2eaa987278
SSDEEP

1536:vdDwUESf0aa/P3QtNNP8LjIQ14ouCTGnAg7MwpDZMwLdED4lZ6x4a:vdMCMaoeNEnXmouFnAFwptddEDMK

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\dds_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\dds_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\dds_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\.dds	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\.dds\ = "dds_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\dds_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\dds_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\dds_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3036	AcroRd32.exe
3036	AcroRd32.exe
3036	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2632	1464	cmd.exe	29
PID 1464 wrote to memory of 2632	1464	cmd.exe	29
PID 1464 wrote to memory of 2632	1464	cmd.exe	29
PID 2632 wrote to memory of 3036	2632	rundll32.exe	32
PID 2632 wrote to memory of 3036	2632	rundll32.exe	32
PID 2632 wrote to memory of 3036	2632	rundll32.exe	32
PID 2632 wrote to memory of 3036	2632	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PlatformContent\pc\textures\water\normal_24.dds
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PlatformContent\pc\textures\water\normal_24.dds
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PlatformContent\pc\textures\water\normal_24.dds"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7dbdb981b43d8aee0ef2349321962ff0

SHA1
4e5b7487fbca6ac05553ccef480bad687f935875

SHA256
cef75f28476918585ae14b3b693bcbff3ad9d6f3ac402d255f110549cb80e529

SHA512
b50fe5cc8f273a03ab522feec5bf056e86607cab2f4b4e43be81cee6b29623696df7e9114f7279db429b40582a47b3767d628765cdeaab64d3e1d8dc7e4b9bf1

Download Submit