Overview (overall score 3)

Task                        Platform             Score
Static                      static               1
cash/card.html              windows7-x64         1
cash/card.html              windows10-2004-x64   1
cash/cardback.htm           windows7-x64         1
cash/cardback.htm           windows10-2004-x64   1
cash/index.html             windows7-x64         1
cash/index.html             windows10-2004-x64   1
cash/index.../a.htm         windows7-x64         1
cash/index.../a.htm         windows10-2004-x64   1
cash/index...02.htm         windows7-x64         1
cash/index...02.htm         windows10-2004-x64   1
cash/network.html           windows7-x64         1
cash/network.html           windows10-2004-x64   1
cash/network.php            windows7-x64         3
cash/network.php            windows10-2004-x64   3
cash/update.html            windows7-x64         1
cash/update.html            windows10-2004-x64   1
cash/update.php             windows7-x64         3
cash/update.php             windows10-2004-x64   3
cash/verify.php             windows7-x64         3
cash/verify.php             windows10-2004-x64   3

Analysis
- Max time kernel: 117s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-20231215-en
- Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- Submitted: 18-12-2023 12:00
Tasks
- Static task static1
- Behavioral task behavioral1: cash/card.html on win7-20231215-en
- Behavioral task behavioral2: cash/card.html on win10v2004-20231215-en
- Behavioral task behavioral3: cash/cardback.htm on win7-20231215-en
- Behavioral task behavioral4: cash/cardback.htm on win10v2004-20231215-en
- Behavioral task behavioral5: cash/index.html on win7-20231215-en
- Behavioral task behavioral6: cash/index.html on win10v2004-20231215-en
- Behavioral task behavioral7: cash/index_files/a.htm on win7-20231215-en
- Behavioral task behavioral8: cash/index_files/a.htm on win10v2004-20231215-en
- Behavioral task behavioral9: cash/index_files/a_002.htm on win7-20231129-en
- Behavioral task behavioral10: cash/index_files/a_002.htm on win10v2004-20231215-en
- Behavioral task behavioral11: cash/network.html on win7-20231215-en
- Behavioral task behavioral12: cash/network.html on win10v2004-20231215-en
- Behavioral task behavioral13: cash/network.php on win7-20231215-en
- Behavioral task behavioral14: cash/network.php on win10v2004-20231215-en
- Behavioral task behavioral15: cash/update.html on win7-20231129-en
- Behavioral task behavioral16: cash/update.html on win10v2004-20231215-en
- Behavioral task behavioral17: cash/update.php on win7-20231215-en
- Behavioral task behavioral18: cash/update.php on win10v2004-20231215-en
- Behavioral task behavioral19: cash/verify.php on win7-20231215-en
- Behavioral task behavioral20: cash/verify.php on win10v2004-20231215-en
General
- Target: cash/update.php
- Size: 1KB
- MD5: 15cc6ecd63d8e8c83d4c9031c41e3e4c
- SHA1: 35b2f55c896e9ce608769d945d625e5c0438aee1
- SHA256: bbb6efed1345829a87cf08cab197c1efe6dedac73a9ce3711d9c9dea93369ac6
- SHA512: 1f25ae287e8cb98fc23222c3645b1e55956f4bb3b4311a7a27cbc9c79f5ff0bb090b9fcf4862a1cbc741937694a9f1aad39959904eff071f402773ccea206b24
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Process rundll32.exe:
  - Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\shell
  - Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  - Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file
  - Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.php
  - Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.php\ = "php_auto_file"
  - Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\shell\Read
  - Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\shell\Read\command
  - Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings
  - Set value (str): \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process AcroRd32.exe, PID 2816
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process AcroRd32.exe, PID 2816 (2 occurrences)
- Suspicious use of WriteProcessMemory (7 IoCs)
  - PID 2220 (cmd.exe) wrote to memory of PID 2704 (rundll32.exe), 3 occurrences
  - PID 2704 (rundll32.exe) wrote to memory of PID 2816 (AcroRd32.exe), 4 occurrences
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\cash\update.php
   PID: 2220
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cash\update.php
      PID: 2704
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cash\update.php"
         PID: 2816
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 89a6b1d941402a75eb42d9671515b9c1
- SHA1: 3f1a079dfe9c9c5c4ef6e7810d8e923e23984b02
- SHA256: f98affdc8471282922f8e53dbbacbaaf45acd49f38f0241347cd8cf837d0dc5c
- SHA512: 719e4eb8cb930fe912759a4f307e078d6f05a83ed2ee01b41d5e375078dbfe2c7b2fe67dbf4c4e3cbec8963de4ba31b32650402208c64f9adfcf8050aef478e4