b2e19acc4b7aee3749c2bed1c57f8d680a67181cd95622d0fc3fde594e8ba74a

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-12-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cash/update.php
Size

1KB
MD5

15cc6ecd63d8e8c83d4c9031c41e3e4c
SHA1

35b2f55c896e9ce608769d945d625e5c0438aee1
SHA256

bbb6efed1345829a87cf08cab197c1efe6dedac73a9ce3711d9c9dea93369ac6
SHA512

1f25ae287e8cb98fc23222c3645b1e55956f4bb3b4311a7a27cbc9c79f5ff0bb090b9fcf4862a1cbc741937694a9f1aad39959904eff071f402773ccea206b24

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.php	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.php\ = "php_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\php_auto_file\	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2816 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2816 AcroRd32.exe
2816 AcroRd32.exe

pid	process
2816	AcroRd32.exe

pid	process
2816	AcroRd32.exe
2816	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2220 wrote to memory of 2704	2220	cmd.exe	rundll32.exe
PID 2220 wrote to memory of 2704	2220	cmd.exe	rundll32.exe
PID 2220 wrote to memory of 2704	2220	cmd.exe	rundll32.exe
PID 2704 wrote to memory of 2816	2704	rundll32.exe	AcroRd32.exe
PID 2704 wrote to memory of 2816	2704	rundll32.exe	AcroRd32.exe
PID 2704 wrote to memory of 2816	2704	rundll32.exe	AcroRd32.exe
PID 2704 wrote to memory of 2816	2704	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\cash\update.php
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cash\update.php
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cash\update.php"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
89a6b1d941402a75eb42d9671515b9c1

SHA1
3f1a079dfe9c9c5c4ef6e7810d8e923e23984b02

SHA256
f98affdc8471282922f8e53dbbacbaaf45acd49f38f0241347cd8cf837d0dc5c

SHA512
719e4eb8cb930fe912759a4f307e078d6f05a83ed2ee01b41d5e375078dbfe2c7b2fe67dbf4c4e3cbec8963de4ba31b32650402208c64f9adfcf8050aef478e4

Download Submit