cf956f9042e7686927bbe2e8f4a8470bd1f019818bf25bfd4ff2835beebef4a7

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scan/go.sh
Size

89B
MD5

bf21756d217417fdb9cf757df83cf950
SHA1

e23688da9b2f40e72b84089f65ad04c5bbe8c549
SHA256

e6b189c66e778e1d3334dae526ba1521b634a6eb8e0851368577aad2babbff55
SHA512

610d27f0f00e930a357d3451170974fb0261d833860052c8227f0755cd3e7fee70b351272d37d77b4778a43972a3b325b01ffb4936e7c0d8a66174174220f08a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sh	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	AcroRd32.exe
2688	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2804	1712	cmd.exe	29
PID 1712 wrote to memory of 2804	1712	cmd.exe	29
PID 1712 wrote to memory of 2804	1712	cmd.exe	29
PID 2804 wrote to memory of 2688	2804	rundll32.exe	30
PID 2804 wrote to memory of 2688	2804	rundll32.exe	30
PID 2804 wrote to memory of 2688	2804	rundll32.exe	30
PID 2804 wrote to memory of 2688	2804	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\scan\go.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\scan\go.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\scan\go.sh"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e5e661ec4f2317be6fc85f68848f92a2

SHA1
ea2297c98166736da435308fac2bad59847dcbfd

SHA256
c5598a363057fd998966a250376816f48fcd78f48fc8f711ac81e352cdec343b

SHA512
a428f73c8edda71295c4fe58d9b11b596443becd29296372440e4f0ef128c1b3bd62fc6f4163572559b7b8e114dafb8d5c44899e44147bf273ab224f1a593f36

Download Submit