743927c87c7b0eda2410ce87cddb0c1f39d550284b003a94ea026e236cab98ef

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.tmp/s.sh
Size

23B
MD5

64571f2ed1a7798b2b187209e9226335
SHA1

ebf145d227cc92f0fc33d8be5100a4b06db43ccf
SHA256

4ae8e31878973c5d9fd22bc93e2e8fb3a2a15fdfc4afae57be5856e288d4b536
SHA512

1d87b22888f9694701fad7957a29ad4cd32aaae0204ea73f41616d289ba112f5d0b5099b749dd4efb9d8a34b07b988875e5fde2045495cad0267e95ab189c36d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\sh_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\sh_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.sh	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2584	AcroRd32.exe
2584	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2756	2892	cmd.exe	17
PID 2892 wrote to memory of 2756	2892	cmd.exe	17
PID 2892 wrote to memory of 2756	2892	cmd.exe	17
PID 2756 wrote to memory of 2584	2756	rundll32.exe	30
PID 2756 wrote to memory of 2584	2756	rundll32.exe	30
PID 2756 wrote to memory of 2584	2756	rundll32.exe	30
PID 2756 wrote to memory of 2584	2756	rundll32.exe	30

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\.tmp\s.sh
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\.tmp\s.sh"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2584

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\.tmp\s.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6ff0cc19cbdd75bd642bc7f120d661d6

SHA1
ddcfd3c13dd70bddd314a9f70692da1f7f54b57b

SHA256
26f0457aac7e6452bdab882d7c8f4fd6b7be3224e332a8d4cd003f0fd0f2f03d

SHA512
9c365a6a9cb57b0b1b0aa77f2ef1b011c5f35db4d4bb2b5ec32d1719eaccb5777a2ff77ee3feed76cce03d2a3689bb2af44ca331f2911b49982c9e13bdb26eb0

Download Submit