Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2023 17:45
Static task: static1
Behavioral task: behavioral1
  Sample: 09334503fb1e4944968148819d71d896.jad
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 09334503fb1e4944968148819d71d896.jad
  Resource: win10v2004-20231215-en
General
- Target: 09334503fb1e4944968148819d71d896.jad
- Size: 68KB
- MD5: 09334503fb1e4944968148819d71d896
- SHA1: 420ba871fe752d744be37f03ee580231e941ed50
- SHA256: 48d93ccf15d4c1716bef3d50e9c29bc51a7f9527c53b74cd5b89b366f30e35e0
- SHA512: a9a2d2ae7c8b9cfb036635583dfb86af4169f249e5a820c3c665178f2ff3a8d8bc2e97b1af308c76cf38742721980669468da77cf11edfb502c1a82e1ba50454
- SSDEEP: 1536:EjUcFC+MEcJwy7GtW2insgvrGoZNGtW2insgvrGoZ4:EjUcton7ZsArG8ZsArGL
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.jad | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.jad\ = "jad_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\shell | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\jad_auto_file | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2652 | AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2652 | AcroRd32.exe
  2652 | AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2724 wrote to memory of 3056 | 2724 | cmd.exe | 21
  PID 2724 wrote to memory of 3056 | 2724 | cmd.exe | 21
  PID 2724 wrote to memory of 3056 | 2724 | cmd.exe | 21
  PID 3056 wrote to memory of 2652 | 3056 | rundll32.exe | 30
  PID 3056 wrote to memory of 2652 | 3056 | rundll32.exe | 30
  PID 3056 wrote to memory of 2652 | 3056 | rundll32.exe | 30
  PID 3056 wrote to memory of 2652 | 3056 | rundll32.exe | 30
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\09334503fb1e4944968148819d71d896.jad
   - Suspicious use of WriteProcessMemory
   PID: 2724
   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\09334503fb1e4944968148819d71d896.jad
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 3056
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\09334503fb1e4944968148819d71d896.jad"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
         PID: 2652
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 4dd0478d3e8a432e3f9d89fa895c4f8a
  SHA1: 07c5f8c838ad4e4b3746afcb0d9ac182f58d919d
  SHA256: 0e9c3bd3e0417661732211b1b9ebadc5a95e34e9dc44126e2f5dc5072e081096
  SHA512: c78b11740610cefe150fca6feeca0191df9923c0583c20c5eee20a87370c112541cc8dec950f1142e18d205cb11bf8b1f196c604b702d29a61aa7003987d967a