Analysis
max time kernel: 129s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 26/12/2023, 01:46

Static task: static1
Behavioral task: behavioral1
  Sample: 4a5617c5494ca3cef28423bcc5fa30c1.jad
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4a5617c5494ca3cef28423bcc5fa30c1.jad
  Resource: win10v2004-20231215-en
General
Target: 4a5617c5494ca3cef28423bcc5fa30c1.jad
Size: 64KB
MD5: 4a5617c5494ca3cef28423bcc5fa30c1
SHA1: 90172d11f91b8aa4d2edb727c125028306e26158
SHA256: 5ce60b2d8b0c7af8d2039cbedb46d274118b699152ca8a8436155f0a2ecf92b8
SHA512: 48567b33c1b5cc3ea325ab352eb0cbbb9e8f2f9a2079ddb50277e93be823f41d0295c8ac9af9710a24739aa71fdbec8ca1cd140db0995cd69dc6e851eb89057f
SSDEEP: 1536:FfGz2TH6v6lRuAcw7oXgGdjYLIDe44YgpQ9kFL:FfGz2THkquAD7oXDNYqedYH9kFL
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\shell\Read\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.jad | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.jad\ = "jad_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\shell | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
1792 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
1792 | AcroRd32.exe
1792 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | procid_target
PID 1488 wrote to memory of 1336 | 1488 | cmd.exe | 17
PID 1488 wrote to memory of 1336 | 1488 | cmd.exe | 17
PID 1488 wrote to memory of 1336 | 1488 | cmd.exe | 17
PID 1336 wrote to memory of 1792 | 1336 | rundll32.exe | 30
PID 1336 wrote to memory of 1792 | 1336 | rundll32.exe | 30
PID 1336 wrote to memory of 1792 | 1336 | rundll32.exe | 30
PID 1336 wrote to memory of 1792 | 1336 | rundll32.exe | 30
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\4a5617c5494ca3cef28423bcc5fa30c1.jad
  PID: 1488
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4a5617c5494ca3cef28423bcc5fa30c1.jad
    PID: 1336
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4a5617c5494ca3cef28423bcc5fa30c1.jad"
      PID: 1792
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: f00a66f1e0d65c5150b74b36f934d7ca
SHA1: 20f00929fb245df01126a973649fc424c47d2b5e
SHA256: 5c04b88a2d4822b9bb62e7db7bf7da101f4b870735e70cf68fdab723b2e9872e
SHA512: f5c9202693e3c9de10aa0f772c837f96e22ae69fa08c47419b1c9bf001e2c251cd865739a90aae3929363cf7fe65cf48b681c7ad7870a780e1dcb10a921a107b