29fc3d7e0b4b732655e80dd597d84078f801f5ab83f355e643042c5d972269a0

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d2d83db2c3ba4f98ac7fb7236d2307a.jad
Size

68KB
MD5

3d2d83db2c3ba4f98ac7fb7236d2307a
SHA1

6f7c11ee3fdc299a66d6f84b26d03bbd36906634
SHA256

29fc3d7e0b4b732655e80dd597d84078f801f5ab83f355e643042c5d972269a0
SHA512

65f9134841a8bd9ea47bc2bc39fbdfcd383b42b652f7ae862fa3e12181be6c7fa7850fef44e93dc8b755e412a0d6a013978f24ffa88e3c3a97c426eded4e5cd4
SSDEEP

1536:EjUcFC+MEcNwy7GtW2insgvrGoZNGtW2insgvrGoZm:EjUctoz7ZsArG8ZsArGJ

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.jad	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\.jad\ = "jad_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2804	AcroRd32.exe
2804	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2776	2168	cmd.exe	29
PID 2168 wrote to memory of 2776	2168	cmd.exe	29
PID 2168 wrote to memory of 2776	2168	cmd.exe	29
PID 2776 wrote to memory of 2804	2776	rundll32.exe	30
PID 2776 wrote to memory of 2804	2776	rundll32.exe	30
PID 2776 wrote to memory of 2804	2776	rundll32.exe	30
PID 2776 wrote to memory of 2804	2776	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3d2d83db2c3ba4f98ac7fb7236d2307a.jad
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\3d2d83db2c3ba4f98ac7fb7236d2307a.jad
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3d2d83db2c3ba4f98ac7fb7236d2307a.jad"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e25e5a502ce7b47c3340b878f6652b33

SHA1
f6289b24a1ab8eab73f4a05aa6db1f7644f215c0

SHA256
724b98e3f99602eb0a0bd67a7b665a4bfd73d159cae4d061c9b20f9c2a85eed7

SHA512
0a80f4fba8798b9482cb83f1a21ee6d9be225fc648ce86c57a2784d5519b05e5de711cf2aae09fc3ec021e1beb7ce421120de815e8ffa4f18e284f5a9592b30d

Download Submit