2a47f3173506bcd71bf2d7498311f60d8411ba21581e619e3304ccd49f5dc9a5

Analysis

max time kernel
129s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

subpacks/middle/ui/debug_screen.json
Size

89KB
MD5

b229cd6317832365e43bc39afd55de39
SHA1

79de5a70218f84f819733b308057d28f6b444fac
SHA256

d3ac6cd034310433746457ef039fbe45b6dc2e0239a4dc1fed3df59339b35c05
SHA512

71ec96c5ec2e6cd8230d1a535e95021b263cd2e29dbd09d773b4bc6d05d422d07792f8944c36a0a59df6d177426db05511aaee8c170ccf4708969021445881dd
SSDEEP

768:CHrmxSy2lQQ5LZHBrRvpEbWFyx5SkXbWQ4JM0NJSgVwZ:Vxz2SQ5LZHBrRvp1AxkkXbWQQVM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\json_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.json	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2764	AcroRd32.exe
2764	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2704	2936	cmd.exe	29
PID 2936 wrote to memory of 2704	2936	cmd.exe	29
PID 2936 wrote to memory of 2704	2936	cmd.exe	29
PID 2704 wrote to memory of 2764	2704	rundll32.exe	30
PID 2704 wrote to memory of 2764	2704	rundll32.exe	30
PID 2704 wrote to memory of 2764	2704	rundll32.exe	30
PID 2704 wrote to memory of 2764	2704	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\subpacks\middle\ui\debug_screen.json
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\subpacks\middle\ui\debug_screen.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\subpacks\middle\ui\debug_screen.json"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
840551115b7671591b5abbad8fd29ccc

SHA1
339532c4a8ef129e1c97032b4aadcc5c2ba54c3e

SHA256
78d05a8c22aeeefa201ce3ad70ea42fa77053d09231437bb957c80c45972174a

SHA512
cb7e8c6940fc98fde9ea141bd7e9670b1722b0ba5eafde8a77b669a75122d4f5be78020e08637d2c4ddf6c166ce4b29b8f2e054c139ae6bd6d85932d50e2007e

Download Submit