1cbdbc2553018d5afbfe7dc7755f54462660a48c6774389e3ee899ead9926f1e

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

com/appsflyer/oaid/R$string.class
Size

1KB
MD5

2de8a6e5d0ed2cfce013bc2765e15978
SHA1

aa7a8e3c5ba2023bf628c4bf30b7747b252912f1
SHA256

72309042e13c1b7c2d650ab7828d608b6321aa201f061b44c763a50e3774de76
SHA512

1fa11993c8cc1faacba1c3a4f0f59319c5b5dcb7d70382333c577e46281eded04eb6ec015652ab5e50fe10b4893d475b496341f69ecb6d5019fca9b1fe96009b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\class_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\class_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.class	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\class_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\class_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\class_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\.class\ = "class_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\class_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2916	AcroRd32.exe
2916	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2592	2868	cmd.exe	29
PID 2868 wrote to memory of 2592	2868	cmd.exe	29
PID 2868 wrote to memory of 2592	2868	cmd.exe	29
PID 2592 wrote to memory of 2916	2592	rundll32.exe	30
PID 2592 wrote to memory of 2916	2592	rundll32.exe	30
PID 2592 wrote to memory of 2916	2592	rundll32.exe	30
PID 2592 wrote to memory of 2916	2592	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\com\appsflyer\oaid\R$string.class
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\com\appsflyer\oaid\R$string.class
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\com\appsflyer\oaid\R$string.class"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
fc475915558db066320c550b4f3d8d48

SHA1
5b8d0614c2da77a885828fee70190184b09dad43

SHA256
0d1ec25a795bbea782cc1132421d9697c331fcd72e03e0ef54039a1f8b96756e

SHA512
7706add6ceeae26aef1df7a775ed4c4ae66d03b6e3b56715c392eea92d408397f835fc55c144121638f7604fd1dd9959d5a88ec47f715183e332e51f0012b11f

Download Submit