bd2d64fc97325bdc1a6cf92e7684854da8eaf28756696e91a4998fc87e1353f0

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-01-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qalam/assets/webfonts/fa-regular-400.woff2
Size

23KB
MD5

747442fa76f1d9a31f9a54a2e8a4b448
SHA1

07fc0ae14bb3187839082aed3bca11dfb1e04524
SHA256

9169d8be7a8177e5a92a4d04b6de7f6504b938573bf4da5889871c4f376d3849
SHA512

274dbe5bc31c560d2cc2d15afe5485687b2f7dd0ee24ffed99627310ea36a6a3cc1c91e22368f909d056f4faab051838d469e0bfe8a30169b735aca5eb0f402f
SSDEEP

384:Ok8mTTNu15tM1xuB9dYY7YRHmOdjzUJsAr4p8Oq7kpPyXBpqrhDRBybCpMuT33SI:OGg15tM1xuBYY7YRHmcjzUJJr4p8Oq7a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.woff2\ = "woff2_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.woff2	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2780 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2780 AcroRd32.exe
2780 AcroRd32.exe

pid	process
2780	AcroRd32.exe

pid	process
2780	AcroRd32.exe
2780	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1664 wrote to memory of 2724	1664	cmd.exe	rundll32.exe
PID 1664 wrote to memory of 2724	1664	cmd.exe	rundll32.exe
PID 1664 wrote to memory of 2724	1664	cmd.exe	rundll32.exe
PID 2724 wrote to memory of 2780	2724	rundll32.exe	AcroRd32.exe
PID 2724 wrote to memory of 2780	2724	rundll32.exe	AcroRd32.exe
PID 2724 wrote to memory of 2780	2724	rundll32.exe	AcroRd32.exe
PID 2724 wrote to memory of 2780	2724	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\qalam\assets\webfonts\fa-regular-400.woff2
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\qalam\assets\webfonts\fa-regular-400.woff2
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\qalam\assets\webfonts\fa-regular-400.woff2"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
71c0ae4f4f4b9de977807c4ac6e7d774

SHA1
96022369dd5db607c2e158746a5b1aea8a8a6b55

SHA256
72f12763aa307522d84c09ef47e6daf28228c4e55c49b1787a0f584edcef048e

SHA512
543534f24ba4b0fd01095204ce132646eaf7f8d0f95f36d0c02fc4d25438c34fca7e7563dc6121b09c0a34309c08ed090f19c52e2709e48f8a1e41c58fc11ad0

Download Submit