96e6276b4d1ff728b1e2014a3be856a5e35a6a885df0797a54728868798feac2

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-01-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/configs/Default.cfg
Size

215B
MD5

5d86b415aec1bb28364783da7d11d3eb
SHA1

3ee034cda8e96da6275dae75ed66aac44c609257
SHA256

855bee1a99510b3daf1a12a8f37c05323f9a70e824e0c05e9f75fd131b8cbca4
SHA512

50766c91a2c553240a1fee98f4550c301bb89b116e3e927e6a41065d34adfdc4b5b3e5186b65236cd2a5545e4dad1893594a53b3eb8a276ab590d5db040da20f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\cfg_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.cfg	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\cfg_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\cfg_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\cfg_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\cfg_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.cfg\ = "cfg_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2980	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2980	AcroRd32.exe
2980	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2996	1340	cmd.exe	29
PID 1340 wrote to memory of 2996	1340	cmd.exe	29
PID 1340 wrote to memory of 2996	1340	cmd.exe	29
PID 2996 wrote to memory of 2980	2996	rundll32.exe	30
PID 2996 wrote to memory of 2980	2996	rundll32.exe	30
PID 2996 wrote to memory of 2980	2996	rundll32.exe	30
PID 2996 wrote to memory of 2980	2996	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\configs\Default.cfg
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bin\configs\Default.cfg
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bin\configs\Default.cfg"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c5bd1fc616bdf34cffa4052b3004d424

SHA1
df18293900b7d82dbb04fb04ec3db753a52761dc

SHA256
e8aae3f13aa5a92a01902899da7fadc32c55e20689391b8ec84171133aebeca3

SHA512
eb18e98fccbcc5c96fa93d763ecd8668b51be3df87db20a21fc34d0481128b22a012f9631ae13ee3993f37d4125bc3bab31b8c09fa53aedc8d0eef7127a421ec

Download Submit