Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 07:52
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 71ae80345bdd420a36ec3e25b591f8b7.jad
  - Resource: win7-20231215-en

Behavioral task
- behavioral2
  - Sample: 71ae80345bdd420a36ec3e25b591f8b7.jad
  - Resource: win10v2004-20231215-en
General
- Target: 71ae80345bdd420a36ec3e25b591f8b7.jad
- Size: 192KB
- MD5: 71ae80345bdd420a36ec3e25b591f8b7
- SHA1: 96be2a05f6d276db4301a178c487a3ec1ababe7c
- SHA256: 520f332ebeeae3064b52b2f610793a487ae40a3fd1ce8107ae840820167d0b64
- SHA512: 0a427d972a0bfd74e4f228230ead325a2f1d5efb9d50b817ede4f2fb8b1190c54ed6978a05f49f019be314eec10425ef416f31e8cf192642bdd16937ffbdfde6
- SSDEEP: 6144:crH2imX4hiRA+ndrRvK45WlUNk/yBXUGR:cqimOiAJLyeGR
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.jad\ = "jad_auto_file" | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell\Read | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell\Read\command | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file | rundll32.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\ | rundll32.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.jad | rundll32.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  - 2716 | AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  - 2716 | AcroRd32.exe
  - 2716 | AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  - PID 1740 wrote to memory of 2776 | 1740 | cmd.exe | 29
  - PID 1740 wrote to memory of 2776 | 1740 | cmd.exe | 29
  - PID 1740 wrote to memory of 2776 | 1740 | cmd.exe | 29
  - PID 2776 wrote to memory of 2716 | 2776 | rundll32.exe | 30
  - PID 2776 wrote to memory of 2716 | 2776 | rundll32.exe | 30
  - PID 2776 wrote to memory of 2716 | 2776 | rundll32.exe | 30
  - PID 2776 wrote to memory of 2716 | 2776 | rundll32.exe | 30
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\71ae80345bdd420a36ec3e25b591f8b7.jad
  PID: 1740
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\71ae80345bdd420a36ec3e25b591f8b7.jad
    PID: 2776
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\71ae80345bdd420a36ec3e25b591f8b7.jad"
      PID: 2716
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  - MD5: 1010cfae7286df9862c9fcd92e17d1b9
  - SHA1: 07537304f601cc1e362de4e9fbf8f2cb9d5510a5
  - SHA256: 83bce90f5057c2460f35ab1eee6929b7caaf2252dcb7b6fb274451be6e6936ff
  - SHA512: a2a6c1dbaa4cb15a8ba729a53a4cc2dd99206375c55ad275d331a6d86ead6b35fb2f5b8363404bb52c0fe9cbc4e694dd0001b484a8e1653044a35b460651d404