fbe07d1afd27ab353daa2afacc2de87d8f5ec69f64bbd9246f31ebfe1731de9b

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/PCSX2 1.6.0/Langs/zh_CN/pcsx2_Main.mo
Size

49KB
MD5

20df33b2b57c36d7ee8d458fba68a0ed
SHA1

bb9998141979a9bf909919be20d9d66c60366041
SHA256

bba73947d56197e9f8017ba4f054648a349e0e35474f50dc872fdf7e8fdeb5a5
SHA512

47be448adc22f4ad97a147e0fa130fb533b37b9d135c267aebf1b24aeeaf7c2fe712a39425ad268bedf89a8192ee4fdd77a339a884ea2990c7e771a5ef633898
SSDEEP

1536:SPkVLQwOl8Kq3Ofk9oNoVS68t79xJTRqubE:SEA8yoVS6IXT4Z

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.mo	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\.mo\ = "mo_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\mo_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\mo_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\mo_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\mo_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\mo_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\mo_auto_file\shell\Read	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1936	AcroRd32.exe
1936	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1512	2040	cmd.exe	30
PID 2040 wrote to memory of 1512	2040	cmd.exe	30
PID 2040 wrote to memory of 1512	2040	cmd.exe	30
PID 1512 wrote to memory of 1936	1512	rundll32.exe	31
PID 1512 wrote to memory of 1936	1512	rundll32.exe	31
PID 1512 wrote to memory of 1936	1512	rundll32.exe	31
PID 1512 wrote to memory of 1936	1512	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\$TEMP\PCSX2 1.6.0\Langs\zh_CN\pcsx2_Main.mo"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$TEMP\PCSX2 1.6.0\Langs\zh_CN\pcsx2_Main.mo
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$TEMP\PCSX2 1.6.0\Langs\zh_CN\pcsx2_Main.mo"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
82fc8685fbc41a5cdbcf246a06ef4834

SHA1
b00d82a0b665d59025f69b00f38edce51aa9990c

SHA256
fd67e8426ee15d29b0dbc88b8d53a14a12b1e05aef77e0da1c5a3587ca833053

SHA512
b5bf2a8c97454654c9182b4327cc02714c49604afdb49cc698116da63d9e3145769f7469c27a001901dd385a7dc5d6782cd55af477e7457cd112f66fc390b5de

Download Submit