Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: 74f36be83678a7b73d2706eeeb82f3d3.jad
- Resource: win7-20231215-en
General
- Target: 74f36be83678a7b73d2706eeeb82f3d3.jad
- Size: 68KB
- MD5: 74f36be83678a7b73d2706eeeb82f3d3
- SHA1: e877d21ea256c4931b517746944e65459cf1581c
- SHA256: 31cc47112ea20ee2e71485dde81152a19ad8019754a0038c5c080c8b53ef5879
- SHA512: c94794e85fbd9e43c8cb08a60e22d8f046062994520745e2c50dc3c4f2f9c41480a45ab5365381cee47fd96e3793847621d0bae17f390188569688e375bb1740
- SSDEEP: 1536:EjUcFC+MEc2wy7GtW2insgvrGoZNGtW2insgvrGoZG:EjUctoW7ZsArG8ZsArGd
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell\Read | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.jad | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\.jad\ = "jad_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\jad_auto_file\shell\Read\command | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2800 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2800 | AcroRd32.exe
  2800 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2332 wrote to memory of 2708 | 2332 | cmd.exe | rundll32.exe
  PID 2332 wrote to memory of 2708 | 2332 | cmd.exe | rundll32.exe
  PID 2332 wrote to memory of 2708 | 2332 | cmd.exe | rundll32.exe
  PID 2708 wrote to memory of 2800 | 2708 | rundll32.exe | AcroRd32.exe
  PID 2708 wrote to memory of 2800 | 2708 | rundll32.exe | AcroRd32.exe
  PID 2708 wrote to memory of 2800 | 2708 | rundll32.exe | AcroRd32.exe
  PID 2708 wrote to memory of 2800 | 2708 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe (PID 2332)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\74f36be83678a7b73d2706eeeb82f3d3.jad
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2708)
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\74f36be83678a7b73d2706eeeb82f3d3.jad
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2800)
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\74f36be83678a7b73d2706eeeb82f3d3.jad"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 071d9345f091b602b386582533645cfd
  SHA1: 3e3c19971c63c8d07120131a0e8958b645f07191
  SHA256: 7df586aeb00477c4a7bbbc082aa0128cc27c23d1cf099d30bd02636ee4615ed4
  SHA512: 92958ac2d9a2a847f89f3d5d10b2b825a29d13b9fff7abc08f1f623470a7cc4965cf1926dc5727d55c716108eb7c4248d8efff0c468c0fda7d739deba4df5ed7