72b5e76a8256cf479be8ab736165302405cc399be066f8b9d7eb1ba52520e3c1

Resubmissions

03/02/2024, 06:55

240203-hp5czabeg7 7

03/02/2024, 06:52

03/02/2024, 06:46

03/02/2024, 06:41

03/02/2024, 06:38

03/02/2024, 05:47

03/02/2024, 05:22

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAM_Data/boot.config
Size

134B
MD5

907ed48ee399ff6b9343f7c9a83cfaf5
SHA1

84cc39533172e4b658e886578e0be733a35b80a2
SHA256

88bd9f6c0a46984270f62263a06df343f6a8d10b3e6a27f59b3786237ece6c5d
SHA512

269d44963d248caa9325ea6ae64233f1cb8c3a221500d52c33571c56a72b0531d74193da96197aea460acb46c893cbf28a25dcfe5c23e8c3eadff9f3d820b2b3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2640	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	AcroRd32.exe
2640	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2640	2816	cmd.exe	29
PID 2816 wrote to memory of 2640	2816	cmd.exe	29
PID 2816 wrote to memory of 2640	2816	cmd.exe	29
PID 2816 wrote to memory of 2640	2816	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RAM_Data\boot.config
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RAM_Data\boot.config"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5d7f4e2300452aa1fb992c78be14e10b

SHA1
c0d19edee9d17bbd837fd22e6dfd9fed40c53067

SHA256
ca8c2df8a377b0a3ba8a695524fdc6be5bce5ed950885f1fcdc34566d35e584d

SHA512
cded7285acc9bd923cc4126aeb6d64da2cd7064d435fdfb86bb753da40067202e43385e2bfc90a4b880b5c7fab22141b5e9eaea0f68977a6cfc36d967e9fdac2

Download Submit