e5b98f79e84d434b44fe4dab6b0e7823772d32744249a8fb9fb2288d0b354b21

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 12:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scph10000.nvm
Size

1024B
MD5

0f343b0931126a20f133d67c2b018a3b
SHA1

60cacbf3d72e1e7834203da608037b1bf83b40e8
SHA256

5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
SHA512

8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\nvm_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\nvm_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\nvm_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\nvm_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.nvm	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.nvm\ = "nvm_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\nvm_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\nvm_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2684	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2684	AcroRd32.exe
2684	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2704	2644	cmd.exe	29
PID 2644 wrote to memory of 2704	2644	cmd.exe	29
PID 2644 wrote to memory of 2704	2644	cmd.exe	29
PID 2704 wrote to memory of 2684	2704	rundll32.exe	30
PID 2704 wrote to memory of 2684	2704	rundll32.exe	30
PID 2704 wrote to memory of 2684	2704	rundll32.exe	30
PID 2704 wrote to memory of 2684	2704	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\scph10000.nvm
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\scph10000.nvm
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\scph10000.nvm"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
01e7336e55fa5f910f25672ea4945a48

SHA1
3f1a4f00187c689025a1805dbcc7bc2e9d2da80e

SHA256
7117e5b596851e71b7171805c007c5dcfa099dce430ffbff37bac53b4173e5fa

SHA512
c2afa9f72e8125bd3cd484ebcf6ae8e3f1fe6f1797c233ce911299583c672f211245b96eaf405ad94a8bc2fd3f42dd8d01275c1eadd64472014c8a4f8478ad54

Download Submit