e3596428cd648a2b0374346a990e71cf4af0feb6bb6ec51d8ec3e369f26e2bbe

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-02-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

geode/resources/geode.loader/mdFontMono-uhd.fnt
Size

8KB
MD5

03d291216c218b349deb503534b6ddd3
SHA1

2963dbc6e8ebcef1d59cbd0e80a750c0d2bf31d0
SHA256

5d56ef0ddd3e1837f8baf1c031155c1a04911da6650bdf5584eb60d3fda30e9f
SHA512

7a100292cd5752fb226ab36505bbab88f35d81ea94b1e1e90540ea3c341f691a0c46c913ac8fdbe814c55f9c175e2c4ec72f53718b4cce8a110608dac94a25e5
SSDEEP

192:2+EQCegiukz5CpEtAC1CtGkr5JQk9Vs06Y1CjieYICTI9r5J398h+Bu3ZEoQJgVf:OsB6CK

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.fnt	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fnt_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fnt_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fnt_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fnt_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fnt_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\fnt_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.fnt\ = "fnt_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2808 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2808 AcroRd32.exe
2808 AcroRd32.exe

pid	process
2808	AcroRd32.exe

pid	process
2808	AcroRd32.exe
2808	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2936 wrote to memory of 2524	2936	cmd.exe	rundll32.exe
PID 2936 wrote to memory of 2524	2936	cmd.exe	rundll32.exe
PID 2936 wrote to memory of 2524	2936	cmd.exe	rundll32.exe
PID 2524 wrote to memory of 2808	2524	rundll32.exe	AcroRd32.exe
PID 2524 wrote to memory of 2808	2524	rundll32.exe	AcroRd32.exe
PID 2524 wrote to memory of 2808	2524	rundll32.exe	AcroRd32.exe
PID 2524 wrote to memory of 2808	2524	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\geode\resources\geode.loader\mdFontMono-uhd.fnt
1⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\geode\resources\geode.loader\mdFontMono-uhd.fnt
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\geode\resources\geode.loader\mdFontMono-uhd.fnt"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e0ff7003da369dc2fc96c15dfcaf1ca0

SHA1
b183e47a2ac789c7c601c19882b9870765f478ba

SHA256
f456717529c2538c6a06105f07fb6937512418165cf6857ba8670258ba72181a

SHA512
ec24c069e39ea3819ccbfe55b9849b68ae273c921bb1ec613eafdb99b1bfe91b32ed36241877da06d112c986273bb4e2d740d4fdb6bb76ed14d485957caf5e01

Download Submit