80a2f9e557e81028d751037e5d27bb90cd7b822bc0e6a6e4201287074d8fec08

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/02/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

icudtl.dat
Size

10.1MB
MD5

2c367970ac87a9275eeec5629bb6fc3d
SHA1

399324d1aeee5e74747a6873501a1ee5aac005ee
SHA256

17d57b17d12dc5cfbf06413d68a06f45ccf245f4abdf5429f30256977c4ed6de
SHA512

f788a0d35f9e4bebe641ee67fff14968b62891f52d05bf638cd2c845df87f2e107c42a32bbe62f389f05e5673fe55cbdb85258571e698325400705cd7b16db01
SSDEEP

98304:TfPBQYOo+ddlymYf2LfPQCvliXUxiG9Ha93Whla6ZENSs285:TfPBhORjYAHliXUxiG9Ha93Whla6ZEV7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.dat	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\.dat\ = "dat_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\dat_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	AcroRd32.exe
2688	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2300	2376	cmd.exe	29
PID 2376 wrote to memory of 2300	2376	cmd.exe	29
PID 2376 wrote to memory of 2300	2376	cmd.exe	29
PID 2300 wrote to memory of 2688	2300	rundll32.exe	30
PID 2300 wrote to memory of 2688	2300	rundll32.exe	30
PID 2300 wrote to memory of 2688	2300	rundll32.exe	30
PID 2300 wrote to memory of 2688	2300	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\icudtl.dat
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\icudtl.dat"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
744fef6450281fd87bfba702c1aa22ef

SHA1
c9c9202f401a2e6025b3bc98b20ed551335a794d

SHA256
0a3250f14bf2f3febbfe63b19fe6a405c37da711d63b974c1e051d19050f0e7a

SHA512
4a9b605a6c4169608fbeb26a6f8c3143f8820b83aca841fd2107cc494833a6b802366483a4c77a227393d61b19b67c48825077c7b7dcdf44a435a28896a2037f

Download Submit