Analysis

max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21/02/2024, 21:00
Static task
static1

Behavioral tasks (task | sample | resource)
behavioral1 | SPICA_無料版_.zip | win7-20240221-en
behavioral2 | SPICA_無料版_.zip | win10v2004-20240221-en
behavioral3 | SPICA2.psd | win7-20240221-en
behavioral4 | SPICA2.psd | win10v2004-20240221-en
behavioral5 | XsJ@Tv1.jpg | win7-20240220-en
behavioral6 | XsJ@Tv1.jpg | win10v2004-20240221-en
behavioral7 | XsJ@Tv3.jpg | win7-20240221-en
behavioral8 | XsJ@Tv3.jpg | win10v2004-20240221-en
behavioral9 | XsJ@Tv4.jpg | win7-20240215-en
behavioral10 | XsJ@Tv4.jpg | win10v2004-20240221-en
behavioral11 | XsJ@Tv5.jpg | win7-20240221-en
behavioral12 | XsJ@Tv5.jpg | win10v2004-20240221-en
behavioral13 | XsJ@TvQiŁj.jpg | win7-20240221-en
behavioral14 | XsJ@TvQiŁj.jpg | win10v2004-20240221-en
behavioral15 | pK.jpg | win7-20240221-en
behavioral16 | pK.jpg | win10v2004-20240221-en
General

Target: SPICA2.psd
Size: 44.3MB
MD5: ddb0e6ca4715e1305dd7d1a49c6db7a6
SHA1: ea95ad75de7cc8cb593f8534f1a9e5d9f6f0d56b
SHA256: 41240acbac7078caf7b3a9dd04b0c6b0b630986df83143231c1d742a3a2e300e
SHA512: 3503f720987cb09a9951eddd2a5d456f31a9314dfc0d64804f33be3aae48816251e0472ff1197ad588b85d1e325af8fc48df13f74f7a0316f036998e03486ebe
SSDEEP: 786432:BjNrLTK6KccvfP0qtnGhQ1CeN/ARpv8H6lEkRHH/OeLYmFZ4Due6izJw8ohPa2ZQ:ZNW6Kccv0aupv1zJf0GZU6i1tyart
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\psd_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.psd | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.psd\ = "psd_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\psd_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\psd_auto_file\shell\Read\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\psd_auto_file | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\psd_auto_file\shell\Read | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\psd_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
2492 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
2492 | AcroRd32.exe
2492 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | procid_target
PID 2236 wrote to memory of 2580 | 2236 | cmd.exe | 29
PID 2236 wrote to memory of 2580 | 2236 | cmd.exe | 29
PID 2236 wrote to memory of 2580 | 2236 | cmd.exe | 29
PID 2580 wrote to memory of 2492 | 2580 | rundll32.exe | 30
PID 2580 wrote to memory of 2492 | 2580 | rundll32.exe | 30
PID 2580 wrote to memory of 2492 | 2580 | rundll32.exe | 30
PID 2580 wrote to memory of 2492 | 2580 | rundll32.exe | 30
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\SPICA2.psd
   PID: 2236
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SPICA2.psd
      PID: 2580
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SPICA2.psd"
         PID: 2492
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 00cb03d611f42e3e5f9d6a5642c65b1b
SHA1: e51ab145bc2881332eb5d2afc0f689c1b71db763
SHA256: 7cbea565b4d6c6316c53b8f5a3d917ba7310951c3b04232e86b1e2718aa4608d
SHA512: eb52a20045f01fee7cc255f72c7a5c37ed56bb5a9d5736c584185c91390564a8c52a11914ce95208c8884c67cecb7bacfa609bc2d82ba92b0f4b1d6d172234a7