36e2c9d3c3531d0675492ca7470ef832cda4b97dd7593ca8cf0c4e60f63e55f1

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pal/Saved/SaveGames/0/4DB765FD4B7E500DF91375BA51CE6666/Players/E76BA128000000000000000000000000.sav
Size

2KB
MD5

6b0580637db1d5580109b67ad457407f
SHA1

958847f241b16ce56280ba8d57c66e1b176d6345
SHA256

209b2fb32d8387fd6f2eab8d26ef748ae1766038b72c27523d1d90acf466efee
SHA512

39438ae3b0c9e45b9a7073e45e625b1873a62bd5d2b6e262a1db95d73cfe909390d4559ba66999bc0135b45545663f3149684120f0998e3088161c129a141ed9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sav_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.sav	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.sav\ = "sav_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sav_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sav_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sav_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sav_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sav_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1320	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1320	AcroRd32.exe
1320	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2624	1804	cmd.exe	29
PID 1804 wrote to memory of 2624	1804	cmd.exe	29
PID 1804 wrote to memory of 2624	1804	cmd.exe	29
PID 2624 wrote to memory of 1320	2624	rundll32.exe	30
PID 2624 wrote to memory of 1320	2624	rundll32.exe	30
PID 2624 wrote to memory of 1320	2624	rundll32.exe	30
PID 2624 wrote to memory of 1320	2624	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Pal\Saved\SaveGames\0\4DB765FD4B7E500DF91375BA51CE6666\Players\E76BA128000000000000000000000000.sav
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Pal\Saved\SaveGames\0\4DB765FD4B7E500DF91375BA51CE6666\Players\E76BA128000000000000000000000000.sav
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pal\Saved\SaveGames\0\4DB765FD4B7E500DF91375BA51CE6666\Players\E76BA128000000000000000000000000.sav"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1fd1bbea90a82c21a81eb175d3841d3d

SHA1
6363877eb662ebfcd7f003b928fd8702607dd3ed

SHA256
b02c8577180eff09b8d6ab213a92d57b834e4998e4c7f47f27b53224afe6cdf5

SHA512
5ab5482e13af480eec54a4c4feef74e34047d6133ef73e6490ba420d60664c829c07f9fc9e0c32dd6db41d561ed35e68f910fc7f55aa978295936e60981b129c

Download Submit