36e2c9d3c3531d0675492ca7470ef832cda4b97dd7593ca8cf0c4e60f63e55f1

Analysis

max time kernel
158s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pal/Saved/SaveGames/0/4DB765FD4B7E500DF91375BA51CE6666/Players/C58D2BA7000000000000000000000000.sav
Size

3KB
MD5

93ae86cb85e9d009d0886831223f6047
SHA1

d646526912dd7edb820f74b6739341510a8c6b10
SHA256

8bcb33cd58113559ab12fca47eae56e741268ed82d201851456ac1e404e1bd0c
SHA512

88f46c00ecdf7cd572c6412f437a23f1b0f906975fb0c66b177b8868b15811b0fe5cc9375aed949a4505707c2e6f54eb27742baed06200cc12fdaf22de9be5e4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.sav	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.sav\ = "sav_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\sav_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\sav_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\sav_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\sav_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\sav_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\sav_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
860	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
860	AcroRd32.exe
860	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2388	2564	cmd.exe	30
PID 2564 wrote to memory of 2388	2564	cmd.exe	30
PID 2564 wrote to memory of 2388	2564	cmd.exe	30
PID 2388 wrote to memory of 860	2388	rundll32.exe	32
PID 2388 wrote to memory of 860	2388	rundll32.exe	32
PID 2388 wrote to memory of 860	2388	rundll32.exe	32
PID 2388 wrote to memory of 860	2388	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Pal\Saved\SaveGames\0\4DB765FD4B7E500DF91375BA51CE6666\Players\C58D2BA7000000000000000000000000.sav
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Pal\Saved\SaveGames\0\4DB765FD4B7E500DF91375BA51CE6666\Players\C58D2BA7000000000000000000000000.sav
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pal\Saved\SaveGames\0\4DB765FD4B7E500DF91375BA51CE6666\Players\C58D2BA7000000000000000000000000.sav"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
11fdf49a2a74c7ec1e432179c3e31466

SHA1
10f70d4d0788333790983b69efefd75ab0dc11de

SHA256
cc5ab54252e142064c68f6cea39ecb5db413156fda8db7800409c1aeb44cfaa4

SHA512
4fa412653458d1fd614ca311b8020e7262d1f4c73a8d1f4b69e361ba551c3184913930b14eac52bed5365cc3f2d9df1c4923d479a2d8866884dedaf2ce19d34c

Download Submit