5daea0e236791d060252b4e08b7c5e287d448891187ea0ca2b802e4ea1af9834

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 12:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

x64/Templates/ConfigComplementos.rpt
Size

64KB
MD5

f5e0f49448c961d00f5e1fb5ababaf60
SHA1

9683c793075368ecf3575d8d4e4571be1a021b1d
SHA256

3f95f256b75c853ff5fa9b5133903d6a7d99a0589b3fd72fb2f9e76dc672be82
SHA512

e8798587ed0964654a77d42c4e49f62d3f781c49a07728c7161ca59854f8428336a122b914926fd42138ac3f487c1990f996b785574a75c5da62394381e5177e
SSDEEP

192:lZ7LAfF3MwMlGM1M4MxM7MEZg7Bv4dOmYwcXBmwTEowvrM2mVhG2q+Xa0cWIQr:30SZg7J4oBwcXBvgoCY2m3S

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rpt_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rpt_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.rpt\ = "rpt_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rpt_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rpt_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rpt_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\rpt_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.rpt	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	AcroRd32.exe
2748	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2544	2316	cmd.exe	29
PID 2316 wrote to memory of 2544	2316	cmd.exe	29
PID 2316 wrote to memory of 2544	2316	cmd.exe	29
PID 2544 wrote to memory of 2748	2544	rundll32.exe	30
PID 2544 wrote to memory of 2748	2544	rundll32.exe	30
PID 2544 wrote to memory of 2748	2544	rundll32.exe	30
PID 2544 wrote to memory of 2748	2544	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\x64\Templates\ConfigComplementos.rpt
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\x64\Templates\ConfigComplementos.rpt
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\x64\Templates\ConfigComplementos.rpt"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7742c9c998f13fd7df47097e27c92ae1

SHA1
09abb2ef1597594b36dcb88f374240e25b54db75

SHA256
f3615f811243bd66b6cf597a9aeb4bd6eb4b93363fcd0f0a02887936ce73fc54

SHA512
b859d68d1eaf2b1ca661c38d7bdaf6ae6a824582033e22eb1ad0d73fe0dd659755ea9d224a646b298c3a6c2c998924dc817f87585b89f4b5b4eec55583aa6257

Download Submit