77988bfd59f4057f4f4d1952e36153870d9754f9233e36b0e0e5b7d684cfdcc7

Analysis

max time kernel
104s
max time network
72s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vintage Story/assets/survival/worldgen/villages.json
Size

12KB
MD5

7149f35b8ddc47c8527d9e8791c9b9c0
SHA1

ae29e59cee9da74ed05acb52fc50552be74ad3ea
SHA256

4a066d9ea577943ea51d8dde4d4c7bf45088f32735786aef69e5490ea6da995a
SHA512

cb1e40ceeae50bbed6144d3afed06a567b9f4c020dc506b65756b2636ee51fd0321e6bfece11e0b4b7db81f046cd505d3b9b9c2b86a5b7a172b0388bbdf10643
SSDEEP

384:WJDjllDjAIDjpCDj7hDjF6DjwODjsuDj5ODjrADjVEDj6vDjsHDjKbDj4rDj+RDN:o

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2284	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2284	AcroRd32.exe
2284	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2456	2540	cmd.exe	30
PID 2540 wrote to memory of 2456	2540	cmd.exe	30
PID 2540 wrote to memory of 2456	2540	cmd.exe	30
PID 2456 wrote to memory of 2284	2456	rundll32.exe	31
PID 2456 wrote to memory of 2284	2456	rundll32.exe	31
PID 2456 wrote to memory of 2284	2456	rundll32.exe	31
PID 2456 wrote to memory of 2284	2456	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Vintage Story\assets\survival\worldgen\villages.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Vintage Story\assets\survival\worldgen\villages.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Vintage Story\assets\survival\worldgen\villages.json"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e8395ce179f75aa0c89c6a88c64fba65

SHA1
640b6277eacaa945fb534f8c97a8332612c10786

SHA256
1c64bb6556b1ef843979caf47a02881d5bbc8a8fd7d3b05336b2bc31886e9b8e

SHA512
2a3b1b7df1e75c2854936347a28a9bab5c8085aba299e0761f5e82509acb92757a240a77de870197303dc156de7f4434de2583985dfd70c646dfc2996b40e6d6

Download Submit