88069993bf5ab8962e2b844ee58659a1ec59c9662e4e2bc87947fb08abc54dc1

Analysis

max time kernel
34s
max time network
18s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/03/2024, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TeddyPcFiles/config.json
Size

99B
MD5

668a1b746e7bce9ff92bcf04fecb2014
SHA1

83d39ef8457d8c03c7e2dff8db688833fe4eb495
SHA256

c5ed2b2dcbda5dc58f8c1ad7652f0c7e0432d5900683b798b72970065817cdb8
SHA512

2b11a3f36223088b203ceae4d1207f1100a6cbb44556e235f82dc4c5ea0d32798800a3b41b99f57e6a30d9a47d773f0bb1b4ca62dff8c9a00be87afbdc3a1208

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	AcroRd32.exe
2640	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2900	1948	cmd.exe	29
PID 1948 wrote to memory of 2900	1948	cmd.exe	29
PID 1948 wrote to memory of 2900	1948	cmd.exe	29
PID 2900 wrote to memory of 2640	2900	rundll32.exe	30
PID 2900 wrote to memory of 2640	2900	rundll32.exe	30
PID 2900 wrote to memory of 2640	2900	rundll32.exe	30
PID 2900 wrote to memory of 2640	2900	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TeddyPcFiles\config.json
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TeddyPcFiles\config.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TeddyPcFiles\config.json"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a3d0f313c083cb3046982991ebe93342

SHA1
346372c385a167fa1ff9178d2b869fcceb76d670

SHA256
ecb36cc15805e6315916e439371ff6a6dbf7359ed8d4c078f0a1417c993865d1

SHA512
b3ba0307f012b9ca10ad332d717db02be7d49b10e4b9d2d1d12ccfa95e678d1f0acb9f8f3d206c40b67cf7f2208c298aa5e71766dbc234a76bd40813aee7fd28

Download Submit