dade9c3e15dbc7dbe43d4a9945ddf2ef49ef243974e61f030276b555b21a4ab3

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bobiAntiFall.cs
Size

17KB
MD5

7a7bba8681b07bffb676e360a3d68189
SHA1

30d71103e9fd485329ff666c7d5048f3aeee4576
SHA256

8c2fc3d96d376d9d5a3c764b8c69d993d1a4a4ded7de7024ec5f88ca167033c9
SHA512

c3e38b5c9e83c9dc7c5357c232ca3639a904867db01957a553de7b3cb65591c95d62f85888e9d12d832d6bd7797ab3abf234a9fece7d53138e1c56db4597f450
SSDEEP

384:bf1uJEVbpKJj7Bz3sMKfTWSFMl759NcIEnncN79yPzD41H:bNuedKJj7BPl75YIEY74OH

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2468	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2468	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2468	AcroRd32.exe
2468	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2468	1628	cmd.exe	29
PID 1628 wrote to memory of 2468	1628	cmd.exe	29
PID 1628 wrote to memory of 2468	1628	cmd.exe	29
PID 1628 wrote to memory of 2468	1628	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bobiAntiFall.cs
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bobiAntiFall.cs"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1dcfbc75b3b1a8e4eb8542d7e2c45ad6

SHA1
0500b8f930861858a3bd17271fae764510fb225d

SHA256
fd0c35e2ae223c4e2e1aa2b56a2f188b182babb8c67116306b33cd67be5bd58c

SHA512
794addc7caa26524f112d90e7b5a5e053f51d7443d1c285d359ef48ef713731be0137ee2fb2732afe16f16e2b44792c0849ad0c2720e8df298112eddb1839614

Download Submit