54b06c035e22e4c4cc2f828acfc99ed138e147b3384e31f4283ee62361d5b561

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b83cd525bb6fe770822ce513e7a4b398.jad
Size

68KB
MD5

b83cd525bb6fe770822ce513e7a4b398
SHA1

c2b71b787477102370280680a089157ebc450ad2
SHA256

54b06c035e22e4c4cc2f828acfc99ed138e147b3384e31f4283ee62361d5b561
SHA512

858a7f72b887a742bb9e0746058463683292db6e1459541cd049bffa89802fa36e16958c55441c8d47df0e1a6da85f132fc31b51e6c6caa92c418e1d38f4bc25
SSDEEP

1536:EjUcFC+MEcfwy7GtW2insgvrGoZNGtW2insgvrGoZb:EjUctox7ZsArG8ZsArGI

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.jad	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.jad\ = "jad_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\jad_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2444	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2444	AcroRd32.exe
2444	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2640	2756	cmd.exe	29
PID 2756 wrote to memory of 2640	2756	cmd.exe	29
PID 2756 wrote to memory of 2640	2756	cmd.exe	29
PID 2640 wrote to memory of 2444	2640	rundll32.exe	30
PID 2640 wrote to memory of 2444	2640	rundll32.exe	30
PID 2640 wrote to memory of 2444	2640	rundll32.exe	30
PID 2640 wrote to memory of 2444	2640	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\b83cd525bb6fe770822ce513e7a4b398.jad
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\b83cd525bb6fe770822ce513e7a4b398.jad
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\b83cd525bb6fe770822ce513e7a4b398.jad"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
67461ce3e2defc8d4df95ad8960ea081

SHA1
f021a9e7dbc48e54d91946146ce547aaf4c0d620

SHA256
1daa25b31fc500ac24612cb6d599c21a3ee8b5b93cd76c1394ac28c5f779df39

SHA512
57c347d81a4c273853ed2a4bde8b34a0e70b38e3886c3e1b62d08a58ea7f0c18ccdc9a818703f1e19407068dcfff4987987adccdb9b6bbe48349426ee3cf1aee

Download Submit