3b530ace3209771f676e361ebc54dfc5d992d5069db93d416cd4b60745ccc400

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 13:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/indsigelse.ant
Size

50KB
MD5

fe6e4fb43bfcb1e023788a586f9de59d
SHA1

86fc49bf39c949766f9b2601f62cfb8dce864027
SHA256

7f129a12d4e161d5cfaec501713f650008eec3bae6e73928f0383ce2d563e5e1
SHA512

386f7bc255e33f6269208bf68433628f4e4b97ae535dfae238e689e62a5853e549b0cdc7a69d2c8258e668c449056d407b5b186bb42003353f5df6a2166dc757
SSDEEP

768:SrGIR2Rr+h5F/WAwCWXYI+tHdDjhq11G0JrBY2UHZ1z/VyaIvQz:SrGIRIKhz/T90YI69Djh+sPHZRI/Qz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ant_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.ant\ = "ant_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ant_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ant_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ant_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.ant	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ant_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\ant_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2440	AcroRd32.exe
2440	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2512	2760	cmd.exe	29
PID 2760 wrote to memory of 2512	2760	cmd.exe	29
PID 2760 wrote to memory of 2512	2760	cmd.exe	29
PID 2512 wrote to memory of 2440	2512	rundll32.exe	30
PID 2512 wrote to memory of 2440	2512	rundll32.exe	30
PID 2512 wrote to memory of 2440	2512	rundll32.exe	30
PID 2512 wrote to memory of 2440	2512	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Sudsers34\Neoterist\Opslagsbindenes\Oplivelse\indsigelse.ant
1⤵
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Sudsers34\Neoterist\Opslagsbindenes\Oplivelse\indsigelse.ant
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Sudsers34\Neoterist\Opslagsbindenes\Oplivelse\indsigelse.ant"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
af07097eb1c47b8b77df862e7d8e0c35

SHA1
94d6c5264856c814fc71a72318fb6467db368cfd

SHA256
9a449956d66d791fae6ee8463d79b655f52438f4f9ac8738f47181e4ba20285e

SHA512
d3be153f6efdbe36d51ab702b19b783057d2ec770231aff5ec92450ace7115d169f42bf132c4c3b400dd6a0ceb70571e0e12c7045d24a8e6d026f48223148ac6

Download Submit