0f697e9cca3455c8e54b7b049b4e9632115634615f38e43ddbeb781d978354db

Analysis

max time kernel
128s
max time network
75s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

web-client/translations/pl.json
Size

229KB
MD5

9ea17fa0857e212627af762da17fa65d
SHA1

3790166e767b6386a7d81c13c24830fa31afc3a8
SHA256

3955bfa051a8aa8e7a4576e2d76839dd867e73076ad5326806bd4b668b2aaa02
SHA512

922e6f350de0db3ccc00c6f72d65145071dd4b6954d832c7d0890029c07d8fbf28be57d846e7457e43342e298316cf28b1c9d480bdc19dc71a26d4f54b708c43
SSDEEP

3072:p3inCqVoZoPVqD0g4bf9S33k5sJklGouUFUnZe4rhcy/NvY0zjha2HYs5DKBTjsh:KXZS331TjYIp4sqTi6YnLgXhyce

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.json	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
676	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
676	AcroRd32.exe
676	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2968	2720	cmd.exe	29
PID 2720 wrote to memory of 2968	2720	cmd.exe	29
PID 2720 wrote to memory of 2968	2720	cmd.exe	29
PID 2968 wrote to memory of 676	2968	rundll32.exe	30
PID 2968 wrote to memory of 676	2968	rundll32.exe	30
PID 2968 wrote to memory of 676	2968	rundll32.exe	30
PID 2968 wrote to memory of 676	2968	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\web-client\translations\pl.json
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\web-client\translations\pl.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\web-client\translations\pl.json"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2131dc7c277bb5136c5a8ee28061b1c5

SHA1
a815e00a947759aea0ddce6a2ea2d6312b364ac3

SHA256
599f1b721a520a1769640c6a918f46460840c029b18b90a72346b21e2173d3d3

SHA512
f4ebd66e41fba7bce31beb3896dd6348e6398421c994a129a75179fa9a7be7486bbba8a8e104c8c2239f0d6dabf8af41fb0f2a89d04472c3d5a35ec0f7ae57a7

Download Submit