98a2b4e6ca4787e4d929e9e05b015cfd1e8dd3d3c2ed895cc52733ff3f048a15

Analysis

max time kernel
200s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 15:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DLC/dlc040_trial_of_allegiance/gfx/entities/TOA_meshes_infantry.gfx
Size

103KB
MD5

487185357b6bd77faf2ebf80313f4e13
SHA1

38ec9def9cc6c0d3002a46671cafd137753b6581
SHA256

fd9e74e4644fdcebb93aae97a2b628671a2382c7d6f3b14c6d6b801ffce748fe
SHA512

d230202d02be1a48bd6a0b48c5fd061d00555265c5e36a406874f4a6d7d3597e24799a049442b1a87ce8919ea3c64d903d5f8d393352eddbec5af29f7892d318
SSDEEP

192:Pt89kpRf9kGjkb/t8Z4dRfZ42qWaQ2jagt87WZRf7WFBWXt8QxTRfQxCLnt8Q/vP:VCM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\gfx_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\gfx_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\gfx_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\gfx_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\gfx_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.gfx	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\.gfx\ = "gfx_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\gfx_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1292	AcroRd32.exe
1292	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 576	2472	cmd.exe	30
PID 2472 wrote to memory of 576	2472	cmd.exe	30
PID 2472 wrote to memory of 576	2472	cmd.exe	30
PID 576 wrote to memory of 1292	576	rundll32.exe	31
PID 576 wrote to memory of 1292	576	rundll32.exe	31
PID 576 wrote to memory of 1292	576	rundll32.exe	31
PID 576 wrote to memory of 1292	576	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\DLC\dlc040_trial_of_allegiance\gfx\entities\TOA_meshes_infantry.gfx
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\DLC\dlc040_trial_of_allegiance\gfx\entities\TOA_meshes_infantry.gfx
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\DLC\dlc040_trial_of_allegiance\gfx\entities\TOA_meshes_infantry.gfx"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d236b283168961af2f2e4541e5fc4a35

SHA1
3db41dc54ce1dd33fcb862570b8b4cff24680fd7

SHA256
240a247cc6164b93815b57e8cee4b3866dc7a92b670c19934ffd6067b2e22e1e

SHA512
f51a01a848d3fd91dd4a8b652f61020296650660cd6f836591cfb8698fcbb76ad42c479a935c4d4189f9d0eee99d7af7c2026d2b0726a04b84c6af704b00ba2f

Download Submit