841a98464457d2fceff8a35e6b575b1e5e0681f7232cb3c2b94c698e38960a25

Resubmissions

25/03/2024, 21:05

240325-zxdnnahe48 3

25/03/2024, 20:59

25/03/2024, 20:56

25/03/2024, 20:51

25/03/2024, 20:45

25/03/2024, 20:38

25/03/2024, 20:36

Analysis

max time kernel
18s
max time network
16s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Prefetch/CONSENT.EXE-40419367.pf
Size

47KB
MD5

5bf2115dc8d3b729c5829874d5d8cb59
SHA1

f9a56d5cf85b67f84f4217c93fad6f48d9813202
SHA256

2b4056595a0cee651479270c2e09cd47ebba9124336c577ddd3b0c782afc48b2
SHA512

ce6d130a05aa1fa428f444ab3f156834a401e4f9029d6ba7a31f26f2dcfb532393acc19411b2cfafea7ff0bc29d5748d527d3d157623c35424f1362fc6bd15f8
SSDEEP

768:lwPFCp5xpgP+Qfx6tRRwCxWjoeT1glONlNNjBR3BUa+rJ9Fe:EFCHjxWt4uPR3BUlvFe

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pf_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pf	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pf_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pf_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pf_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pf_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.pf\ = "pf_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\pf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2544	AcroRd32.exe
2544	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2628	2712	cmd.exe	29
PID 2712 wrote to memory of 2628	2712	cmd.exe	29
PID 2712 wrote to memory of 2628	2712	cmd.exe	29
PID 2628 wrote to memory of 2544	2628	rundll32.exe	30
PID 2628 wrote to memory of 2544	2628	rundll32.exe	30
PID 2628 wrote to memory of 2544	2628	rundll32.exe	30
PID 2628 wrote to memory of 2544	2628	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Prefetch\CONSENT.EXE-40419367.pf
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Prefetch\CONSENT.EXE-40419367.pf
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Prefetch\CONSENT.EXE-40419367.pf"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
310032eb1e3527e995611e70715500db

SHA1
2e11aa4930761b25e1ce5105a243806f41c308f1

SHA256
108d5464b9737bb4a6457d2bbef293fc652160558eb387518cd12a8fe3a4a622

SHA512
30460a4718a699bb7cf3b328142d7f53ff5eb947f6f0799bc3ffc2591d14cb4fc8da7b3059ec41785b895b9ce88a1eb424bd5a690be7957fae0beea5d73a2757

Download Submit