Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-04-2024 12:26
Static task: static1
Behavioral task: behavioral1
  Sample: asd100.bin
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: asd100.bin
  Resource: win10v2004-20240226-en
General
- Target: asd100.bin
- Size: 100KB
- MD5: 4c6426ac7ef186464ecbb0d81cbfcb1e
- SHA1: 5a6918eebd9d635e8f632e3ef34e3792b1b5ec13
- SHA256: f627ca4c2c322f15db26152df306bd4f983f0146409b81a4341b9b340c365a16
- SHA512: 5f6dbea410beee80292b16df6fcc767ae6baf058ab4c38fa6a4fc72b7828374af42bd6da094eada2ad006d1a0754f9ff7bdd94c0ef9540e6651729b74fb9ea46
- SSDEEP: 3::
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description / ioc / process:
  Key created: \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\bin_auto_file (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.bin (rundll32.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\.bin\ = "bin_auto_file" (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\bin_auto_file\shell\Read\command (rundll32.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\bin_auto_file\ (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\bin_auto_file\shell\Read (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\bin_auto_file\shell (rundll32.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" (rundll32.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid / process:
  2692 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid / process:
  2692 AcroRd32.exe
  2692 AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description / pid / process / target process:
  PID 2840 wrote to memory of 2616: 2840 cmd.exe -> rundll32.exe
  PID 2840 wrote to memory of 2616: 2840 cmd.exe -> rundll32.exe
  PID 2840 wrote to memory of 2616: 2840 cmd.exe -> rundll32.exe
  PID 2616 wrote to memory of 2692: 2616 rundll32.exe -> AcroRd32.exe
  PID 2616 wrote to memory of 2692: 2616 rundll32.exe -> AcroRd32.exe
  PID 2616 wrote to memory of 2692: 2616 rundll32.exe -> AcroRd32.exe
  PID 2616 wrote to memory of 2692: 2616 rundll32.exe -> AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\asd100.bin
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\asd100.bin
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\asd100.bin"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 4c11e83eaf5cb3bc3d9fce07dc9e0f19
  SHA1: 4708b93b2275ee49a348d84b11a748f2fe5ca99e
  SHA256: 89b976fc8c01c1c8a0105cdde66eb231b20de8d59f0fa617afe0a67e295b8484
  SHA512: 14354eec43cf569288084376f964d908dcbbd87b2d4941c85c929d47b5d0e4c5e2eb53fad6204424f2b5c734b039af89fbd902a2bc84983c3d8dc3c2d5525514