Analysis

Max time kernel: 122s
Max time network: 128s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 05-04-2024 15:56
Static task
  static1

Behavioral tasks
  behavioral1  Sample: redist.zip       Resource: win7-20240319-en
  behavioral2  Sample: redist.zip       Resource: win10v2004-20240226-en
  behavioral3  Sample: buildrhadha.exe  Resource: win7-20240221-en
  behavioral4  Sample: buildrhadha.exe  Resource: win10v2004-20240319-en
  behavioral5  Sample: data.bin         Resource: win7-20240221-en
  behavioral6  Sample: data.bin         Resource: win10v2004-20240226-en
  behavioral7  Sample: g2m.dll          Resource: win7-20240221-en
  behavioral8  Sample: g2m.dll          Resource: win10v2004-20240226-en
General

Target: data.bin
Size: 385KB
MD5: 5a7264ad76d39eda0dc5530e9a3679e4
SHA1: 1efbe655e1ba6c78c43ba3409cf8e8f684abb3b4
SHA256: 63517dce685f53192dad844d6bfed151f081a7ba2c37ce416117d2d938d07a6c
SHA512: 5abf227ebaccb71d415252c664ce1ee8581964c75839b032dae65d709a195dfca3e49a92e5e737c313d570f7891d752ba828944abcadce7e1e8942349efe571b
SSDEEP: 6144:LvwGlkQbUt657/HdVfsEb3nkg88bCQUYs08m78m+51RUsWTNCsF8ncMu+Ur0:LIZiLvUM/7qmgm+57UFTN18n4r0
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  Process: rundll32.exe
  Description      IoC
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\shell\Read
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\shell\Read\command
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.bin\ = "bin_auto_file"
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.bin
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\shell
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\ (value not shown in report)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: AcroRd32.exe
  PID   Process
  2552  AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe
  PID   Process
  2552  AcroRd32.exe
  2552  AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  Description                      PID   Process       Target process
  PID 2460 wrote to memory of 2528  2460  cmd.exe       rundll32.exe
  PID 2460 wrote to memory of 2528  2460  cmd.exe       rundll32.exe
  PID 2460 wrote to memory of 2528  2460  cmd.exe       rundll32.exe
  PID 2528 wrote to memory of 2552  2528  rundll32.exe  AcroRd32.exe
  PID 2528 wrote to memory of 2552  2528  rundll32.exe  AcroRd32.exe
  PID 2528 wrote to memory of 2552  2528  rundll32.exe  AcroRd32.exe
  PID 2528 wrote to memory of 2552  2528  rundll32.exe  AcroRd32.exe
Processes

1. C:\Windows\system32\cmd.exe  (PID 2460)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\data.bin
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe  (PID 2528)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data.bin
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe  (PID 2552)
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data.bin"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
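Reading the process tree together with the registry IoCs: data.bin is not an executable, so "cmd /c data.bin" fell through to the Windows "Open With" dialog (rundll32.exe shell32.dll,OpenAs_RunDLL), and the nine registry writes are the per-user file association that dialog creates (HKCU\Software\Classes, shown by the sandbox as \REGISTRY\USER\<SID>_CLASSES: the .bin extension key points at the bin_auto_file ProgID, whose shell\Read\command runs AcroRd32.exe "%1"). The GetForegroundWindowSpam and SetWindowsHookEx signatures then come from the chosen handler, PID 2552, not from the submitted file. The script below is an added triage example, not the sandbox's or the sample's code: it parses the IoC lines exactly as printed above, resolves the association chain the way the shell does, checks the result against the AcroRd32.exe command line in the tree, and marks which PIDs descend from an Open With dialog. Parent PIDs are taken from the tree nesting and the WriteProcessMemory IoCs; the value of the last "Set value" entry is not shown in the report, so the parser records it as missing rather than guessing it.

```python
"""Resolve the file-type association recorded in a sandbox report.

Added example (not sandbox or sample code). Input lines are copied from
the 'Modifies registry class' IoCs and the Processes section above.
Windows resolves an opened file as
  HKCU\\Software\\Classes\\.<ext> (default) -> ProgID
  -> ProgID\\shell\\<verb>\\command, with %1 replaced by the file path.
"""
import re
from typing import Dict, List, Optional, Tuple

# The nine registry operations as the sandbox printed them.
REGISTRY_IOCS = r'''
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\shell\Read rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\shell\Read\command rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.bin\ = "bin_auto_file" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.bin rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\shell rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\bin_auto_file\ rundll32.exe
'''

# (pid, parent pid, command line) from the Processes section; parent PIDs
# follow the tree nesting and the WriteProcessMemory IoCs (2460->2528->2552).
PROCESS_TREE: List[Tuple[int, Optional[int], str]] = [
    (2460, None, r"cmd /c C:\Users\Admin\AppData\Local\Temp\data.bin"),
    (2528, 2460, r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data.bin'),
    (2552, 2528, r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data.bin"'),
]

# <operation> <key path>[ = "<escaped value>"] <process>; key paths may contain spaces.
LINE_RE = re.compile(
    r'^(?P<op>Key created|Set value \(\w+\)) '
    r'(?P<key>\\REGISTRY\\.*?)'
    r'(?: = "(?P<val>(?:[^"\\]|\\.)*)")?'
    r' (?P<proc>\S+)$'
)
OPEN_WITH_RE = re.compile(r"shell32\.dll,OpenAs_RunDLL\b", re.IGNORECASE)


def unescape(s: str) -> str:
    """Undo the report's C-style escaping of value strings (\\" and \\\\)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_iocs(text: str) -> List[Dict[str, Optional[str]]]:
    rows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        d = m.groupdict()
        d["val"] = unescape(d["val"]) if d["val"] is not None else None  # None = value not shown
        rows.append(d)
    return rows


def set_values(rows) -> Dict[str, Optional[str]]:
    """Lower-cased key path -> value for every 'Set value' row (registry paths
    are case-insensitive; the report itself mixes _CLASSES and _Classes)."""
    return {r["key"].lower(): r["val"] for r in rows if r["op"].startswith("Set value")}


def resolve_association(rows, ext: str, verb: str) -> Optional[str]:
    """Command template for <ext> via the ProgID's shell\\<verb>\\command, or None."""
    values = set_values(rows)
    progid = None
    for key, val in values.items():
        if key.endswith("_classes\\" + ext.lower() + "\\") and val:
            progid = val
    if progid is None:
        return None
    suffix = "_classes\\" + progid.lower() + "\\shell\\" + verb.lower() + "\\command\\"
    for key, val in values.items():
        if key.endswith(suffix):
            return val
    return None


def handler_command_line(rows, ext: str, verb: str, target: str) -> Optional[str]:
    """The command line Windows runs for <target>: template with %1 filled in."""
    template = resolve_association(rows, ext, verb)
    return None if template is None else template.replace("%1", target)


def open_with_descendants(tree) -> set:
    """PIDs with an OpenAs_RunDLL rundll32 ancestor: their behaviour belongs to
    whatever handler was picked in the dialog, not to the submitted file."""
    parent = {pid: ppid for pid, ppid, _ in tree}
    cmd = {pid: c for pid, _, c in tree}
    flagged = set()
    for pid, ppid in parent.items():
        while ppid is not None:
            if OPEN_WITH_RE.search(cmd[ppid]):
                flagged.add(pid)
                break
            ppid = parent[ppid]
    return flagged


if __name__ == "__main__":
    rows = parse_iocs(REGISTRY_IOCS)
    target = r"C:\Users\Admin\AppData\Local\Temp\data.bin"
    print("resolved:", handler_command_line(rows, ".bin", "Read", target))
    print("handler PIDs (not sample behaviour):", sorted(open_with_descendants(PROCESS_TREE)))
```

The resolved command line reproduces the AcroRd32.exe line in the tree character for character, which is the check that the registry writes and the Reader process are one "Open With" event rather than two independent findings.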
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 412ea4121952d5990fcb26ecededcf09
SHA1: 428b09417b992a96117ba9b3cc63bccd399e06da
SHA256: ca32c6b4053fbb49d19fc861bbca32d96992032d5f568a258c9cc748aac9ae3a
SHA512: 6c6a3d6290aa9e040b149f7070a1fb2f2d5c4baca4c8bd7beb96bb86df295e2c561562aa03d526e88ae122723fc57642a3b7f5871d58f35370a7a77e833b2cbe