34975ef04e77cc6db686cffdfefd60c2679774850547bc15b4ad45de4ff3a0c0

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Morgengnavnes/Monostomatidae/Banderol191.deb
Size

3KB
MD5

1d08dec8dde24cb16f919aa4c280b085
SHA1

82232fddf599ebd278050ef8a14388ffb8366397
SHA256

d586b372746c68e0bff05f75c09a759175aff7949a7ebc9d098d311288ab74bd
SHA512

133621bc48c8a18d792caf2673fa4da1f4dd5ac7dac85241be6ffc64726746103f1c1b001bd6017c0d85d1cc1e31cf984f22f1d037fd17392768d4db530c5b43

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.deb	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\deb_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\deb_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\deb_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\deb_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.deb\ = "deb_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\deb_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\deb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2888	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2888	AcroRd32.exe
2888	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2540	2352	cmd.exe	29
PID 2352 wrote to memory of 2540	2352	cmd.exe	29
PID 2352 wrote to memory of 2540	2352	cmd.exe	29
PID 2540 wrote to memory of 2888	2540	rundll32.exe	30
PID 2540 wrote to memory of 2888	2540	rundll32.exe	30
PID 2540 wrote to memory of 2888	2540	rundll32.exe	30
PID 2540 wrote to memory of 2888	2540	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Morgengnavnes\Monostomatidae\Banderol191.deb
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Morgengnavnes\Monostomatidae\Banderol191.deb
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Morgengnavnes\Monostomatidae\Banderol191.deb"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ec4dab7648581a2649d88a237428344c

SHA1
d62abea2098e0cd2c6c91e19f7deacc190d24d1e

SHA256
b8e2c79da397e2a99abd8221d9611f6bd7933bd181b1cff42563b10336f5da07

SHA512
426e778b2ea8047b82b723033cc69829eb97d6f07992168c228747ea0322cbbab2ac071ea48276c9c3b274a838f9bb4f992d3c1191acffc3ab1273ae49d3b088

Download Submit