Analysis

max time kernel: 24s
max time network: 19s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19/04/2024, 10:14
Behavioral task: behavioral1
Sample: 7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd.elf
Resource: win7-20240221-en
General

Target: 7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd.elf
Size: 177KB
MD5: bc9cb0dcda2adca9ef70d10f78198b4e
SHA1: 918a9f4c3a791d22cb77461a1000926d98883521
SHA256: 7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd
SHA512: f4680fea5c4c3033ff2d64871c8f727c5ba0980b7d7f88894202b103ee16f20382a77a7c7d3a8bf0a8a049cd43b2cb743bded145fd4f1e9fc0194c5ecf342dad
SSDEEP: 3072:49rNi/XEmhIjG/SMn5aYzv02q1Y6+c13oBtn7G:49rNuXDfhdMLYg1wtn7G

Malware Config

(none extracted)

Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)

description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\shell\Read | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.elf | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.elf\ = "elf_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\shell\Read\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file | rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)

pid | process
2640 | AcroRd32.exe
2640 | AcroRd32.exe
Suspicious use of WriteProcessMemory (7 IoCs)

description | pid | process | procid_target
PID 2184 wrote to memory of 2564 | 2184 | cmd.exe | 29
PID 2184 wrote to memory of 2564 | 2184 | cmd.exe | 29
PID 2184 wrote to memory of 2564 | 2184 | cmd.exe | 29
PID 2564 wrote to memory of 2640 | 2564 | rundll32.exe | 30
PID 2564 wrote to memory of 2640 | 2564 | rundll32.exe | 30
PID 2564 wrote to memory of 2640 | 2564 | rundll32.exe | 30
PID 2564 wrote to memory of 2640 | 2564 | rundll32.exe | 30
Processes

1. C:\Windows\system32\cmd.exe (PID 2184)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd.elf
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe (PID 2564)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd.elf
      Signatures: Modifies registry class; Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2640)
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd.elf"
         Signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: e72c1779e9a9d840b7eba1411dcf9013
SHA1: b82aecf08175cf994b9b811cc2947d916699dea5
SHA256: a331c616c9cc1690621f95363f8d24bdcc9b9c00692a209767d762ff367e1857
SHA512: 3a756667f78d04740b64bf6ae1aa10e68adafb2fceafa06c93fee0f1c444bd8a52869550a6b1e0368fc9a831871beed32aad5f977683f866587b8869f3f0221a