Analysis Overview
SHA256
7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd
Threat Level: Known bad
The file 7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd.elf was found to be: Known bad.
Malicious Activity Summary
Mirai family
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-19 10:14
Signatures
Mirai family
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-19 10:14
Reported
2024-04-19 10:15
Platform
win7-20240221-en
Max time kernel
24s
Max time network
19s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.elf | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\.elf\ = "elf_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\elf_auto_file | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2184 wrote to memory of 2564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2184 wrote to memory of 2564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2184 wrote to memory of 2564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2564 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2564 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2564 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2564 wrote to memory of 2640 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd.elf
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd.elf
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7e0bf0d134364afa456b6d36c133aa22647e0618d91d0ce01b459558f24f92fd.elf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| Hash | Value |
|---|---|
| MD5 | e72c1779e9a9d840b7eba1411dcf9013 |
| SHA1 | b82aecf08175cf994b9b811cc2947d916699dea5 |
| SHA256 | a331c616c9cc1690621f95363f8d24bdcc9b9c00692a209767d762ff367e1857 |
| SHA512 | 3a756667f78d04740b64bf6ae1aa10e68adafb2fceafa06c93fee0f1c444bd8a52869550a6b1e0368fc9a831871beed32aad5f977683f866587b8869f3f0221a |