24fe65718394b79c9d647247a56788d65b3027391ab9f09484705b1d57635818

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

010 Motive.pth
Size

566KB
MD5

c835ea84b5256a41cdf5c363f4068706
SHA1

88ae3a1c28bf3e1ca74c3965652637fd2abec9bb
SHA256

42d7394d8fca0f3ff0c1ae36ea2c847552480351f29c951130c4f1747e5e2616
SHA512

18bf4a6f9fdd03b2330183b6b0956352a674bfb78cd534dfd1dce2e5a93eed7582aa94d7bff3f9383f8100a0685c7f0d208581fdf12cad74b4a7b7e27ad1dfaa
SSDEEP

1536:CHhWuh7x+UQ/Vu4DE2RzLMeqRvyodqsQHh/:u7x+7/Vu4D/tLMemvyodTy

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pth_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.pth	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pth_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pth_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pth_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pth_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\pth_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.pth\ = "pth_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2432 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2432 AcroRd32.exe
2432 AcroRd32.exe

pid	process
2432	AcroRd32.exe

pid	process
2432	AcroRd32.exe
2432	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2328 wrote to memory of 2772	2328	cmd.exe	rundll32.exe
PID 2328 wrote to memory of 2772	2328	cmd.exe	rundll32.exe
PID 2328 wrote to memory of 2772	2328	cmd.exe	rundll32.exe
PID 2772 wrote to memory of 2432	2772	rundll32.exe	AcroRd32.exe
PID 2772 wrote to memory of 2432	2772	rundll32.exe	AcroRd32.exe
PID 2772 wrote to memory of 2432	2772	rundll32.exe	AcroRd32.exe
PID 2772 wrote to memory of 2432	2772	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\010 Motive.pth"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\010 Motive.pth
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\010 Motive.pth"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2432

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
f68a1023917e542a01b3977e2cef79f4

SHA1
60191e43eae54691a647344e6b7791661ffd5bf4

SHA256
bb92308e8a5e49ff098a4ecc476d0b74c7df7618da8a3d52b1368fa63a299ce3

SHA512
f77bf8bd6f1ce4d6f4108825b1e04815f5c2626da18d27b7de3c74801a9d240d6ff036c9b4b6d78a7c4c5b7145a40bc12c9b960c3338bcab2fda77647c9ee989

Download Submit