24fe65718394b79c9d647247a56788d65b3027391ab9f09484705b1d57635818

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

011 Factory Drum.smp
Size

5.9MB
MD5

d9e4ad431608cf98383a6eae4eacccfc
SHA1

027e810908464624644b8d2cf8aa7e30a310f475
SHA256

fda31e31be1e999425778157c41f636b48532282b0c0734479aa68a3371e3395
SHA512

fce5d01d3b50cd88e1b1e566ae5923e51c7bc73196ae85328f49ec632a39cd6640a0481dfee0d84bcb8ce81a828eeb6153b05dd80ee62a0a978b9f6954ba0e23
SSDEEP

98304:FPNnxvMW6kdOvYWl+Q0A1e7Fph0Km2OXgsVGVLE1d5Zie5rYINwdw19lRutmEBXO:FPNRt6kMvNl30xh9vwRVyEb+eZYINp1l

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\smp_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.smp	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.smp\ = "smp_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\smp_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\smp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\smp_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\smp_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\smp_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2680 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2680 AcroRd32.exe
2680 AcroRd32.exe

pid	process
2680	AcroRd32.exe

pid	process
2680	AcroRd32.exe
2680	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1028 wrote to memory of 2476	1028	cmd.exe	rundll32.exe
PID 1028 wrote to memory of 2476	1028	cmd.exe	rundll32.exe
PID 1028 wrote to memory of 2476	1028	cmd.exe	rundll32.exe
PID 2476 wrote to memory of 2680	2476	rundll32.exe	AcroRd32.exe
PID 2476 wrote to memory of 2680	2476	rundll32.exe	AcroRd32.exe
PID 2476 wrote to memory of 2680	2476	rundll32.exe	AcroRd32.exe
PID 2476 wrote to memory of 2680	2476	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\011 Factory Drum.smp"
1⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\011 Factory Drum.smp
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\011 Factory Drum.smp"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2680

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
660952a4b36b0f87c28b9aa5f10f63f5

SHA1
dfdc8b9236c61e64f3eff51e5b097117cf17fcf6

SHA256
12d38c02824479f7c0ba984789e47c235469467f694d25eca69dcf1e0963048d

SHA512
48a1d6ba51b401035ddd08c59eb636c9bed37621a217d191899aeb33fbbdd35c76cbbf1a427705063c9c8b402bf1480b35ba70de50d04bc4091e73d73d1b1f1e

Download Submit