914410cfcdcde6320eee4425e8062432bd98eb85db154b896d6d15ed3be80824

Analysis

max time kernel
360s
max time network
364s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

game.lua
Size

10KB
MD5

e205ff3e5ff38c40a3c32f52f8757bf7
SHA1

5edb81d72edd2e7fa920597461283fda8552534a
SHA256

05d0fdfc3ee78850da2b792fd0c88c410ee961c148994fcd503c21eb3f22e9c5
SHA512

47b915d154391dd17b32070842f1299fd492730ef009a8fb51b5c1282b61bf6fe15246121f8df93cd9cdbd542de341dfac4bfc5452cfc9b3c9425a714fe5a3ae
SSDEEP

192:8kOo3X0otBGoEonyOozSo8oVhocipoDYToKNioNdFmoWAos4oeWo0e2K0EMw1i5C:7Oo3EotgoEonyOozSo8oTojpo0ToLoRq

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\lua_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\lua_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\lua_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\lua_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\lua_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.lua	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.lua\ = "lua_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2484	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2484	AcroRd32.exe
2484	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2436	2036	cmd.exe	29
PID 2036 wrote to memory of 2436	2036	cmd.exe	29
PID 2036 wrote to memory of 2436	2036	cmd.exe	29
PID 2436 wrote to memory of 2484	2436	rundll32.exe	30
PID 2436 wrote to memory of 2484	2436	rundll32.exe	30
PID 2436 wrote to memory of 2484	2436	rundll32.exe	30
PID 2436 wrote to memory of 2484	2436	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\game.lua
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\game.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\game.lua"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7a1294797c94783108c4eaec7c8cacf0

SHA1
160fb9e8112e34b9da769f45843bfea6652bf956

SHA256
1682c602fddb0dfc9275025c2cdbfbdb672027ba136177f9629c7de707110d8d

SHA512
01987f529215501201d2440ffe7312377a493f15293263ab0c51bfcba5fa80ac28fbf2cce06ab275f7b31924d7b2bfbf0d4f3fffa36071156e0ff87a99916453

Download Submit