c3f250ab11d40bc8e68d90efa095da80a4e2c285d3d04e1c52434158345e2b47

Analysis

max time kernel
34s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CVE-2023-38831/.git/hooks/pre-receive.sample
Size

544B
MD5

2ad18ec82c20af7b5926ed9cea6aeedd
SHA1

705a17d259e7896f0082fe2e9f2c0c3b127be5ac
SHA256

a4c3d2b9c7bb3fd8d1441c31bd4ee71a595d66b44fcf49ddb310252320169989
SHA512

ee08c11fab7e896b2e09c241954ba7640338b12c75cd8040daf053c31b2f22236d7a0deac736f89d305236312fdb4f560a38d4d8debdcc9dcdd23b2d975907d5

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sample_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sample_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sample_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sample_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sample_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sample	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sample\ = "sample_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sample_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2472 AcroRd32.exe
2472 AcroRd32.exe

pid	process
2472	AcroRd32.exe
2472	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 640 wrote to memory of 2596	640	cmd.exe	rundll32.exe
PID 640 wrote to memory of 2596	640	cmd.exe	rundll32.exe
PID 640 wrote to memory of 2596	640	cmd.exe	rundll32.exe
PID 2596 wrote to memory of 2472	2596	rundll32.exe	AcroRd32.exe
PID 2596 wrote to memory of 2472	2596	rundll32.exe	AcroRd32.exe
PID 2596 wrote to memory of 2472	2596	rundll32.exe	AcroRd32.exe
PID 2596 wrote to memory of 2472	2596	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CVE-2023-38831\.git\hooks\pre-receive.sample
1⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CVE-2023-38831\.git\hooks\pre-receive.sample
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CVE-2023-38831\.git\hooks\pre-receive.sample"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2472

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
3c5ab6b25e134e2071e1bedef93b9ce2

SHA1
42556860c65fbecf01e37d058eea7c04494b2608

SHA256
742787284fb46484a76c057e32f496e81a8c22c559a45c24c5f428959ac9ba80

SHA512
c5d5c0f2258e21422ac9a4964b6f78a0e0baf1fdd87432c1cbd89bc70b98c8d7be5c8c6ed27c3cbe26188693395dd477a34b5c89bb12f87c97abdda81c9944ea

Download Submit