c3f250ab11d40bc8e68d90efa095da80a4e2c285d3d04e1c52434158345e2b47

Analysis

max time kernel
48s
max time network
16s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CVE-2023-38831/.git/hooks/fsmonitor-watchman.sample
Size

4KB
MD5

a0b2633a2c8e97501610bd3f73da66fc
SHA1

0ec0ec9ac11111433d17ea79e0ae8cec650dcfa4
SHA256

e0549964e93897b519bd8e333c037e51fff0f88ba13e086a331592bf801fa1d0
SHA512

5168643c1768ec83554a9066754507a781b6d14251a46a469222d462efc6ca87a72c90679154e8a723349c91e7772b32ac9b08dfe313cded0ee0a6f17885079e
SSDEEP

96:GFCscBOvOFXDgRvi/3UCwN4ZlkRo/j5SpoNOBoi+geBIzCa:GFCsEOmWRa8CwN4ZqRo7geEk3IzCa

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sample_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sample\ = "sample_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sample_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sample_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sample_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sample	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sample_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sample_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2704 AcroRd32.exe
2704 AcroRd32.exe

pid	process
2704	AcroRd32.exe
2704	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1652 wrote to memory of 3028	1652	cmd.exe	rundll32.exe
PID 1652 wrote to memory of 3028	1652	cmd.exe	rundll32.exe
PID 1652 wrote to memory of 3028	1652	cmd.exe	rundll32.exe
PID 3028 wrote to memory of 2704	3028	rundll32.exe	AcroRd32.exe
PID 3028 wrote to memory of 2704	3028	rundll32.exe	AcroRd32.exe
PID 3028 wrote to memory of 2704	3028	rundll32.exe	AcroRd32.exe
PID 3028 wrote to memory of 2704	3028	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CVE-2023-38831\.git\hooks\fsmonitor-watchman.sample
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CVE-2023-38831\.git\hooks\fsmonitor-watchman.sample
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CVE-2023-38831\.git\hooks\fsmonitor-watchman.sample"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2704

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
c1d0831a672eb9e5f9bcee13d3e4b4a6

SHA1
821b3fdb705240333681f6b3dee66794f31b9731

SHA256
9b5fa6e9c2aa97a3d41e7b74a2df4c0fa7b7874ebde80db77ff0886594e2ccfd

SHA512
c7f5de1658008d541db662343e8ceca199dd9a1fba937bd57a2b6d54630fbe5f23313ef6d5e6f34ec48c13a8427a6f1f4e317773ca7b84d49768f3551d6b7fe3

Download Submit