Overview

overview

7

Static

static

3

2520f6005d...18.exe

windows7-x64

7

2520f6005d...18.exe

windows10-2004-x64

7

$DESKTOP/P...ne.jad

windows7-x64

3

$DESKTOP/P...ne.jad

windows10-2004-x64

3

$DESKTOP/P...ne.jad

windows7-x64

3

$DESKTOP/P...ne.jad

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/inetc.dll

windows7-x64

3

$PLUGINSDIR/inetc.dll

windows10-2004-x64

3

PassMem.chm

windows7-x64

1

PassMem.chm

windows10-2004-x64

1

PassMem.exe

windows7-x64

1

PassMem.exe

windows10-2004-x64

1

UpdateApp.exe

windows7-x64

1

UpdateApp.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $DESKTOP/PassMemPhone.jad

  • Size

    278B

  • MD5

    40d997c13a2ba3bb6652f8a60df57f7d

  • SHA1

    7c8eeb01465f6644eb27b263830e1154162e3edc

  • SHA256

    e5a2012bbca0caa52c49d9db48736e8a922a6205d5dbae5618421e7b524c0cc0

  • SHA512

    cc7540333eb1fe267842fdabd0d3a78ba918b54fba6a0bf09a0c9b6d62b82fcce5e7341dbe32c2a7cc88791a6a9d2f34dc8efaef394176977586b3f8cdff9eab

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$DESKTOP\PassMemPhone.jad
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$DESKTOP\PassMemPhone.jad
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$DESKTOP\PassMemPhone.jad"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    94c0bbb9397326567d1148efc8f58a5a

    SHA1

    0efb62ee7bfa733d55020f9cf67fa13c89be92c9

    SHA256

    72087f3614f96b10fc5f2da6568b22da190aa60e8b8edcd26566de48e6fed9d3

    SHA512

    94b85d547bff7b600067c654d935c0a27e526b349699f09f40908c67f0c353ab8b00e572c492bd35687c85db4e13b9b1140cbf9fb6bc54be6dee69f2d45e6316

    Download Submit