Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 20:51
Static task
- static1
Behavioral tasks (task, sample, resource)
- behavioral1: sample m (1).7z, resource win7-20240419-en
- behavioral2: sample m (1).7z, resource win10v2004-20240508-en
- behavioral3: sample auto.exe, resource win7-20240221-en
- behavioral4: sample auto.exe, resource win10v2004-20240508-en
- behavioral5: sample b.a3x, resource win7-20240221-en
- behavioral6: sample b.a3x, resource win10v2004-20240426-en
- behavioral7: sample c.a3x, resource win7-20240215-en
- behavioral8: sample c.a3x, resource win10v2004-20240426-en
General
- Target: b.a3x
- Size: 23KB
- MD5: 798143857b58ea9146d2e58b5f21c25e
- SHA1: 2bd4acea5c3bf107cc6615af65d1617c847814cc
- SHA256: c3d85c05121900c93f667ff65073ef331d37e65eea9bd4c60252dba9764056a3
- SHA512: 446cedc6dcd277ee542d157f7f5a4c0f305a6aceb317ad518c6d6f15843cd525c1e52502330de494664a868f5904db164a0570bb3ff756b5e8b059a32c379b08
- SSDEEP: 384:M3//cBozUqKi8DsHqjFnKNSTYY0Rez/5QLkWN6vXiAq+7UYaiaeOaIfxVh+bJ/jd:U//vUqKFsKw0h1QL7Qvy8UYP6aIfxVgP
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description, ioc, process:
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\shell (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.a3x\ = "a3x_auto_file" (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\shell\Read (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\shell\Read\command (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\ (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.a3x (rundll32.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid, process:
  - 2608 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid, process:
  - 2608 AcroRd32.exe
  - 2608 AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description, pid process, target process:
  - PID 1976 wrote to memory of 2792: 1976 cmd.exe -> 2792 rundll32.exe
  - PID 1976 wrote to memory of 2792: 1976 cmd.exe -> 2792 rundll32.exe
  - PID 1976 wrote to memory of 2792: 1976 cmd.exe -> 2792 rundll32.exe
  - PID 2792 wrote to memory of 2608: 2792 rundll32.exe -> 2608 AcroRd32.exe
  - PID 2792 wrote to memory of 2608: 2792 rundll32.exe -> 2608 AcroRd32.exe
  - PID 2792 wrote to memory of 2608: 2792 rundll32.exe -> 2608 AcroRd32.exe
  - PID 2792 wrote to memory of 2608: 2792 rundll32.exe -> 2608 AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\b.a3x
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\b.a3x
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\b.a3x"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 7576d40e8fb417021a7c613d35ca6fd5
  SHA1: dda752dfbc5f2aa8ffff8b7f1d439b6a57a127ea
  SHA256: fea8db0f335f162b3abf83f2dadb17d1ff467b6f6dc72ddbaa2fbdad9a9b6bc7
  SHA512: a0be49583f49d1680050475317ca6860a27e478d4e4ec406fac8937d1d3bda2a9fc81e26c156d9631c78d97d1fcee07486fd6c77d5ed743e7187b8afbebb36d6