8bdabdece28081d7655553a71eb4bdb0f0ca72f0f15b14bdc0469a7bd45f570f

Resubmissions

12/05/2024, 09:39

240512-lm2qvadb35 9

12/05/2024, 09:38

240512-ll7wgaaa21 9

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 09:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

KiddionsFULL/scripts/Rank Editor.lua
Size

2KB
MD5

1dafe05e2a1ed6e3e1152c03dd80b4a0
SHA1

bdc8ca248d46eda7930d4d38b638c447312d81f5
SHA256

42edc99e023b5c29906f74444c05f35f998961aa6d86b0e6f4fd6762f2a23442
SHA512

42023e55cbec593ec0e0df27939b6fedba26eeaeca7cb657e4d7db63467a881ed8b01f4dad24f6470198120121f174378f42a9bc4dc48b0445d2d16c2a2ce340

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.lua	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.lua\ = "lua_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2572	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2572	AcroRd32.exe
2572	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2584	2020	cmd.exe	29
PID 2020 wrote to memory of 2584	2020	cmd.exe	29
PID 2020 wrote to memory of 2584	2020	cmd.exe	29
PID 2584 wrote to memory of 2572	2584	rundll32.exe	30
PID 2584 wrote to memory of 2572	2584	rundll32.exe	30
PID 2584 wrote to memory of 2572	2584	rundll32.exe	30
PID 2584 wrote to memory of 2572	2584	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\KiddionsFULL\scripts\Rank Editor.lua"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\KiddionsFULL\scripts\Rank Editor.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\KiddionsFULL\scripts\Rank Editor.lua"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
601c81c31b78ddd58dbe2738ce875c33

SHA1
ff01e2504727db26474e75d9c71d54515d66407d

SHA256
4ad2a762a8ea25a51bbd336439716e150442739aa25d4efa5caf03f71d27b5ff

SHA512
712b26ac7971228496bea82ada889c9f4a4541b48ee0618655e26b070463f83e3eac2ed86a03259d5e11b796231828626485c7f82b80ba2e6e500460f3942a06

Download Submit