30a0ca3adae2a904fa533369a5157a9e9bf93678794f405b981f15fd2676c6a0

Analysis

max time kernel
119s
max time network
131s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quest Adventure Installer/JRE/conf/security/java.security
Size

56KB
MD5

00cf40959861f61f17b90c6b6002a9a1
SHA1

982e48466428e1f49c1a5941c73afdacefd1d22e
SHA256

38166a975348862d693d95de8d676cf19cecccc45af4a1896c73c45f7bd966ef
SHA512

bad90152685279d896a4063d76dec5befe14831d3dd3260929b9a639505e898fa996b52aab3821a51c6c9aa09d956a23a8bdd870377a10e75c9399629cab5779
SSDEEP

768:rfBzVIMtipMfSSvAOUjt1p+SiIj4sjyaF/IJnoIqHihz3oFoBfCDqrsoZ9d5eDF:rIMy8SCAOUjt1p5/jCG/UoQhzYKpNnCF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\security_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\security_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\security_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\security_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\security_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.security	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.security\ = "security_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\security_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2288	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2288	AcroRd32.exe
2288	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2700	1952	cmd.exe	29
PID 1952 wrote to memory of 2700	1952	cmd.exe	29
PID 1952 wrote to memory of 2700	1952	cmd.exe	29
PID 2700 wrote to memory of 2288	2700	rundll32.exe	30
PID 2700 wrote to memory of 2288	2700	rundll32.exe	30
PID 2700 wrote to memory of 2288	2700	rundll32.exe	30
PID 2700 wrote to memory of 2288	2700	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Quest Adventure Installer\JRE\conf\security\java.security"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Quest Adventure Installer\JRE\conf\security\java.security
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Quest Adventure Installer\JRE\conf\security\java.security"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
60e8ec666f55bc7d40062bd88d51574f

SHA1
56a557e3ff7ad854207b8d85ddcd6ef05a7a0d4b

SHA256
212ba173cec578eaee4e74f7c88d96be2e60f3761b2887bb9135cf1f4791f7ea

SHA512
c00fde89d3c0171648f8134df34d1dca9a85f7ca9b04aea655236587f19b27b3e5f3bd3663343a15327951747ae07f5ca4a26c5c3d82375409488e72a3761f8b

Download Submit