Overview
overview
3Static
static
3oblivion-d...64.zip
windows7-x64
1oblivion-d...64.zip
windows10-2004-x64
1locales/af.pak
windows7-x64
3locales/af.pak
windows10-2004-x64
3locales/am.pak
windows7-x64
3locales/am.pak
windows10-2004-x64
3locales/ar.pak
windows7-x64
3locales/ar.pak
windows10-2004-x64
3locales/bg.pak
windows7-x64
3locales/bg.pak
windows10-2004-x64
3locales/bn.pak
windows7-x64
3locales/bn.pak
windows10-2004-x64
3locales/ca.pak
windows7-x64
3locales/ca.pak
windows10-2004-x64
1locales/cs.pak
windows7-x64
3locales/cs.pak
windows10-2004-x64
3locales/da.pak
windows7-x64
3locales/da.pak
windows10-2004-x64
3locales/de.pak
windows7-x64
3locales/de.pak
windows10-2004-x64
3locales/el.pak
windows7-x64
3locales/el.pak
windows10-2004-x64
3locales/en-GB.pak
windows7-x64
3locales/en-GB.pak
windows10-2004-x64
3locales/en-US.pak
windows7-x64
3locales/en-US.pak
windows10-2004-x64
3locales/es-419.pak
windows7-x64
3locales/es-419.pak
windows10-2004-x64
3locales/es.pak
windows7-x64
3locales/es.pak
windows10-2004-x64
3locales/et.pak
windows7-x64
3locales/et.pak
windows10-2004-x64
3Analysis
-
max time kernel
118s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19/05/2024, 19:52
Static task
static1
Behavioral task
behavioral1
Sample
oblivion-desktop-win-x64.zip
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
oblivion-desktop-win-x64.zip
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
locales/af.pak
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
locales/af.pak
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
locales/am.pak
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
locales/am.pak
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
locales/ar.pak
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
locales/ar.pak
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
locales/bg.pak
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
locales/bg.pak
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
locales/bn.pak
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
locales/bn.pak
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
locales/ca.pak
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
locales/ca.pak
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
locales/cs.pak
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
locales/cs.pak
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
locales/da.pak
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
locales/da.pak
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
locales/de.pak
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
locales/de.pak
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
locales/el.pak
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
locales/el.pak
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
locales/en-GB.pak
Resource
win7-20240220-en
Behavioral task
behavioral24
Sample
locales/en-GB.pak
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
locales/en-US.pak
Resource
win7-20240508-en
Behavioral task
behavioral26
Sample
locales/en-US.pak
Resource
win10v2004-20240426-en
Behavioral task
behavioral27
Sample
locales/es-419.pak
Resource
win7-20240508-en
Behavioral task
behavioral28
Sample
locales/es-419.pak
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
locales/es.pak
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
locales/es.pak
Resource
win10v2004-20240426-en
Behavioral task
behavioral31
Sample
locales/et.pak
Resource
win7-20240220-en
Behavioral task
behavioral32
Sample
locales/et.pak
Resource
win10v2004-20240426-en
General
-
Target
locales/es.pak
-
Size
473KB
-
MD5
29cbdcc2168f1bb29532122c39e67a1a
-
SHA1
f086c79d60daf2b0a7df91916387efa461795dcb
-
SHA256
232f41ab5996c917687276e82c177de208b36e77aa834bb5d94d6a331f4180fe
-
SHA512
b603edf2a18f5893ab482b0c34e4126f824fbdd1b669927d7bc30d68e2e5bdf78d7d4b2aabdbe257987e8e19f440d9396a3683340b94c3fd844c70e34e93d8a8
-
SSDEEP
6144:6kqGWOZ1+zun+V4HgspZpGrUKjs5f2rYDoRRiN6PZGMj:6BbOSSmirpKjjs5ursoRwBA
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pak\ = "pak_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pak rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2576 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2576 AcroRd32.exe 2576 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1884 wrote to memory of 2460 1884 cmd.exe 31 PID 1884 wrote to memory of 2460 1884 cmd.exe 31 PID 1884 wrote to memory of 2460 1884 cmd.exe 31 PID 2460 wrote to memory of 2576 2460 rundll32.exe 32 PID 2460 wrote to memory of 2576 2460 rundll32.exe 32 PID 2460 wrote to memory of 2576 2460 rundll32.exe 32 PID 2460 wrote to memory of 2576 2460 rundll32.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\locales\es.pak1⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\es.pak2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\es.pak"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2576
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5039b8892c445c18c1f5e5df6f56e16b5
SHA1b489e930063e3f9152d097efd5e1a5d69346a7af
SHA2567f640db8814dff7ebdf875380a94986c814ab3abd27d07b48fd718343b20aa44
SHA5128a427a668691f150673b149a17ccfb8eee12d2f53fa2c14feb93cf32152ccdde24b356410599eda250563906a50342fd61637443b285066e2bac1cc678e3c52c