e546b9e37a4e242540e67bc44473d4867483fdad0efe53f6f263a729f5f03394

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start-stop.sh
Size

1KB
MD5

54cc92a18e127f3de2e36a48ddb80d43
SHA1

16f21d570d2003cbc16fb48c4cc4574a1aa7b4f7
SHA256

61486a1970eada71b8db34287bfde79a1ae665ce441ec2f7a9b3f609e92c4186
SHA512

78f25ca63bf8210ff32e2cc9b1eb48d8d28d1d058ccc7dbe30ba527be0efb82ab639649eb2b0bbb1ce5c0d90f036199806509e3cee7a75fbfc4c62a8a90e4fdf

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.sh	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2584	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2584	AcroRd32.exe
2584	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2376	2880	cmd.exe	29
PID 2880 wrote to memory of 2376	2880	cmd.exe	29
PID 2880 wrote to memory of 2376	2880	cmd.exe	29
PID 2376 wrote to memory of 2584	2376	rundll32.exe	30
PID 2376 wrote to memory of 2584	2376	rundll32.exe	30
PID 2376 wrote to memory of 2584	2376	rundll32.exe	30
PID 2376 wrote to memory of 2584	2376	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\start-stop.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\start-stop.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\start-stop.sh"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
976119a78f30923179de976f076ef769

SHA1
1bb1abbe0a807138316114348a5f3df90b601376

SHA256
e184acf04472ce2dc26fafa67b146c515d7fe502b8eef7d9d398fb08a7951b98

SHA512
7bc38d8ac86f6644362d3851700fe6422b0b538438df86aebcd90db13245d51a1b0d971bea52955a02c7ae3d2d169f00582967f2d24733049443cdb6b5d2e682

Download Submit