a84115709978f80de7a381f914f4d5556211691ee639fb7f36d53aced0e915d5

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install-01.sh
Size

3KB
MD5

3925546845dd9eda71a3ad8d299f7063
SHA1

7b5033056845a318bf7b388ac881644628e158e1
SHA256

a84115709978f80de7a381f914f4d5556211691ee639fb7f36d53aced0e915d5
SHA512

3e1a9f10244f27a532ad66b9d8525b46f385be936a11739032c42e7d6d4044f0bcddb92cc67e6597b86f13a97f549a97fc6b7ef37ac8f896471126ec61eff11f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.sh	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\sh_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2676	AcroRd32.exe
2676	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2732	824	cmd.exe	29
PID 824 wrote to memory of 2732	824	cmd.exe	29
PID 824 wrote to memory of 2732	824	cmd.exe	29
PID 2732 wrote to memory of 2676	2732	rundll32.exe	30
PID 2732 wrote to memory of 2676	2732	rundll32.exe	30
PID 2732 wrote to memory of 2676	2732	rundll32.exe	30
PID 2732 wrote to memory of 2676	2732	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\install-01.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\install-01.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\install-01.sh"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e5282e5cd5121c7487d3b4b5848e7a58

SHA1
7172ea930cd620f3c0ffb95806d6998e652e6bd3

SHA256
a6152d7bf19dedb6ae5aa55587522894b12207d1e54b786c6dd1ff660e879963

SHA512
46a318743fd25ea43bc5ba44c5f815ebed02f597fab41873ab6567fdaa22615134613100f7ec60dc381cee234fecd5fb4672eb6b1ecdbadbd1d14f535e39f1b2

Download Submit