507641e3047216809af93a127af70a266e273cd95c1cfaa06605a753b9166388

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:33

Target

Delta V3.61/bin/modules.json
Size

639B
MD5

87b829dbc0f63d72bff5664fa2177dd9
SHA1

aaee2d27a5a0290af3f14a8a20a84667aff498fc
SHA256

df98a2a55cd20d372e43356f931a1bd5aad946b44e92f407405e9ac65539458e
SHA512

e827da6e7e4d85e328b51a2b2c1ed4db7b0b453a5cdca066b210b58c0c8d9c912e90324f45a3682450a4ee2519806eb5295226acd7ec7d40e952ce061f350318

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2728 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2728 AcroRd32.exe
2728 AcroRd32.exe

pid	process
2728	AcroRd32.exe

pid	process
2728	AcroRd32.exe
2728	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2388 wrote to memory of 2760	2388	cmd.exe	rundll32.exe
PID 2388 wrote to memory of 2760	2388	cmd.exe	rundll32.exe
PID 2388 wrote to memory of 2760	2388	cmd.exe	rundll32.exe
PID 2760 wrote to memory of 2728	2760	rundll32.exe	AcroRd32.exe
PID 2760 wrote to memory of 2728	2760	rundll32.exe	AcroRd32.exe
PID 2760 wrote to memory of 2728	2760	rundll32.exe	AcroRd32.exe
PID 2760 wrote to memory of 2728	2760	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Delta V3.61\bin\modules.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Delta V3.61\bin\modules.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Delta V3.61\bin\modules.json"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2728

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9de55abd151d85b59723821f32c7ac14

SHA1
486c7adaf4c26382ab20bfb8da4e1cacc0c7c450

SHA256
3384af2569f392afa517502d2170804176c37e20bde1d13432bcd9b6448284c5

SHA512
1a4b88511220676777503477e798d84c256f9b28fc130f2611c563e61c342cb5e800fc96e755e729ee647026fab18a421afcb6c146a6fe7c6466599336a06f59

Download Submit