ace56fea4b7af878e92fa3caa903c1dd21e0b3b43c96ba114e682afa1c2413ed

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:18

Target

Blank-Grabber-main/Blank Grabber/env/Scripts/build/Built.exe/EXE-00.toc
Size

7KB
MD5

30596a29f03d87d270b956114a18422d
SHA1

db876db8b526429bf04b54de6049acc82dc1e797
SHA256

2679130c5ed2105602791fb425f7707c15686f9449212edeaab7aa7ffb1d366e
SHA512

31198a584973c53a784ed6a59cbc086652c41020a6e3eae2118b078bf2b2acf2d6e6987535d5dcd97d6bdac2ad7623052ea4a8693a0a723a0338e3bebb279c43
SSDEEP

192:9lIQMelpgLvsExuwTiXFelbAD0+sMk+ftf6Tbh:9lvMebgLvsYErS

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\toc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\toc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.toc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.toc\ = "toc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\toc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\toc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\toc_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\toc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2780 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2780 AcroRd32.exe
2780 AcroRd32.exe

pid	process
2780	AcroRd32.exe

pid	process
2780	AcroRd32.exe
2780	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2840 wrote to memory of 2696	2840	cmd.exe	rundll32.exe
PID 2840 wrote to memory of 2696	2840	cmd.exe	rundll32.exe
PID 2840 wrote to memory of 2696	2840	cmd.exe	rundll32.exe
PID 2696 wrote to memory of 2780	2696	rundll32.exe	AcroRd32.exe
PID 2696 wrote to memory of 2780	2696	rundll32.exe	AcroRd32.exe
PID 2696 wrote to memory of 2780	2696	rundll32.exe	AcroRd32.exe
PID 2696 wrote to memory of 2780	2696	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Blank-Grabber-main\Blank Grabber\env\Scripts\build\Built.exe\EXE-00.toc"
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Blank-Grabber-main\Blank Grabber\env\Scripts\build\Built.exe\EXE-00.toc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Blank-Grabber-main\Blank Grabber\env\Scripts\build\Built.exe\EXE-00.toc"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2780

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4fae65fad10aad31796581e37e73883f

SHA1
0d2de57dca25fcd7951e916438ad31d3347dfca5

SHA256
9cd02cc24571cd869cdad2b36cd5caf39fd3ccbb81c96c48619a7a65c310b272

SHA512
ca2af6bee915e29a1b17ae512a036b43045c24e34383322c50f0ceb3847362d5d268c2e11a7862f97f2d887bfeb7b86fdd1e3eb5db06356047e4ab0970312f90

Download Submit