4d4d53b1838441f48f171c68ff21096c582492866a8fd2fa7f8e91e24cf8a0d7

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run_bepinex.sh
Size

4KB
MD5

9da2acc32ba59c3d227c9123a0d49e76
SHA1

6f5d73b1abe96eaa9608041e7c4b16e0574b7fda
SHA256

a27086fd85d5162a2ee974c453bee0cb2906c601c40053782ef26f5bccfd7602
SHA512

d5620a53a6a6e419000b7f2dcd834d28b8d214253767ab6737ba325fd8f04c4f3dbfaf52ab13d826e16d0218d3449ee94f0fa65e4924393f2bf6a74b55148397
SSDEEP

96:i97kv84Vi3VvIZkYuDZULeb18X4zw7xpUUvOI2l+4IoWlJu:iB3VvI2YyZU658X48xp1Yok

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.sh	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2636 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2636 AcroRd32.exe
2636 AcroRd32.exe

pid	process
2636	AcroRd32.exe

pid	process
2636	AcroRd32.exe
2636	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1712 wrote to memory of 2492	1712	cmd.exe	rundll32.exe
PID 1712 wrote to memory of 2492	1712	cmd.exe	rundll32.exe
PID 1712 wrote to memory of 2492	1712	cmd.exe	rundll32.exe
PID 2492 wrote to memory of 2636	2492	rundll32.exe	AcroRd32.exe
PID 2492 wrote to memory of 2636	2492	rundll32.exe	AcroRd32.exe
PID 2492 wrote to memory of 2636	2492	rundll32.exe	AcroRd32.exe
PID 2492 wrote to memory of 2636	2492	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\run_bepinex.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\run_bepinex.sh
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\run_bepinex.sh"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
b2424e0548ceb97c638a216aee5556eb

SHA1
45d229015c16db29b0ecd5173ee1c745eab18175

SHA256
bcd7ed566265b061b0490f02246195d2f9dfb58c41a52dcdd72fb9dfc20de59f

SHA512
0f33b14b63c4579e368fb1c7627be5802d5ee68b730c3986c607179fd519a6898c75456eed8c2e26454d847bf984515b191d09b42261f3c7da5f51ee52c73f7a

Download Submit