e6524a4e9e6f0bfe9681b9616b35b4554f23b3ac029c5467fdd800751dfed6dd

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

apk+.json
Size

120B
MD5

36b787064fcc4dafe1f77935108c182f
SHA1

f9286a5bb77d7beed1bd2a56712d6548df558b88
SHA256

3db6981a4026e9027af6c9409b100a8233abd1e3474116e6d32f6e6d2caf4e70
SHA512

ee881db705c98cefb8b927ffbf85f4a75be0f7da45cbe487cf61e87d3402ba45508ce970e268b419ea39c3b4d4c7958d14ad0ceca24562f586d35d2abcd83927

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2276 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2276 AcroRd32.exe
2276 AcroRd32.exe

pid	process
2276	AcroRd32.exe

pid	process
2276	AcroRd32.exe
2276	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2220 wrote to memory of 2880	2220	cmd.exe	rundll32.exe
PID 2220 wrote to memory of 2880	2220	cmd.exe	rundll32.exe
PID 2220 wrote to memory of 2880	2220	cmd.exe	rundll32.exe
PID 2880 wrote to memory of 2276	2880	rundll32.exe	AcroRd32.exe
PID 2880 wrote to memory of 2276	2880	rundll32.exe	AcroRd32.exe
PID 2880 wrote to memory of 2276	2880	rundll32.exe	AcroRd32.exe
PID 2880 wrote to memory of 2276	2880	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\apk+.json
1⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\apk+.json
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\apk+.json"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2276

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
522d70e81fca5a44bcc5513869a81938

SHA1
400bbee6315fb50e2fec61ae1917cf9259fc4318

SHA256
d04e9135992062ce9a4ab782b917063d394a7132275974d8651b2851eb82ef12

SHA512
cd171eec6caec4010388d6df77ae4013b47778731a07fc18912aa76d8df2d2a8980f88a8a58bb994b164c83d75c2a68189ce1fe3ebbee6f387d30d5b2484535d

Download Submit