Overview

Static            7
apk+.json         windows7-x64          1
apk+.json         windows10-2004-x64    3
base.apk          android-9-x86         3
base.apk          android-10-x64        7
base.apk          android-11-x64        7
split_config.es.apk   android-9-x86     7
split_config.es.apk   android-10-x64
split_config.es.apk   android-11-x64
split_conf...pi.apk   android-9-x86
split_conf...pi.apk   android-10-x64
split_conf...pi.apk   android-11-x64
Analysis

max time kernel: 118s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 05:43
Static task: static1

Behavioral tasks:
task            sample                     resource
behavioral1     apk+.json                  win7-20240221-en
behavioral2     apk+.json                  win10v2004-20240508-en
behavioral3     base.apk                   android-x86-arm-20240514-en
behavioral4     base.apk                   android-x64-20240514-en
behavioral5     base.apk                   android-x64-arm64-20240514-en
behavioral6     split_config.es.apk        android-x86-arm-20240514-en
behavioral7     split_config.es.apk        android-x64-20240514-en
behavioral8     split_config.es.apk        android-x64-arm64-20240514-en
behavioral9     split_config.xxhdpi.apk    android-x86-arm-20240514-en
behavioral10    split_config.xxhdpi.apk    android-x64-20240514-en
behavioral11    split_config.xxhdpi.apk    android-x64-arm64-20240514-en
General

Target: apk+.json
Size: 120B
MD5: 36b787064fcc4dafe1f77935108c182f
SHA1: f9286a5bb77d7beed1bd2a56712d6548df558b88
SHA256: 3db6981a4026e9027af6c9409b100a8233abd1e3474116e6d32f6e6d2caf4e70
SHA512: ee881db705c98cefb8b927ffbf85f4a75be0f7da45cbe487cf61e87d3402ba45508ce970e268b419ea39c3b4d4c7958d14ad0ceca24562f586d35d2abcd83927
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description        ioc                                                                                              process
  Key created        \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json                        rundll32.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.json\ = "json_auto_file"    rundll32.exe
  Key created        \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read    rundll32.exe
  Key created        \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell         rundll32.exe
  Key created        \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings               rundll32.exe
  Key created        \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file               rundll32.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\              rundll32.exe
  Key created        \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command    rundll32.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""    rundll32.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid     process
  2276    AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid     process
  2276    AcroRd32.exe
  2276    AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description                    pid     process         target process
  PID 2220 wrote to memory of 2880    2220    cmd.exe         rundll32.exe
  PID 2220 wrote to memory of 2880    2220    cmd.exe         rundll32.exe
  PID 2220 wrote to memory of 2880    2220    cmd.exe         rundll32.exe
  PID 2880 wrote to memory of 2276    2880    rundll32.exe    AcroRd32.exe
  PID 2880 wrote to memory of 2276    2880    rundll32.exe    AcroRd32.exe
  PID 2880 wrote to memory of 2276    2880    rundll32.exe    AcroRd32.exe
  PID 2880 wrote to memory of 2276    2880    rundll32.exe    AcroRd32.exe
Processes

1. C:\Windows\system32\cmd.exe
   command line: cmd /c C:\Users\Admin\AppData\Local\Temp\apk+.json
   PID: 2220
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\apk+.json
      PID: 2880
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\apk+.json"
         PID: 2276
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize: 3KB
MD5: 522d70e81fca5a44bcc5513869a81938
SHA1: 400bbee6315fb50e2fec61ae1917cf9259fc4318
SHA256: d04e9135992062ce9a4ab782b917063d394a7132275974d8651b2851eb82ef12
SHA512: cd171eec6caec4010388d6df77ae4013b47778731a07fc18912aa76d8df2d2a8980f88a8a58bb994b164c83d75c2a68189ce1fe3ebbee6f387d30d5b2484535d