0fad84a66e789895541c399d1d99837fe07ec6ad2be3e6c18dd22a91c99d8290

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shell.sh
Size

42B
MD5

7a6db3faa9d1512ab3c1cfc2cfde7f98
SHA1

cbd20b89a1b53593e8262cc795fa2a2b6c77a752
SHA256

0fad84a66e789895541c399d1d99837fe07ec6ad2be3e6c18dd22a91c99d8290
SHA512

fc10d4f37bbab738668c5da22a94e39dbdddeff9afcaed6b4dda65d60d148d6a2f57d591d039b12921ea54cbd9bf6e38edccf809099d7931211cad9848a27c8e

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\sh_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\sh_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.sh	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2532	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2532	AcroRd32.exe
2532	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2736	2164	cmd.exe	29
PID 2164 wrote to memory of 2736	2164	cmd.exe	29
PID 2164 wrote to memory of 2736	2164	cmd.exe	29
PID 2736 wrote to memory of 2532	2736	rundll32.exe	30
PID 2736 wrote to memory of 2532	2736	rundll32.exe	30
PID 2736 wrote to memory of 2532	2736	rundll32.exe	30
PID 2736 wrote to memory of 2532	2736	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\shell.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\shell.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\shell.sh"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
34f387a19c65bbe32f76414afd4271a6

SHA1
ca66a098737aee7403823dba09c84fedf8d0be0b

SHA256
758215b26889dcfbabc1b37d27093ec8812719dbcb3f396fc86d67a9c20ab808

SHA512
a459f4467111555baffcec6f3d79e565ed2a1751fd39e7878d2335003b0f0c6c13ae74dff7505899400620d8d4460cc9e1a72a1b63dc12a8e31ca9d22050e7a8

Download Submit