Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 12:24
Static task
- static1
Behavioral task
- behavioral1
  Sample: watchApplication.sh
  Resource: win7-20240221-en
- behavioral2
  Sample: watchApplication.sh
  Resource: win10v2004-20240426-en
General
- Target: watchApplication.sh
- Size: 300B
- MD5: 8a9b2484a0cb5fe83206e5a688d46416
- SHA1: ab07dde19241c8d96af63023d139a680e7597bef
- SHA256: c41e1cbd8b73e7299d918636687586ad358d3165f2485a5d1b126faa5e812dff
- SHA512: 2a66184b1fb8b85b104222532720e33e7155286376e05d89996ea5691d1d78a52b27da41f198c24b5c69d68494ebfbc4b27ec45278d8baa006140e0376e97d0f
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sh_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sh_auto_file\ | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sh\ = "sh_auto_file" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sh_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.sh | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sh_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\sh_auto_file\shell | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2368 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2368 | AcroRd32.exe
  2368 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2844 wrote to memory of 2564 | 2844 | cmd.exe | 29
  PID 2844 wrote to memory of 2564 | 2844 | cmd.exe | 29
  PID 2844 wrote to memory of 2564 | 2844 | cmd.exe | 29
  PID 2564 wrote to memory of 2368 | 2564 | rundll32.exe | 30
  PID 2564 wrote to memory of 2368 | 2564 | rundll32.exe | 30
  PID 2564 wrote to memory of 2368 | 2564 | rundll32.exe | 30
  PID 2564 wrote to memory of 2368 | 2564 | rundll32.exe | 30
Processes
- C:\Windows\system32\cmd.exe (PID 2844)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\watchApplication.sh
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2564, child of PID 2844)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\watchApplication.sh
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2368, child of PID 2564)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\watchApplication.sh"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: b60376bc654cabf5499014bbb0be5c02
  SHA1: d3ce70eb2be25316b05ab2361e9558a90fcf7674
  SHA256: a09a2909006a828f811201ef0c921e0d89c60c4ce3ed61e47875c887da0d4e22
  SHA512: d2de84bc73fcb92a08dc1b47dd781c2fd942b7e56e12ee0e4c1cf197cb0aeb0648e764697aa2913ffd571ef68669ba7366de4ae6c22c2bb6d9686d45a24c2571