0ba75e731377c4f2f1b9f9eeec3abcdca3e94c4096eab6db777bc8d46f9ebf33

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01 PROCESO JUDICIAL/urticaria.yml
Size

77KB
MD5

06e9db95890d8424c2584a15f155eb1d
SHA1

71f980a18d2321ac084284c87116446bc6cf7dbf
SHA256

32ebc34d97ad56a39847090cfb633b34b7eb069f810a1f0bb67459d3abcf3a14
SHA512

b77ee91f525da4262a70b51b7ea892565282f3f7464cf8065c9a96ba6056e5472f7c9309476580d8949cb0be22fc0600002a1b943356cb7bc9cea485a4a39274
SSDEEP

1536:pTjgOL4cuK7QZdQFV2pcbP+NMG8KzpSeOLgNjk/h:pTkOVZ7QZdoVIcbP2bcgk5

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\yml_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\yml_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\yml_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.yml	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.yml\ = "yml_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\yml_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\yml_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\yml_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2656 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2656 AcroRd32.exe
2656 AcroRd32.exe

pid	process
2656	AcroRd32.exe

pid	process
2656	AcroRd32.exe
2656	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 3016 wrote to memory of 2652	3016	cmd.exe	rundll32.exe
PID 3016 wrote to memory of 2652	3016	cmd.exe	rundll32.exe
PID 3016 wrote to memory of 2652	3016	cmd.exe	rundll32.exe
PID 2652 wrote to memory of 2656	2652	rundll32.exe	AcroRd32.exe
PID 2652 wrote to memory of 2656	2652	rundll32.exe	AcroRd32.exe
PID 2652 wrote to memory of 2656	2652	rundll32.exe	AcroRd32.exe
PID 2652 wrote to memory of 2656	2652	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL\urticaria.yml"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL\urticaria.yml
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL\urticaria.yml"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2656

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
0ea1a9f2fb10d07188e3389a84798727

SHA1
2abdf39ef9dec495dbbce06654ccf7cdc06ad625

SHA256
2534d2559833c61068297dd6190f8427df5a407f39d810e429730ca723962427

SHA512
b895667253c2b69837852b98cfce6fc9ebc9c8c11ebdd489347c5a52158d1e8d2d9c8badaba556df2b18c89df3401efad959d5fb0aa91e1b605879bdcc1ed2c4

Download Submit