bbe1db5f65c6bebc6081b7e7fdc5144a23d58e5190ef363911bd0099c60e75ee

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

flpshop.sh
Size

90B
MD5

35c1e803e50ddef26fcb4f1907442939
SHA1

fd662a507988dd7a79dd09339bbc3d42b3edd16a
SHA256

bbe1db5f65c6bebc6081b7e7fdc5144a23d58e5190ef363911bd0099c60e75ee
SHA512

0055d61f33af34d40cd6b3d6ac73cd1a326cae509befb09722eeca8912ac83c1dadea22de002844ec6270d7ab812db693b5e8e0ceb8b6343a820befd5da7693a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sh_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sh_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.sh	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\sh_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2948	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2948	AcroRd32.exe
2948	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2536	2900	cmd.exe	29
PID 2900 wrote to memory of 2536	2900	cmd.exe	29
PID 2900 wrote to memory of 2536	2900	cmd.exe	29
PID 2536 wrote to memory of 2948	2536	rundll32.exe	30
PID 2536 wrote to memory of 2948	2536	rundll32.exe	30
PID 2536 wrote to memory of 2948	2536	rundll32.exe	30
PID 2536 wrote to memory of 2948	2536	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\flpshop.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\flpshop.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\flpshop.sh"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3b4c3d8a760718ce4eedc2cae73c9d95

SHA1
6cf1778bd088e7d7868e04a93e9f29dab6f8db02

SHA256
fa6ad033704fa5ac4029c730438c82b1f0ead6a8ee3636b617bb4bd66c084f76

SHA512
184d57a4c2f5f957dadb2d5ada97ff78a7d91d010242c44952e22f526f9d272c6c15e4dec35f2a18fa08e748c37c29938a64c07961606e0298849f59f7074654

Download Submit