Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-05-2024 18:22
Static task
- static1
Behavioral task
- behavioral1: sample cool.php, resource win7-20240215-en
- behavioral2: sample cool.php, resource win10v2004-20240426-en
General
- Target: cool.php
- Size: 5B
- MD5: cb5e100e5a9a3e7f6d1fd97512215282
- SHA1: 11f9578d05e6f7bb58a3cdd00107e9f4e3882671
- SHA256: ca00fccfb408989eddc401062c4d1219a6aceb6b9b55412357f1790862e8f178
- SHA512: 6a162d143889f5200e64400bc53e6b998bdfcf5d7600b633ede12a67ad24efccecff529ebe472963ad738bb7c463a158938d2f681f238e21c0d6f795f4fd1d87
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Process: rundll32.exe (PID 2568). All nine writes go to the per-user Classes hive \REGISTRY\USER\<SID>_CLASSES (the HKCU\Software\Classes view), so the new .php association applies to this user only and needs no admin rights.
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.php\ = "php_auto_file"
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\shell\Read\command
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\ (data not shown in the report)
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.php
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\shell\Read
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\shell
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: AcroRd32.exe (PID 2660)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe (PID 2660), 2 hits
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1680 cmd.exe wrote to memory of PID 2568 rundll32.exe (3 hits)
  PID 2568 rundll32.exe wrote to memory of PID 2660 AcroRd32.exe (4 hits)
  Both entries are a parent writing into a child it has just created, which is normal for a CreateProcess launch; on their own they are not evidence of injection.
Processes
- C:\Windows\system32\cmd.exe (PID 1680)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\cool.php
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2568), child of 1680
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cool.php
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2660), child of 2568
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cool.php"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Reading the chain: cmd /c on a file with no registered handler makes the shell raise the "Open With" dialog (shell32's OpenAs_RunDLL export). The handler chosen there, Adobe Reader, is written into the user's Classes hive as the .php association and then launched on the file. Nothing in the trace executes the 5-byte sample as PHP; it is only opened in Adobe Reader.
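A triage check for the chain above, added here as an example and not code from the sandbox or the report: it reconstructs the rundll32 OpenAs_RunDLL launch and the per-user .php association from event records constructed out of this report's process tree and registry IoCs. The dict-based event format and its field names (pid, ppid, image, cmdline, key, data) are assumptions standing in for Sysmon process-creation and registry value-set records.

```python
"""Triage check for the "Open With" chain seen in this report.

Added example, not sandbox or vendor code. Events below are constructed from
the report's process tree and registry IoCs in a simplified dict form; the
field names are assumptions, not Sysmon's schema.
"""
import re

# Constructed from the report's process tree (process-creation events).
PROCESS_EVENTS = [
    {"pid": 1680, "ppid": 0,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\cool.php"},
    {"pid": 2568, "ppid": 1680,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cool.php'},
    {"pid": 2660, "ppid": 2568,
     "image": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cool.php"'},
]

# Constructed from the report's "Modifies registry class" IoCs (value-set events).
# The trailing backslash the report prints denotes the key's default value.
USER_CLASSES = r"\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES"
REGISTRY_EVENTS = [
    {"pid": 2568, "key": USER_CLASSES + r"\.php", "data": "php_auto_file"},
    {"pid": 2568, "key": USER_CLASSES + r"\php_auto_file\shell\Read\command",
     "data": r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1"'},
]

OPENAS_RE = re.compile(r"shell32\.dll,\s*OpenAs_RunDLL\s+(.+)$", re.IGNORECASE)
USER_CLASSES_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)_CLASSES\\(.+)$", re.IGNORECASE)


def find_openas_chains(events):
    """Return one record per handler process spawned by a rundll32 OpenAs_RunDLL launch."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    chains = []
    for e in events:
        m = OPENAS_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip().strip('"')
        for child in children.get(e["pid"], []):
            chains.append({
                "rundll32_pid": e["pid"],
                "parent": by_pid.get(e["ppid"], {}).get("image"),
                "target": target,
                "handler": child["image"],
                "handler_pid": child["pid"],
            })
    return chains


def find_user_assoc_writes(reg_events):
    r"""Map extension -> (progid, verb, command) from writes under HKU\<SID>_CLASSES.

    Only the per-user Classes hive is considered: writes there change what opens
    a file type for that user without touching HKLM or needing admin rights.
    """
    progid_by_ext, command_by_progid = {}, {}
    for e in reg_events:
        m = USER_CLASSES_RE.match(e["key"])
        if not m:
            continue
        parts = m.group(2).split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            progid_by_ext[parts[0].lower()] = e["data"]          # .ext -> progid
        elif len(parts) >= 4 and parts[1].lower() == "shell" and parts[-1].lower() == "command":
            command_by_progid[parts[0]] = (parts[2], e["data"])  # progid -> (verb, command)
    return {ext: (progid,) + command_by_progid.get(progid, (None, None))
            for ext, progid in progid_by_ext.items()}


def assess(proc_events, reg_events):
    """Combine both views into findings; each string is one line for a triage note."""
    findings = []
    assoc = find_user_assoc_writes(reg_events)
    for chain in find_openas_chains(proc_events):
        name = chain["target"].rsplit("\\", 1)[-1]
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        handler = chain["handler"].rsplit("\\", 1)[-1]
        findings.append(
            f"OpenAs_RunDLL on {chain['target']} (rundll32 pid {chain['rundll32_pid']}, "
            f"parent {chain['parent']}) launched {handler} pid {chain['handler_pid']}")
        if ext in assoc:
            progid, verb, command = assoc[ext]
            findings.append(
                f"per-user association written: {ext} -> {progid} ({verb}: {command}); "
                f"{ext} files now open with {handler} for this user")
    return findings


if __name__ == "__main__":
    for line in assess(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(line)
```

On this report the two findings describe benign sandbox behaviour: the handler is a document reader picked through the "Open With" dialog and the file is never interpreted. The same chain becomes worth a look when the handler written for a script extension is a script engine or an unexpected binary, or when the process starting the OpenAs_RunDLL launch is not an interactive shell.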
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 983e874ffc5ed8c51bf9828473f66f5a
  SHA1: e1b2f0b4b229015afa35339dbb6974b709560823
  SHA256: 198a0654740ffbba02c7a5667ae029e5769ef905ff16e2a80f9e57e39567126c
  SHA512: cb60703b883646e1078b9ee2bfe5422a077f79f5ed39cb16fdcb6ff6cf9aab16e5361f5205444e264e09c883401f5cb85abd1047c3e3161e246b94af7b55690b