ca00fccfb408989eddc401062c4d1219a6aceb6b9b55412357f1790862e8f178

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cool.php
Size

5B
MD5

cb5e100e5a9a3e7f6d1fd97512215282
SHA1

11f9578d05e6f7bb58a3cdd00107e9f4e3882671
SHA256

ca00fccfb408989eddc401062c4d1219a6aceb6b9b55412357f1790862e8f178
SHA512

6a162d143889f5200e64400bc53e6b998bdfcf5d7600b633ede12a67ad24efccecff529ebe472963ad738bb7c463a158938d2f681f238e21c0d6f795f4fd1d87

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.php\ = "php_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.php	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\php_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2660 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2660 AcroRd32.exe
2660 AcroRd32.exe

pid	process
2660	AcroRd32.exe

pid	process
2660	AcroRd32.exe
2660	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1680 wrote to memory of 2568	1680	cmd.exe	rundll32.exe
PID 1680 wrote to memory of 2568	1680	cmd.exe	rundll32.exe
PID 1680 wrote to memory of 2568	1680	cmd.exe	rundll32.exe
PID 2568 wrote to memory of 2660	2568	rundll32.exe	AcroRd32.exe
PID 2568 wrote to memory of 2660	2568	rundll32.exe	AcroRd32.exe
PID 2568 wrote to memory of 2660	2568	rundll32.exe	AcroRd32.exe
PID 2568 wrote to memory of 2660	2568	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\cool.php
1⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\cool.php
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\cool.php"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
983e874ffc5ed8c51bf9828473f66f5a

SHA1
e1b2f0b4b229015afa35339dbb6974b709560823

SHA256
198a0654740ffbba02c7a5667ae029e5769ef905ff16e2a80f9e57e39567126c

SHA512
cb60703b883646e1078b9ee2bfe5422a077f79f5ed39cb16fdcb6ff6cf9aab16e5361f5205444e264e09c883401f5cb85abd1047c3e3161e246b94af7b55690b

Download Submit