Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27/05/2024, 11:40
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: update2.sh, resource: win7-20240221-en)
- Behavioral task: behavioral2 (sample: update2.sh, resource: win10v2004-20240508-en)
General
- Target: update2.sh
- Size: 499B
- MD5: 90a08378ad670dd9c974d0d638a03cf1
- SHA1: 76f0c87b925e5d4b0b606e3ecbd3929f7538ac30
- SHA256: 0ae12fe3bc8ca1cfbe660f79254dd8b20db735c58ebd087fc37bac099ff6b874
- SHA512: 0f8cd91efda7375536ec26e83e09892c540ada0ef21bc600ae0110c747b97174d6cb27f7109d54d820ea36523c56f0f5bda58d132320584e600068818f52724d
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  description: ioc (process)
  - Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.sh (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell\Read (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell\Read\command (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\ (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file (rundll32.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.sh\ = "sh_auto_file" (rundll32.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / process
  - 2716 AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / process
  - 2716 AcroRd32.exe
  - 2716 AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description / pid / process / procid_target
  - PID 2600 wrote to memory of 2540 / 2600 / cmd.exe / 29
  - PID 2600 wrote to memory of 2540 / 2600 / cmd.exe / 29
  - PID 2600 wrote to memory of 2540 / 2600 / cmd.exe / 29
  - PID 2540 wrote to memory of 2716 / 2540 / rundll32.exe / 30
  - PID 2540 wrote to memory of 2716 / 2540 / rundll32.exe / 30
  - PID 2540 wrote to memory of 2716 / 2540 / rundll32.exe / 30
  - PID 2540 wrote to memory of 2716 / 2540 / rundll32.exe / 30
Processes
- C:\Windows\system32\cmd.exe (depth 1, PID 2600)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\update2.sh
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (depth 2, PID 2540)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\update2.sh
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3, PID 2716)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\update2.sh"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 1b495af4aec827fa8396be0aa4b5df08
  SHA1: c8ee688937f51ee1cd197f97be83bf01369c2c85
  SHA256: 67baf45a75623383e725227303dfc1951b207f75e345ccd57a32cca5ee874bca
  SHA512: 43a574b71f5af4113b8e3fec48a9736cee92a98eca3e503d8ce57d5fd8d659c6dbd3c5a61b9a1d0135f6da99803d7dac195acd64809c459dc8ae649ee079de9f