7c466c3a0668cc8ac5a189a374d8e8544c05d53f12c7f84516a5fa5b0ded8244

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Moon-Predictor-v2-main/README.md
Size

1KB
MD5

1dfba5f607e58b75a1e52f824cc0fd63
SHA1

5251484e4ba429287bf7397ecda1eca20b4e10f1
SHA256

957adc7f48441c002cc653452755b4b3a5aa90d0a5740fb97e83e646a179618c
SHA512

06144dd9094a5ac775dcae1486a5c2948f80e4a1eb5084302ae80ed8b108124cb7a41d242fc8e28c30d96a68f3a9ce231c79b51b1f396940b6346eafc2a86fbc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.md	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.md\ = "md_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\md_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2784 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2784 AcroRd32.exe
2784 AcroRd32.exe

pid	process
2784	AcroRd32.exe

pid	process
2784	AcroRd32.exe
2784	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1464 wrote to memory of 2976	1464	cmd.exe	rundll32.exe
PID 1464 wrote to memory of 2976	1464	cmd.exe	rundll32.exe
PID 1464 wrote to memory of 2976	1464	cmd.exe	rundll32.exe
PID 2976 wrote to memory of 2784	2976	rundll32.exe	AcroRd32.exe
PID 2976 wrote to memory of 2784	2976	rundll32.exe	AcroRd32.exe
PID 2976 wrote to memory of 2784	2976	rundll32.exe	AcroRd32.exe
PID 2976 wrote to memory of 2784	2976	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Moon-Predictor-v2-main\README.md
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Moon-Predictor-v2-main\README.md
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Moon-Predictor-v2-main\README.md"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2784

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
85206a922344ee4fee26b328a7cb74a5

SHA1
db759e16d96f7d7c6f9424464bdb6dc292f9c511

SHA256
16da866fb6694917b2e27dcd993273192d94e05084460e74f1d63d258d72aea5

SHA512
932414aea0cf3d74f199b3abeaca581c2c0c3258ce7e49bc02ecb5bb0bed22a2a0691b3ddbfa332087a4dc021c3659ca523fd8e879c629aaad32ae521631ed2d

Download Submit