83c86d01e5a4dcc864ad8200c0fbcff4e16802d8aa63b76aba76a8a63ec48376

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

start.sh
Size

86B
MD5

0a8d9c1f65c22092e4bf0e7287ecd8f6
SHA1

7b5398335eed48b540653ac76ba365bcbee810e6
SHA256

83c86d01e5a4dcc864ad8200c0fbcff4e16802d8aa63b76aba76a8a63ec48376
SHA512

eeb8790c3beed2842ce2090a4817bb3f28092d9f77566b7ca23623b6c3f34fb05af3510615b437a8967cd202af8646db1e1895082bc19164da96bd8a7ec6ce69

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\.sh	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\sh_auto_file\	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2420	AcroRd32.exe
2420	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2520	2160	cmd.exe	29
PID 2160 wrote to memory of 2520	2160	cmd.exe	29
PID 2160 wrote to memory of 2520	2160	cmd.exe	29
PID 2520 wrote to memory of 2420	2520	rundll32.exe	30
PID 2520 wrote to memory of 2420	2520	rundll32.exe	30
PID 2520 wrote to memory of 2420	2520	rundll32.exe	30
PID 2520 wrote to memory of 2420	2520	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\start.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\start.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\start.sh"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f8042f3f10aa6c746d25b3ba2695935b

SHA1
3fec19947fd0e9ddd6ef301fe4da1bccf05e01bc

SHA256
ed9047b79a743aace1e4d34328ccbac88300385cc2c889a38368e86d56ebef8e

SHA512
660f40dcf5a767adcb5a5426ec241048505764b080791f3516e0747cd1f5a61e62f022cb14c43b19100c9efeea0fdcfc1f9f3e207c8fc91406ec6fd4c7ce79b7

Download Submit