Resubmissions
28-05-2024 15:19
240528-sqcz8abb79 328-05-2024 15:16
240528-snkx2sbb37 328-05-2024 15:15
240528-sm889aaa6y 3Analysis
-
max time kernel
44s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-05-2024 15:16
Static task
static1
Behavioral task
behavioral1
Sample
Autoit3.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
Autoit3.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
script.a3x
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
script.a3x
Resource
win10v2004-20240426-en
General
-
Target
script.a3x
-
Size
547KB
-
MD5
dfa96717b69fa69d264a60b9de36f078
-
SHA1
b18dd41bcdc7a75a4b505cbdfb337cf19a2934d8
-
SHA256
493fb733897f4c3d7adf01d663e711e2e47240bfdf5b99abd230aa809f43a8cf
-
SHA512
5772cdac81361297d72f620e23068da8180fce09935340caaf279b6719f446ad3fd85dfc3004258e943092a73f914b84f9a12ef85630ac32410d1a7ddd3b41c7
-
SSDEEP
12288:NeZu+gIZHxCQ4bamk1FNTVRppgU+ehWwhz5u6+c5zzq:VqRCQ4RU7ppgK35t+cdO
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.a3x rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.a3x\ = "a3x_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\a3x_auto_file rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2292 AcroRd32.exe 2292 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2856 wrote to memory of 2536 2856 cmd.exe 29 PID 2856 wrote to memory of 2536 2856 cmd.exe 29 PID 2856 wrote to memory of 2536 2856 cmd.exe 29 PID 2536 wrote to memory of 2292 2536 rundll32.exe 30 PID 2536 wrote to memory of 2292 2536 rundll32.exe 30 PID 2536 wrote to memory of 2292 2536 rundll32.exe 30 PID 2536 wrote to memory of 2292 2536 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\script.a3x1⤵
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\script.a3x2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\script.a3x"3⤵
- Suspicious use of SetWindowsHookEx
PID:2292
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59195ffc44eb098d59e98be560c8d9abc
SHA158bde5ffd157217747fb7546359801cf7857a813
SHA256ae36883ff88d7fa46078b9ce49a23976ae8c328e3a3647d27ecf877021bfbf68
SHA512525261bded74625704676c8f6740418308a3a6805c561f5db050f34b5cdfab6626c2f2c878d10c57f543502889ec36b53c291bc70760e285667be179551f2e22