Resubmissions

01/06/2024, 10:55

240601-mz4lmsbd45 1

Analysis

  • max time kernel
    1565s
  • max time network
    1567s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01/06/2024, 11:00

General

  • Target

    linux.sh

  • Size

    314B

  • MD5

    c8eb421ad68efe174d0f7ef0c2e5a205

  • SHA1

    0e769cb5d0be585be860140057f34b45ead449e5

  • SHA256

    6730f5a35c9565db033f981866d13dbba63712cc56e9194cfe180f87480654a3

  • SHA512

    ef76961a2a38b9a37112f38f9fe38860dd096b314343ac48acc3096565a55aef50dafc82335e3a1ef1e1505c6a2e1abc124ddfee40874d33f863ac6162afa6b1

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\linux.sh
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\linux.sh
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\linux.sh"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    6b7170f22b29e09d3faf7a40bb40e12f

    SHA1

    7d2f190a1a4ca32e457489d94313220f30b8480e

    SHA256

    37f3d40a3a331a11fb3e180aaaf0c1d23039e8e857429c591753bad0fc4fb7ba

    SHA512

    f81afcc8004b16077a1f58577d6331b005b04fbaf3a4759b5004bab9e8eb5d316e6e6125f4725088fd1702137a10524523e341135548faa8ea46d328167a2853