Resubmissions
01/06/2024, 10:55
240601-mz4lmsbd45
Analysis
- max time kernel: 1565s
- max time network: 1567s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 01/06/2024, 11:00
Static task: static1
Behavioral task: behavioral1
- Sample: linux.sh
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: linux.sh
- Resource: win10v2004-20240426-en
General
- Target: linux.sh
- Size: 314B
- MD5: c8eb421ad68efe174d0f7ef0c2e5a205
- SHA1: 0e769cb5d0be585be860140057f34b45ead449e5
- SHA256: 6730f5a35c9565db033f981866d13dbba63712cc56e9194cfe180f87480654a3
- SHA512: ef76961a2a38b9a37112f38f9fe38860dd096b314343ac48acc3096565a55aef50dafc82335e3a1ef1e1505c6a2e1abc124ddfee40874d33f863ac6162afa6b1
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell\Read\command | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.sh | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\ | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.sh\ = "sh_auto_file" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | rundll32.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2576 | AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2576 | AcroRd32.exe
  2576 | AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2932 wrote to memory of 2592 | 2932 | cmd.exe | 29
  PID 2932 wrote to memory of 2592 | 2932 | cmd.exe | 29
  PID 2932 wrote to memory of 2592 | 2932 | cmd.exe | 29
  PID 2592 wrote to memory of 2576 | 2592 | rundll32.exe | 30
  PID 2592 wrote to memory of 2576 | 2592 | rundll32.exe | 30
  PID 2592 wrote to memory of 2576 | 2592 | rundll32.exe | 30
  PID 2592 wrote to memory of 2576 | 2592 | rundll32.exe | 30
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\linux.sh
  PID: 2932
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\linux.sh
    PID: 2592
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\linux.sh"
      PID: 2576
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
- MD5: 6b7170f22b29e09d3faf7a40bb40e12f
- SHA1: 7d2f190a1a4ca32e457489d94313220f30b8480e
- SHA256: 37f3d40a3a331a11fb3e180aaaf0c1d23039e8e857429c591753bad0fc4fb7ba
- SHA512: f81afcc8004b16077a1f58577d6331b005b04fbaf3a4759b5004bab9e8eb5d316e6e6125f4725088fd1702137a10524523e341135548faa8ea46d328167a2853