670c3c11677386167bdc685d2a25a97751ffef4c89ddacc230af2d7021b8200b

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 10:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

net8.0/Spoofer Base.runtimeconfig.json
Size

340B
MD5

253333997e82f7d44ea8072dfae6db39
SHA1

03b9744e89327431a619505a7c72fd497783d884
SHA256

28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306
SHA512

56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.json	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2636	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2636	AcroRd32.exe
2636	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2256	3040	cmd.exe	29
PID 3040 wrote to memory of 2256	3040	cmd.exe	29
PID 3040 wrote to memory of 2256	3040	cmd.exe	29
PID 2256 wrote to memory of 2636	2256	rundll32.exe	30
PID 2256 wrote to memory of 2636	2256	rundll32.exe	30
PID 2256 wrote to memory of 2636	2256	rundll32.exe	30
PID 2256 wrote to memory of 2636	2256	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\net8.0\Spoofer Base.runtimeconfig.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\net8.0\Spoofer Base.runtimeconfig.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\net8.0\Spoofer Base.runtimeconfig.json"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0d162b85a15522e1b4a5b718d7b197c8

SHA1
d7c15a564165665e9bc107397d06a93f3aa2557f

SHA256
e911ec1866f964dc94c6fcd6c6aa1a098c53ac10726da8d1b2ef53256937b34c

SHA512
e58b7aed1875f698359a7d82ec930d87edbc4528057f3fe65464bb6b0a11e05c322d11892ea05472f00567263e461efb17946e20694f07b57c399812ce19dbb5

Download Submit