ceff46da586622eec2d85705082b12ae8af0e9cde91f573b8aa2d6edefd7207c

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x - Ware src/Uptime/Frozen/Backend/OnLeave.cs
Size

816B
MD5

a5a340c5f037e6dc1a98d542676e5f3c
SHA1

a4d0da5c84dded4aefea72ea0c86809c64b864b4
SHA256

1bc323ce1c6dc730a9c25dc7a32133191ff255a1bfcdd872a09ca6d85b91cbf3
SHA512

a29ca8f00ca551292515284fdce43dd9c3d57fb3ba3945c7f5fd3160160f507119661c540cf7f71dbceaf4c4d523b86b72f1a6a881ad6f6adb915a07571802a4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2376	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2376	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	AcroRd32.exe
2376	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2376	1708	cmd.exe	29
PID 1708 wrote to memory of 2376	1708	cmd.exe	29
PID 1708 wrote to memory of 2376	1708	cmd.exe	29
PID 1708 wrote to memory of 2376	1708	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\x - Ware src\Uptime\Frozen\Backend\OnLeave.cs"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\x - Ware src\Uptime\Frozen\Backend\OnLeave.cs"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
db7e447dea96de5ee11b4c7b98d93742

SHA1
d3311c7d535e8147ab5902b147f7e6cd38fc30cc

SHA256
420154cffe9c16062c6036c3f9a6a44ff312c31f5b9813f1780b18cefefd982a

SHA512
9cdff2826fdae49007bb991ee01011632556edecf7bfa629a64ee3f263b2456ffdd84b16655a5b3fcbc1eb8a579315c31ab564a88375d13bd1da3004d73c5362

Download Submit