ceff46da586622eec2d85705082b12ae8af0e9cde91f573b8aa2d6edefd7207c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x - Ware src/Uptime/Frozen/Backend/anticheatnotif.cs
Size

639B
MD5

78873720ee2496d9c542849404c9c476
SHA1

39a4f4d0b3d879c6eece109d715f1532cbaf1566
SHA256

9815a3e9c444e9b2c91adeb66c5365b6ad2dfc8fe7ecba6b3ad2d0bdf846c370
SHA512

49f841e2dce34620d4c7fd85cc9596b4b3322d048d12754359974f3081a4c5c8b3eb9eda2d9390f1f79c8be4798b0445a549011aabac78e20f807a7575096591

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2532	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2532	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2532	AcroRd32.exe
2532	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2532	1732	cmd.exe	29
PID 1732 wrote to memory of 2532	1732	cmd.exe	29
PID 1732 wrote to memory of 2532	1732	cmd.exe	29
PID 1732 wrote to memory of 2532	1732	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\x - Ware src\Uptime\Frozen\Backend\anticheatnotif.cs"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\x - Ware src\Uptime\Frozen\Backend\anticheatnotif.cs"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f8774bac309c623621b8ae209bf80af8

SHA1
d38a3d796e4629e0e91c9871b29f42c6b53575be

SHA256
087027567a7d2b0691ff5575de44b0d75375822b47433c9fca0219d30ddaec2f

SHA512
390ee9a21e78347f5fef8b2f4afe5657aefe507a991f06987b4a7c9fca8a5659643e586a3279f2bd5d0a247c302e7b913552f396529277c74e84ae2531c841c5

Download Submit