ceff46da586622eec2d85705082b12ae8af0e9cde91f573b8aa2d6edefd7207c

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x - Ware src/Uptime/Frozen/UI/WristMenu.cs
Size

54KB
MD5

12e255cf5495fa3504926e778a57ae7b
SHA1

a0682908bb618d73b0c81fc53812d3dc61c25188
SHA256

d448d6081e472424aae27abdaaf2fcaa74b23a4865cffa4652b72c63d59b04c4
SHA512

106e556a9ee5072b9a6cdc2bfd16efb3856bbcdf0da4f3de122b9d4c215577b70539b3cb748b606be03073545f1e40fba9886285ee8d23d3d98707b4ad5e4cdf
SSDEEP

768:IYvtvR37fBTf/IoE7DQmVPWk2Tpt5aHniH/HG7NWQt9deDVfcLPD4kol:hkQm9WmsQghSql

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2532	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2532	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2532	AcroRd32.exe
2532	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2532	2976	cmd.exe	29
PID 2976 wrote to memory of 2532	2976	cmd.exe	29
PID 2976 wrote to memory of 2532	2976	cmd.exe	29
PID 2976 wrote to memory of 2532	2976	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\x - Ware src\Uptime\Frozen\UI\WristMenu.cs"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\x - Ware src\Uptime\Frozen\UI\WristMenu.cs"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
35a8565f7cde30e1ad98f9639cb549d6

SHA1
bc0de3264ecfe3baade0d4961b630b33638eafe7

SHA256
0816f001e06256b7ce189a5a2dfe367f552dc8c74c26ab84d062f94eb560f02b

SHA512
df545639023bce2cfe8cea76bd37a9bf3bd85cdfb9bdf148d53439867cec752e032e4a1e40ab5bbaf09ba07969f5dcaba71a9337521be2f76d1aa5bf96e7b18e

Download Submit