ceff46da586622eec2d85705082b12ae8af0e9cde91f573b8aa2d6edefd7207c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x - Ware src/Uptime/Frozen/Utilities/TimedBehaviour.cs
Size

1KB
MD5

d068b5926160df8b522bae6a6cf04aab
SHA1

1e9fd8021a85bd42046ebd4ed999e1bb2696a559
SHA256

88a90fde1cbd74497811d5e3e44be40628e7bd0275adcaef4b1105dbf5654bbd
SHA512

e19eaf68fc95da71b769c86c6d0a415c8d0d2e9532d2465d2f219b25f386f08777884a095627db257990207c5948e53352daf4e16a13693055a3d0918ca2293c

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2836	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2836	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2836	AcroRd32.exe
2836	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2836	2700	cmd.exe	29
PID 2700 wrote to memory of 2836	2700	cmd.exe	29
PID 2700 wrote to memory of 2836	2700	cmd.exe	29
PID 2700 wrote to memory of 2836	2700	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\x - Ware src\Uptime\Frozen\Utilities\TimedBehaviour.cs"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\x - Ware src\Uptime\Frozen\Utilities\TimedBehaviour.cs"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
33b65bd15c5950e5d783732ab4684cda

SHA1
1793b087787277c895ab43e9b1434da4bc895f81

SHA256
3b19fbd0c196e0276fe63bbd3812368c7b372fc04fbfd1f1bd1247ce1785c9ff

SHA512
bf6ff35dd5a6da9f8f33b0e46ee9227cd8d128c9a07eb22690118da22f06c5288e8c4cbb95cd0b56c870c9ee34c91b53a46ab10c145df2de405d6332e46a480c

Download Submit