Overview

Tab scores, as shown in the report header (each score follows its tab; the Overview tab carries the overall score for the submission):

- Overview: 10
- Static: 1
- Data2.zip (windows7-x64): 1
- Data2.zip (windows10-2004-x64): 1
- hv.exe (windows7-x64): 5
- hv.exe (windows10-2004-x64): 10
- iepdf32.dll (windows7-x64): 3
- iepdf32.dll (windows10-2004-x64): 3
- rhombohedron.ai (windows7-x64): 3
- rhombohedron.ai (windows10-2004-x64): 3
- shovelnose.deb (windows7-x64): 3
- shovelnose.deb (windows10-2004-x64): 3

Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2024 06:44
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: Data2.zip, win7-20240508-en
- behavioral2: Data2.zip, win10v2004-20240508-en
- behavioral3: hv.exe, win7-20231129-en
- behavioral4: hv.exe, win10v2004-20240611-en
- behavioral5: iepdf32.dll, win7-20240419-en
- behavioral6: iepdf32.dll, win10v2004-20240611-en
- behavioral7: rhombohedron.ai, win7-20240221-en (this page)
- behavioral8: rhombohedron.ai, win10v2004-20240508-en
- behavioral9: shovelnose.deb, win7-20240508-en
- behavioral10: shovelnose.deb, win10v2004-20240508-en
General

- Target: rhombohedron.ai
- Size: 59KB
- MD5: 674dfd74a1bef081bf0da83f893138e5
- SHA1: 2a254cc02fea4c55bbc3133b99a9e2fd03082ae7
- SHA256: 67ff95298e395543ea0c9eeec6bfff81688df379bec578aa31c52d214b385180
- SHA512: 0b2bfbe287a037d46d881a00638a3c272197cf3537bc74169c07c7721cda2bf94927268bfd6cb965ad56e1ac98e3466d809cbc67f2e4d971dd0d7da9568a4cce
- SSDEEP: 768:mw3MXcFaDu4TOhFy3e+BYNuBBwsVMOTeKL7WSX2VZ4kEIs18Ai9my:tkgaDXOhFm/YGBwi57DEdV9my
Malware Config
Signatures

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  All nine writes come from rundll32.exe (PID 2616) under the per-user Classes hive. Together they register the .ai extension and give its ProgID a "Read" verb that launches Adobe Reader:
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.ai\ = "ai_auto_file"
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\shell
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.ai
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\shell\Read
  - Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\shell\Read\command
  When triaging this signature, check where the shell\<verb>\command value points. Here it is the installed AcroRd32.exe with "%1" as its only argument, and the set of keys is consistent with what the shell's "Open with" handler (shell32.dll,OpenAs_RunDLL, listed under Processes) writes once a program has been chosen for an extension that had no registered handler. The association change therefore records how the sandbox opened the file, not a handler the sample planted. A command value pointing into a user-writable location (AppData, Temp, Public) or at the sample itself would be the variant worth escalating.

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - AcroRd32.exe (PID 2776)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  - AcroRd32.exe (PID 2776), two events

- Suspicious use of WriteProcessMemory (7 IoCs)
  - PID 1924 (cmd.exe) wrote to memory of PID 2616 (rundll32.exe): 3 events
  - PID 2616 (rundll32.exe) wrote to memory of PID 2776 (AcroRd32.exe): 4 events
  Every write here goes from a parent into the child it has just created (compare the Processes tree), which is part of normal process start-up; these counts should not be read as injection into an unrelated, already running process.
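The two IoC blocks above (the registry writes and the WriteProcessMemory events) turned into machine-checkable input. This is an added example, not part of the sandbox report and not the sandbox's own logic: it parses lines in the format shown above, extracts every extension or shell-verb definition, flags a handler that lives outside C:\Program Files or C:\Windows (a heuristic assumed here, not a rule from the report), and collapses the memory-write events into a parent/child chain with per-edge counts. The report's own IoC lines are embedded as input; the txtfile/upd.exe line is constructed to show what a hit looks like and does not come from this analysis.

```python
"""Parse sandbox IoC lines and flag file-association changes.
Added example; the "trusted directory" heuristic and the line grammar are
assumptions made here, not the sandbox's rules."""
import re

# Registry IoC lines copied from the report's "Modifies registry class" block.
REGISTRY_IOCS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\ rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.ai\ = "ai_auto_file" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\shell rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.ai rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\shell\Read rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ai_auto_file\shell\Read\command rundll32.exe
"""

# Constructed line in the same format (hypothetical path, not from the report):
# a verb handler planted in a user-writable directory.
HIJACK_IOC = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\txtfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\upd.exe\" \"%1\"" rundll32.exe
"""

# WriteProcessMemory IoC lines copied from the report.
WPM_IOCS = """
PID 1924 wrote to memory of 2616 1924 cmd.exe rundll32.exe
PID 1924 wrote to memory of 2616 1924 cmd.exe rundll32.exe
PID 1924 wrote to memory of 2616 1924 cmd.exe rundll32.exe
PID 2616 wrote to memory of 2776 2616 rundll32.exe AcroRd32.exe
PID 2616 wrote to memory of 2776 2616 rundll32.exe AcroRd32.exe
PID 2616 wrote to memory of 2776 2616 rundll32.exe AcroRd32.exe
PID 2616 wrote to memory of 2776 2616 rundll32.exe AcroRd32.exe
"""

REG_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created) (?P<key>\\REGISTRY\S*?)'
    r'(?: = "(?P<val>.*)")? (?P<proc>\S+\.exe)$')
WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<sname>\S+) (?P<dname>\S+)$')

# Directories a legitimate handler normally lives in (assumption for the heuristic).
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")


def _unescape(s):
    """Undo the report's backslash escaping of quotes and backslashes."""
    return re.sub(r'\\(.)', r'\1', s)


def _handler_exe(command):
    """First token of a shell command value, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def association_changes(ioc_text):
    """One dict per registry write that defines an extension or a shell verb."""
    out = []
    for line in ioc_text.strip().splitlines():
        m = REG_RE.match(line)           # "Key created" and unparsable lines are skipped
        if not m or not m.group("op").startswith("Set value"):
            continue
        key = m.group("key").rstrip("\\")
        val = _unescape(m.group("val") or "")
        parts = key.split("_CLASSES\\", 1)[-1].split("\\")  # path below HKCU Classes
        if parts[0].startswith(".") and val:  # .ext default value names the ProgID
            out.append({"kind": "extension", "ext": parts[0], "progid": val,
                        "proc": m.group("proc"), "suspicious": False})
        elif len(parts) >= 4 and parts[1] == "shell" and parts[3] == "command" and val:
            exe = _handler_exe(val)       # ProgID\shell\<verb>\command = handler
            trusted = exe.lower().startswith(TRUSTED_PREFIXES)
            out.append({"kind": "verb", "progid": parts[0], "verb": parts[2], "exe": exe,
                        "proc": m.group("proc"), "suspicious": not trusted})
    return out


def process_chain(ioc_text):
    """Collapse repeated write events into parent->child edges with counts."""
    edges = {}
    for line in ioc_text.strip().splitlines():
        m = WPM_RE.match(line)
        if m:
            k = (int(m.group("src")), m.group("sname"), int(m.group("dst")), m.group("dname"))
            edges[k] = edges.get(k, 0) + 1
    return [{"parent": f"{s}:{sn}", "child": f"{d}:{dn}", "writes": n}
            for (s, sn, d, dn), n in edges.items()]


if __name__ == "__main__":
    for change in association_changes(REGISTRY_IOCS + HIJACK_IOC):
        print(change)
    for edge in process_chain(WPM_IOCS):
        print(edge)
```

On the report's lines the only verb handler found is AcroRd32.exe under Program Files, so nothing is flagged; the constructed txtfile line is the one that comes back with suspicious set. The chain output reproduces the Processes tree (cmd.exe 1924 into rundll32.exe 2616, three writes; rundll32.exe 2616 into AcroRd32.exe 2776, four writes), which is the quick way to confirm that every write is parent-into-child before spending time on it.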
Processes

- C:\Windows\system32\cmd.exe (PID 1924)
  cmd /c C:\Users\Admin\AppData\Local\Temp\rhombohedron.ai
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2616)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\rhombohedron.ai
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2776)
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\rhombohedron.ai"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

This chain is the standard path for cmd /c on a file whose extension has no registered handler: cmd hands the path to the shell, the shell raises the "Open with" dialog through shell32.dll's OpenAs_RunDLL export, and the program selected there (Adobe Reader in this run) is launched with the file as its argument. The sample itself never executes as a process; everything below cmd.exe is Windows and Adobe code.
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents (written under Adobe Reader's own profile directory by AcroRd32.exe, PID 2776)
  - Filesize: 3KB
  - MD5: 4d944bda86d1726bf675e0d0212423c5
  - SHA1: b3168b93061e7e4a812403b65ab673afbc3cb7d7
  - SHA256: 2103d883f689145867b3e8c8315e74023bcd2a0c4e6f9390e0c5a65b471144d0
  - SHA512: c2426244cbd0ae30b29c1b50e09386b5ee879b29fed0e2ac44dd686456d22ba2ba39ed3ab81619d3efa00e4aebc4d6915bacb2ee466ec12fe18035c666ca68ad