941cc44f629086310dba8c9e96ab55994f230eef6917a2e70ec6c9b698154d88

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EncoderServer.cfg
Size

89B
MD5

d81d3a63c3597a1ac1f61e7862e174f1
SHA1

416c43386386a8916ae80482aacd5a998e9d4e83
SHA256

d505f1850d38d5d6b5d4924cca0f7ed679bbae6ae1ecd8e5c24257fce01f602e
SHA512

72188bb3629c4938a5b1c93e5be7b8fd87ed3ca946feccf36de4b3acb999585b3edde4bd517a173c32774ce46492bf94819e5a49350135ebb370648478685f14

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\cfg_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.cfg	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.cfg\ = "cfg_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\cfg_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\cfg_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\cfg_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\cfg_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2172	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2172	AcroRd32.exe
2172	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2740	2164	cmd.exe	29
PID 2164 wrote to memory of 2740	2164	cmd.exe	29
PID 2164 wrote to memory of 2740	2164	cmd.exe	29
PID 2740 wrote to memory of 2172	2740	rundll32.exe	30
PID 2740 wrote to memory of 2172	2740	rundll32.exe	30
PID 2740 wrote to memory of 2172	2740	rundll32.exe	30
PID 2740 wrote to memory of 2172	2740	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\EncoderServer.cfg
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\EncoderServer.cfg
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\EncoderServer.cfg"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
03b9bf6990e600bfbabbc657bad5db1e

SHA1
30f786b46e26e513aa300f0034707dbee8616d84

SHA256
d38d37f94d2a70215e3dc343bc7782b36a545d6a5c2a3378c0467104d1539db1

SHA512
51b8e28a5bbfc21753fe36ee0911cfeba272fdfc5c5eb61ab797f18eecd1c5cddb60a59ce271aa86640a8131dfc9b4e90f3ffe9ad3ebbe261e36cd148f5c9e36

Download Submit