b2d67f85171a7e394f28cc8df0f0a36f80e7fb7aeada7f9709fd1543b53e4579

Resubmissions

25/06/2024, 17:24

240625-vyzkassgra 8

Analysis

max time kernel
361s
max time network
362s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arquivos Minecraft/UnlockerPortable/Other/Source/_UnlockerPortable.nsi
Size

6KB
MD5

1fb8be36a2c4a946c8fc8790a1e8d399
SHA1

5404f57620d5fb6638cd06c4351c49873ee31b23
SHA256

55338f2e03528a6f44c07e34461e314350d678a43e28e60fed6453697e292fa8
SHA512

fad88ae0d91bd5978fec6bcd0c09c50bc6b572afe30c4d48e99ce019b418f8e14319ef6833e921ee07aa467058c18126e5a6f51294f41e64a77e4b2d531dace5
SSDEEP

192:JU4R20EpF/0bYbELx4IVTaV6ZBXQI1zprztM2cNqGq:JUcEpFsYbELx4IVTaV6/QI1zprztM2cG

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.nsi\ = "nsi_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\nsi_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\nsi_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\nsi_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\nsi_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\nsi_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\nsi_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.nsi	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2776	AcroRd32.exe
2776	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 3016	1216	cmd.exe	29
PID 1216 wrote to memory of 3016	1216	cmd.exe	29
PID 1216 wrote to memory of 3016	1216	cmd.exe	29
PID 3016 wrote to memory of 2776	3016	rundll32.exe	30
PID 3016 wrote to memory of 2776	3016	rundll32.exe	30
PID 3016 wrote to memory of 2776	3016	rundll32.exe	30
PID 3016 wrote to memory of 2776	3016	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Arquivos Minecraft\UnlockerPortable\Other\Source\_UnlockerPortable.nsi"
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Arquivos Minecraft\UnlockerPortable\Other\Source\_UnlockerPortable.nsi
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Arquivos Minecraft\UnlockerPortable\Other\Source\_UnlockerPortable.nsi"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
16d1ccfc125882ae7d1506fe77b0e63a

SHA1
9a425104ee4ed2699da29a8b0f59a0128da16acf

SHA256
73b35c6b9e989ea5ee1bd2b2302d7ec72533e35f71d6f60b00adf5204370ac7d

SHA512
0f26b19281b3d10acf946ffedc23d9fbc4dd822d99de525bf5292ce774b22c19d6c4f20991f43e3cb1067f0d7dcb708207b82ea93c49b86ad58ba4c817a380c9

Download Submit