8ac1a222daea2d06c323567bf56c37b291aea14835801188324b36b90596e7d0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

2KB
MD5

fbc96085185b1c3509e78613b9f78a3a
SHA1

ebd4e99ebe6a3acecc38c7be1ed545c955291ae6
SHA256

8ac1a222daea2d06c323567bf56c37b291aea14835801188324b36b90596e7d0
SHA512

59c4dadb711670122839babca82a437d5aa0c4205ca757937f79981e6bc7345cc827b75a8839381faea4ee27b5fa61a015913a7414e2ea4262d09e2a200b73eb

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.sh	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\sh_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\sh_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2728	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2728	AcroRd32.exe
2728	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2608	2160	cmd.exe	29
PID 2160 wrote to memory of 2608	2160	cmd.exe	29
PID 2160 wrote to memory of 2608	2160	cmd.exe	29
PID 2608 wrote to memory of 2728	2608	rundll32.exe	30
PID 2608 wrote to memory of 2728	2608	rundll32.exe	30
PID 2608 wrote to memory of 2728	2608	rundll32.exe	30
PID 2608 wrote to memory of 2728	2608	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bins.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bins.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bins.sh"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
12c42c46abf759042a4af56c135460d2

SHA1
5d5c2e81298bcc1fbb214369f1d834e7f7a544e2

SHA256
1fe208e9fd7b5dea06c9e53721e31abc1d3a870f247fa854097ae14174a43d19

SHA512
e1ebef4dbc7dad185f1e518354f69bdf597f00584fb7ea58d3e8549cc827c8d825502c8918a518753abe5698c1ba83fc97737258571f7a51d04c08ffc37ccce6

Download Submit