ed1e10ee0cd794b7d253741f0893c094f11a0b03c15b62451ba17dcbb84a00a4

Resubmissions

12/10/2024, 12:46

241012-pzt4ba1dmf 3

12/10/2024, 12:45

12/10/2024, 12:44

12/10/2024, 12:42

05/08/2024, 23:13

08/07/2024, 16:42

07/07/2024, 23:47

Analysis

max time kernel
1556s
max time network
1562s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REGFuck-master/RegFuck/Properties/AssemblyInfo.cs
Size

1KB
MD5

0966cfdc95bcdbf2ae6d960439370b05
SHA1

2bd06e77c24c83fd09172cf0eba24697a9a87c29
SHA256

6c99adef612a9558e20e7410fdf1e416b94c31fcefaa05aa66ece211575924ce
SHA512

5ded1878acac83964792f72e3a4f2f60beb9ecf97d4d0e59a31f08d95c6e85910c8f861289c9949c8ddb75a768d3cfd3c4a34fe9b886625a1e63e3aef59a0f6f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2588	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2588	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2588	AcroRd32.exe
2588	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2588	1628	cmd.exe	31
PID 1628 wrote to memory of 2588	1628	cmd.exe	31
PID 1628 wrote to memory of 2588	1628	cmd.exe	31
PID 1628 wrote to memory of 2588	1628	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\REGFuck-master\RegFuck\Properties\AssemblyInfo.cs
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\REGFuck-master\RegFuck\Properties\AssemblyInfo.cs"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f676305e54df14ac30ffd17af95691fe

SHA1
8a0c699ad034c5ca9a9d8d56b84433a2f002eecf

SHA256
3838b0ce9bddbf4bfa1c3a36d1f3e01a6b1e9062bcd5f1cd6d9d74f9d9f5c653

SHA512
800db690df07c61b3ff55d1eefd531a43346dd68ee1ddb7e58594cdfd41db9af17478f0a95bd8d87c13eafaf67082dab2ddf640bff78df489d8412ade4dcdbf9

Download Submit