ed1e10ee0cd794b7d253741f0893c094f11a0b03c15b62451ba17dcbb84a00a4

Resubmissions

12/10/2024, 12:46

241012-pzt4ba1dmf 3

12/10/2024, 12:45

12/10/2024, 12:44

12/10/2024, 12:42

05/08/2024, 23:13

08/07/2024, 16:42

07/07/2024, 23:47

Analysis

max time kernel
1561s
max time network
1567s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REGFuck-master/.gitignore
Size

4KB
MD5

3098b68cc250096257faf1fd842923e6
SHA1

850b66c7cdc908904fbfe45f117a5448b349cb3f
SHA256

a6204c2b9a5c667c5f337f4613aba9d2e5e2da9d8aeb80003d6ff52f48991779
SHA512

a920f27435b28b925a5fe2a9cfc249b63d846e6e52592a928f80d05865f30ffb4b3f3f87658322aa886d541889226d85ba4b9bb60aa59e3c0865ba292671eed6
SSDEEP

96:nsZoRH+CWt4saLzcSiUEK6qGiANBCHJvh+JVFwygRfOXUPS:n9R1WahVPfHf+JSg

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\.gitignore\ = "gitignore_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\gitignore_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\.gitignore	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\gitignore_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\gitignore_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\gitignore_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\gitignore_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\gitignore_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2764	AcroRd32.exe
2764	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2732	1356	cmd.exe	32
PID 1356 wrote to memory of 2732	1356	cmd.exe	32
PID 1356 wrote to memory of 2732	1356	cmd.exe	32
PID 2732 wrote to memory of 2764	2732	rundll32.exe	33
PID 2732 wrote to memory of 2764	2732	rundll32.exe	33
PID 2732 wrote to memory of 2764	2732	rundll32.exe	33
PID 2732 wrote to memory of 2764	2732	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\REGFuck-master\.gitignore
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\REGFuck-master\.gitignore
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\REGFuck-master\.gitignore"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a8f0ada2c543d459a3fee69b1b5ecf5a

SHA1
58284ac9f44cfacd734754eb9646f910a5ee5ba2

SHA256
3ef2933996cb121d7a32daf68848f2e07e278bed6cb93d103e513b5db0fc253d

SHA512
06aea22f7dce0c7a30d86a8510d669cf86e0eb8dc03bcf8f512e03aa31a3c82d72f67f8d459b077aedce04d9c97d96361e357669379fd107180534346babcb82

Download Submit