d88271eb4440a41f65cad7e1d6c8b6b5f5d627d2bba8783b7ca76890467e9947

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 17:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SmokeySpoofer-main/SmokeySpoofer/Properties/Settings.Designer.cs
Size

1KB
MD5

7ba58f19975d04b2b0ee78bf0fd0e17b
SHA1

84dd853ef84cf1c26655d75494d7200360d985ec
SHA256

0ffa692522bdb415ec1a38be6391f5162bddd3518028c73c52b4470059918001
SHA512

2e7c72eee4e74e600e4a5871bae043557938eed7ceb9370edf69301188ebcb0881903081e85bc0ddb2339e12ecea459c46d674b8d0f255d84a0c0c17db33ee74

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2756	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2756	AcroRd32.exe
2756	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2756	2984	cmd.exe	31
PID 2984 wrote to memory of 2756	2984	cmd.exe	31
PID 2984 wrote to memory of 2756	2984	cmd.exe	31
PID 2984 wrote to memory of 2756	2984	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SmokeySpoofer-main\SmokeySpoofer\Properties\Settings.Designer.cs
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SmokeySpoofer-main\SmokeySpoofer\Properties\Settings.Designer.cs"
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
427a7aaced9edfeb03634a9bde15b488

SHA1
1d76207b5e83a8972161675eacb7595b19c4ae3f

SHA256
65bafcd78a8c6870f2487e2cdd3c0ccf0798d508fccebed8d5319d6608ac161f

SHA512
4ef8de5a55e2bd40defbeb736d6aec4a6b1e3b6e79efc1619675ee23fae09d3a6cbf21b170d657b9bea0d29004ddb2f5f5df2c594350078a78c49294f6e695e0

Download Submit