538625f9a7445060633674211aa9d30224a7dea65b72b7bbb16796483b09034a

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/app-64.7z
Size

83.1MB
MD5

a576c2eb25b57ac159026e5c2c8dbc53
SHA1

a41b15182f78de6bdbbc1d9cfd389278cb3a3321
SHA256

ff5758a6fb05f2d92b5f89ea42856e9c89520cba44be4024582cea72fd36ae65
SHA512

29b9715f47bef13080f7e4db61cdd6f7aed1933375cca276b1bcb9243fe50a0bf7002ed49554df91716c4020df01cd4bbc290e195ded13629c54b21428198265
SSDEEP

1572864:DgUDBSOQJXbL5OPQVQQZMJsIuW3IELNAe0uT7OeDF3jOZG:DLDBSO4XBOPsQQuP/3Guz9SG

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2052	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2052	AcroRd32.exe
2052	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2772	2840	cmd.exe	31
PID 2840 wrote to memory of 2772	2840	cmd.exe	31
PID 2840 wrote to memory of 2772	2840	cmd.exe	31
PID 2772 wrote to memory of 2676	2772	rundll32.exe	32
PID 2772 wrote to memory of 2676	2772	rundll32.exe	32
PID 2772 wrote to memory of 2676	2772	rundll32.exe	32
PID 2676 wrote to memory of 2052	2676	rundll32.exe	34
PID 2676 wrote to memory of 2052	2676	rundll32.exe	34
PID 2676 wrote to memory of 2052	2676	rundll32.exe	34
PID 2676 wrote to memory of 2052	2676	rundll32.exe	34

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6d37138f394c75a79f43863533b7e75c

SHA1
c6b8a4b05fac631960514f62eebca9a3c8d8ada4

SHA256
95c1d1a396b9f41d06743b5039df4d2df869a8ddcf7b3eca8b511b8335e22fc0

SHA512
191994d02c155dc1627aaf1d00cf489ac388e3ac4fc4a8fca20f712f7b25e49229c4790334db00220663dbc3fcf70d8056ef60b9029a057034fa5a92723bfd91

Download Submit