6ea69c62d53d4aa6016c4eba3bcf7ea4c19ec57f23b459b8f5e70b165ff7876a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EVERYTHING.pdb
Size

41KB
MD5

6a5b4ea5db6629a678cfbab8dd6ebe27
SHA1

aca68668e49f0d8fd10ef8ad385fab4853a42704
SHA256

cda489b66c5b6c6c4821eee89d7ae075f34aca5af06376fb7eda132e3c5bac6d
SHA512

04218fc3f0f36c92aefb34279baeaa6e1744b1be3ef734e50b8775778edb580780c0fcef85f75e18ffcf6a225560185a70c9a9c4a0f25881f110b6ecfa97da43
SSDEEP

384:PnbwAbwx1dvs5c4SECbHzuXpPSDl2ECbkUgmL1dvsaZ:PnbwAbwx1dvs5MUCtFs1dvsa

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pdb\ = "pdb_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\pdb_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.pdb	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2928	AcroRd32.exe
2928	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2860	1672	cmd.exe	31
PID 1672 wrote to memory of 2860	1672	cmd.exe	31
PID 1672 wrote to memory of 2860	1672	cmd.exe	31
PID 2860 wrote to memory of 2928	2860	rundll32.exe	32
PID 2860 wrote to memory of 2928	2860	rundll32.exe	32
PID 2860 wrote to memory of 2928	2860	rundll32.exe	32
PID 2860 wrote to memory of 2928	2860	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\EVERYTHING.pdb
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\EVERYTHING.pdb
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\EVERYTHING.pdb"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
995f7de7973d5a3de93c354a794625bd

SHA1
3dbe7f470445b69412231c9084814af65075389b

SHA256
3bd48032abf613f25689c6034a887cfff2a22f0be2502ae39b7fcd5c80e9232f

SHA512
73eec64b52f138724e4d16e3a7560bfbbfaa0d300f985acb43acef68a50739086fc6385734ccd6a29f4671f4b0a4c53f9827d6713a45b89209fd4c7f7443b909

Download Submit