645e274fec3723d065308f9b16b33392ed7f51fbd5ffc3c00806c2efafb08b65

Analysis

max time kernel
103s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

internal/extensions/CScriptThread_Timers.lua
Size

1KB
MD5

9e26a3f52653a2bc26376665de16460a
SHA1

819f322e928a3e969a7e1e2cc92b4c774119587a
SHA256

89b849bd208de27791887738d84a2c20f1e6be9acb5b5973459e097fa6c2e26a
SHA512

421df6874e7d5931288818687332b4eaa388560956238edb6e127f8033705dc97ac2de18487e0c2fefba264021f1dbec31c588984dd71275ac814eec687bce7b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\lua_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\lua_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.lua\ = "lua_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\lua_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.lua	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\lua_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\lua_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2784	AcroRd32.exe
2784	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2148	2388	cmd.exe	30
PID 2388 wrote to memory of 2148	2388	cmd.exe	30
PID 2388 wrote to memory of 2148	2388	cmd.exe	30
PID 2148 wrote to memory of 2784	2148	rundll32.exe	31
PID 2148 wrote to memory of 2784	2148	rundll32.exe	31
PID 2148 wrote to memory of 2784	2148	rundll32.exe	31
PID 2148 wrote to memory of 2784	2148	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\internal\extensions\CScriptThread_Timers.lua
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\internal\extensions\CScriptThread_Timers.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\internal\extensions\CScriptThread_Timers.lua"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7a1f6c6c8105a7fcd78a3dc11b0e14ba

SHA1
174e9487fd27005d0f30ef3c9c66e443f24b42bc

SHA256
f42e5999643e2b00c7c0e3f9cc044f62f225873d9c8e6fc51d131f2099331dc3

SHA512
9042d6e751cacac567a7c703fa4635061297b71238247c84a7b8c76b46ca38e71a5401acd73089dd49837aea96a6458874c9fd641f4084de990a77d70c515811

Download Submit