645e274fec3723d065308f9b16b33392ed7f51fbd5ffc3c00806c2efafb08b65

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

internal/extensions/vehicles.lua
Size

13KB
MD5

f4af2d671434c49b996e782557d5910b
SHA1

ed487d8e687b38e771483429984bf0e93d98c44b
SHA256

33aceffacff3af61fe5743c9debd7968e352a2cda0d522d4dca7c68a8e17974c
SHA512

38691c3c84cdc4a87f3deda94b9bb4fad1d8137cc26b8f631c0a7b8daf2649e7af284efccee208c0f6e129eaf26ce45e477f372f4c6c8823bb5a38b1e60fc6af
SSDEEP

192:L6+1F3MKGh8gLQyNK7axlrAnwHOCG29OadTdLx0HMmdQu8PMISQ3bNV8C366:r28gcyIhndQu8ko3bNV8C3N

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\lua_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\lua_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\.lua	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\lua_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\lua_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\lua_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\.lua\ = "lua_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2820	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2820	AcroRd32.exe
2820	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2412	3044	cmd.exe	31
PID 3044 wrote to memory of 2412	3044	cmd.exe	31
PID 3044 wrote to memory of 2412	3044	cmd.exe	31
PID 2412 wrote to memory of 2820	2412	rundll32.exe	32
PID 2412 wrote to memory of 2820	2412	rundll32.exe	32
PID 2412 wrote to memory of 2820	2412	rundll32.exe	32
PID 2412 wrote to memory of 2820	2412	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\internal\extensions\vehicles.lua
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\internal\extensions\vehicles.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\internal\extensions\vehicles.lua"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
261e7a67b97e82f3ae6c5a3df32f0b80

SHA1
6ec41554fe921607533f2d7fe337ba88ab4d9b3b

SHA256
ee7eabedac5454897c9cfbca0293371928b7b150226bd4b8c0b2194892eeead1

SHA512
f87a6de1db3d9f7bce595945bdae59b678f6221285bd62c20ea1f2d4a3855c4a5a70099265a60787980cdffe8314a8951db27c1a429f6acbc35afc88a9cd9d71

Download Submit