645e274fec3723d065308f9b16b33392ed7f51fbd5ffc3c00806c2efafb08b65

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

internal/game/Object.lua
Size

95B
MD5

b91ef87c27f50a0027b7e1c82be520bb
SHA1

d01c21a6fab3ad8239970255867e40369dacde72
SHA256

a77f0b448eafd9fea35835629e4480b911bda3faa402a996d813db13867e512b
SHA512

514df7a7101529b035b876c519a27619349f8575f0c58e5eba357b10bb8058f9e105fa7ea97ff6f5aa5a3fa064699908099cbd6f8aa9903c740c12779b430a50

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\lua_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\lua_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\lua_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\lua_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.lua	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.lua\ = "lua_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\lua_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2732	AcroRd32.exe
2732	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2700	3016	cmd.exe	31
PID 3016 wrote to memory of 2700	3016	cmd.exe	31
PID 3016 wrote to memory of 2700	3016	cmd.exe	31
PID 2700 wrote to memory of 2732	2700	rundll32.exe	33
PID 2700 wrote to memory of 2732	2700	rundll32.exe	33
PID 2700 wrote to memory of 2732	2700	rundll32.exe	33
PID 2700 wrote to memory of 2732	2700	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\internal\game\Object.lua
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\internal\game\Object.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\internal\game\Object.lua"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2501cc0ce2a40a5118958cab7ab32c51

SHA1
ded58e28806ba4328652d3614da82002e95717b0

SHA256
473ab08e8c627eff480ac0d828d9b4778bbec13f3d7f02286a7536655f0e7457

SHA512
76048778c39131235cdcc3e37f7281dd7d2245272c33c84277feeb213b3c9f40f3f886993961efb89a76ab2913f00303507029fd556204dfd8c5105a449eb79a

Download Submit