1862de02fa8eff612a8d616c5d405bc5898c35fd3cfc74c6b8ceeda8b5bb8db3

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CR9CK/CR9CK.pdb
Size

955KB
MD5

1d4b71a9d5b1d0c2354567f6a24abe14
SHA1

3e8dc08d03b65473d088fb31b770c00fb504d506
SHA256

a843fcdc6a84e7aca0c679b2a4d4d1e39a3c69cd94cfae4e3ebe7d10564bfca8
SHA512

74e9dcee57650a5dd109235a39d208e03bc6ef8795e53d4b7fac9605c897f22570f5067d2a0bf4280dc3a07a4b848653e24369fea855907da9ccab6b84f537fa
SSDEEP

6144:jtul3tZQCwOXckPOAR2CsfGcVknfqyZsAj51jDz6svLYtgpCIAVq3L5V6rsT2Fhv:H+OAsy7D9vLYGCK3L50o9vC0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.pdb\ = "pdb_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\pdb_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\pdb_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\pdb_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\pdb_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\pdb_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.pdb	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\pdb_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2840 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2840 AcroRd32.exe
2840 AcroRd32.exe

pid	process
2840	AcroRd32.exe

pid	process
2840	AcroRd32.exe
2840	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 3016 wrote to memory of 2340	3016	cmd.exe	rundll32.exe
PID 3016 wrote to memory of 2340	3016	cmd.exe	rundll32.exe
PID 3016 wrote to memory of 2340	3016	cmd.exe	rundll32.exe
PID 2340 wrote to memory of 2840	2340	rundll32.exe	AcroRd32.exe
PID 2340 wrote to memory of 2840	2340	rundll32.exe	AcroRd32.exe
PID 2340 wrote to memory of 2840	2340	rundll32.exe	AcroRd32.exe
PID 2340 wrote to memory of 2840	2340	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CR9CK\CR9CK.pdb
1⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CR9CK\CR9CK.pdb
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CR9CK\CR9CK.pdb"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2840

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
6c8bd233be0c94b73154356e8bd04177

SHA1
ee580c5101c36456e89a4f9fe143f064f4ead141

SHA256
5bb5cbf15d1c14313796677147915f816c6d2d5a6a47c90db1016701a2bb7fe5

SHA512
0368390b4233b7502dba06ff5d5aa60eeb1b458da3d0aa4e4782d39976af2be0f8a95c98766671ef14875b6aaf2eb5b78bea054ae7f4021e077b72d5cae5c088

Download Submit