647f9880a88f2117cdc3c2de87d9666444419d8d500ff27b0a2361f82c42faad

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrianityRelease/bin/Editor/package/dev/vs/base/worker/workerMain.js.map
Size

780KB
MD5

89edf7b504d60911b000bf56164e075c
SHA1

fc2f70f4079654f65b0bf077ea9a999bfcc26d29
SHA256

5dd8bffb8c581b09b635bf1fe57b6f759bbe4a80f6a24fc875fa686264ea17af
SHA512

3e382ba3fedc0b9231a90c0ca0daf3eccb23b74e48b0cd1909b4f13346bb247b3874e3eb8634cfdb81f37cb5129219f4db8c2a89d79b92dd1bfa0afd340a7a7a
SSDEEP

6144:iDyVlsxgd2sAux+qpwpxFqp3B6mqpwpxHqpsBNrRFqGgst+z7yi71dsaX6ZONf70:kxQRrRFqGgst+z/f4

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.map	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\map_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\map_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\map_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.map\ = "map_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\map_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\map_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\map_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	AcroRd32.exe
2724	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2464	1316	cmd.exe	31
PID 1316 wrote to memory of 2464	1316	cmd.exe	31
PID 1316 wrote to memory of 2464	1316	cmd.exe	31
PID 2464 wrote to memory of 2724	2464	rundll32.exe	33
PID 2464 wrote to memory of 2724	2464	rundll32.exe	33
PID 2464 wrote to memory of 2724	2464	rundll32.exe	33
PID 2464 wrote to memory of 2724	2464	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TrianityRelease\bin\Editor\package\dev\vs\base\worker\workerMain.js.map
1⤵
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TrianityRelease\bin\Editor\package\dev\vs\base\worker\workerMain.js.map
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TrianityRelease\bin\Editor\package\dev\vs\base\worker\workerMain.js.map"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
153c90d7b8101973ffed8d37522ccb6f

SHA1
d853bc98dbb18d6b75a7a0e954f6dbe9738d12ef

SHA256
02f70a2613bfa4875956194fed2a0fcdeb93d8836d79f3c0ffd4e7c1598b4ce5

SHA512
72af1442866d868a0aaba7ed3e39781f5cce91f1d1188a4909d1a313eb97b2f134652fef6db5c09cc3ef7a3f0588bb52f23d8f4db0bfaa7f3ddb02b563a75bf0

Download Submit