ecbd7691eefa1d91670485923917d508317eac186923a41fcd97d72e34914143

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

null.cfg
Size

941B
MD5

7ec815b6c42beadb926f06b06aa28450
SHA1

82f29608edac567fa2a16022f719f0d9f4e62344
SHA256

ecbd7691eefa1d91670485923917d508317eac186923a41fcd97d72e34914143
SHA512

711f749cb8227b931be08f69644989ea4ac061c99ba641ffa231e2959a0aeb1863c0aa1d2d173345563f5591e51b3752ae41429f6f448d58261e9cde22227427

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\cfg_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\cfg_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.cfg	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.cfg\ = "cfg_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\cfg_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\cfg_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\cfg_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2840	AcroRd32.exe
2840	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2492	2900	cmd.exe	31
PID 2900 wrote to memory of 2492	2900	cmd.exe	31
PID 2900 wrote to memory of 2492	2900	cmd.exe	31
PID 2492 wrote to memory of 2840	2492	rundll32.exe	33
PID 2492 wrote to memory of 2840	2492	rundll32.exe	33
PID 2492 wrote to memory of 2840	2492	rundll32.exe	33
PID 2492 wrote to memory of 2840	2492	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\null.cfg
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\null.cfg
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\null.cfg"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
e94ea06dda5e093077cb846082d5eea8

SHA1
9e275258f95ad978d5ff2b4eaf481fed9130b27f

SHA256
41c7d9d686aae779a7b5140097f329dd224cf30138becbcc0b9281e5388955ce

SHA512
3ca29efcc0f1690cf7ca6927f21a95180220c17d0d2e72cd0cb06d861d3bfba9ed02292bec08e939b1c071ca0329b57174d621f62658d518d676cfa448e6c19a

Download Submit