Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
23/07/2024, 22:07
General
-
Target
Cracked Serversides/SANITYSHITSIDE.rbxm
-
Size
164KB
-
MD5
8d441e8d81c86aea7300698545cd7bfe
-
SHA1
6d1a4d63b90cee976b19945f8927c3b8b889acbb
-
SHA256
e53bec56213ae5e8428a0ecc2cc61bf6b94edc519363e0ef2588eaa1f23973ab
-
SHA512
cc7b2d76795b15324df9f6bbc17b0b988bcab62873dacc998c1b25cc9f4787da4d8aadd1c0d99515b0fe549ce0d2515f12d8d47740f29a8a7c9c80453e8d8270
-
SSDEEP
3072:zsTBqj13zU1/TCZE4YB07bhBX63vSrfXsqUDfMVLcpEB3H7IW/vq/sQS:2BqjdU1LiPQ0/K3vSDsqmEVLR37IW6u
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Cracked Serversides\SANITYSHITSIDE.rbxm"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cracked Serversides\SANITYSHITSIDE.rbxm2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cracked Serversides\SANITYSHITSIDE.rbxm"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50c9c31c24c142c8f04c660a71c167ae2
SHA134a4933e1eeecfe8b3d2d01adf6c9502e2f77d54
SHA2562a3a84661304a24579af3d9adf97676301066cf5a8138139680347744831cb1c
SHA5121ad5e9858058015971dbb0bb3212c8a6977c30b55c11af9f41ad85c73dcb609dfa4bf41fb850172a796c41be5ccc0a0c1f65afbe42643f05212fee51b12444f1