Analysis

max time kernel:  120s
max time network: 121s
platform:         windows7_x64
resource:         win7-20240708-en
resource tags:    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted:        23-07-2024 06:40
Static task
static1

Behavioral tasks

Task          Sample              Resource
behavioral1   sample.zip          win7-20240708-en
behavioral2   sample.zip          win10v2004-20240709-en
behavioral3   Setup.exe           win7-20240708-en
behavioral4   Setup.exe           win10v2004-20240709-en
behavioral5   battuta.flv         win7-20240708-en
behavioral6   battuta.flv         win10v2004-20240709-en
behavioral7   datastate.dll       win7-20240708-en
behavioral8   datastate.dll       win10v2004-20240709-en
behavioral9   instrucciones.txt   win7-20240704-en
behavioral10  instrucciones.txt   win10v2004-20240709-en
behavioral11  madbasic_.dll       win7-20240704-en
behavioral12  madbasic_.dll       win10v2004-20240709-en
behavioral13  maddisAsm_.dll      win7-20240708-en
behavioral14  maddisAsm_.dll      win10v2004-20240709-en
behavioral15  madexcept_.dll      win7-20240704-en
behavioral16  madexcept_.dll      win10v2004-20240709-en
behavioral17  maidenhair.cfg      win7-20240708-en
behavioral18  maidenhair.cfg      win10v2004-20240709-en
behavioral19  rtl120.dll          win7-20240708-en
behavioral20  rtl120.dll          win10v2004-20240709-en
behavioral21  sqlite3.dll         win7-20240708-en
behavioral22  sqlite3.dll         win10v2004-20240709-en
behavioral23  vcl120.dll          win7-20240704-en
behavioral24  vcl120.dll          win10v2004-20240709-en
behavioral25  vclx120.dll         win7-20240704-en
behavioral26  vclx120.dll         win10v2004-20240709-en
General

Target: maidenhair.cfg
Size:   1.0MB
MD5:    451049d3ac526f1abdd704c3b1fed580
SHA1:   f0fa21249e2414831b59a038334fd659c94361f6
SHA256: 931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6
SHA512: 0c1c8b81116bc4b9a3ec640ff37c668b7efe729aa2e4a58d14fc78fa679b51f15baf6fa7d473e30d44abb4bbbe83f1ccc9d5f519dc6a254fbbcca53244596421
SSDEEP: 24576:gk39+FD860iMNjUhVckT2wynPc+rM/zU2UhbVXThLX7RXg/3r/B:gk3+D8lFUULnPc+ruY2Ud1hLX7Bg/7/B
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
Processes: rundll32.exe

description       ioc                                                                                                                                                       Process
Key created       \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cfg_auto_file\shell\Read                                                              rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cfg_auto_file\shell\Read\command                                                      rundll32.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.cfg\ = "cfg_auto_file"                                                               rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cfg_auto_file                                                                         rundll32.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cfg_auto_file\                                                                        rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.cfg                                                                                  rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cfg_auto_file\shell                                                                   rundll32.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings                                                                        rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: AcroRd32.exe

pid    Process
3000   AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: AcroRd32.exe

pid    Process
3000   AcroRd32.exe
3000   AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: cmd.exe, rundll32.exe

description                          pid    Process        procid_target
PID 3032 wrote to memory of 1316     3032   cmd.exe        31
PID 3032 wrote to memory of 1316     3032   cmd.exe        31
PID 3032 wrote to memory of 1316     3032   cmd.exe        31
PID 1316 wrote to memory of 3000     1316   rundll32.exe   32
PID 1316 wrote to memory of 3000     1316   rundll32.exe   32
PID 1316 wrote to memory of 3000     1316   rundll32.exe   32
PID 1316 wrote to memory of 3000     1316   rundll32.exe   32
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\maidenhair.cfg
  - Suspicious use of WriteProcessMemory
  PID: 3032

  C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\maidenhair.cfg
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1316

    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\maidenhair.cfg"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 3000
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5:      018370e7ca804b6ba74ceeeb7151eec1
SHA1:     8fceedd4de550b4e3b339f0d09bd865421c78ab5
SHA256:   9213429354dc8f298fbf4cfee28a832a7a0f65f85097f55fa1d05b5e903e769b
SHA512:   d370a06b125e67cd7e29d3fd051b6da354c9890ad61157c1e2ceb863b3e110fc16993e24c1728322f9f302cd73326d24de0ebf3a05840181c765a236ba35a3c9