100b85a1e544ca868a5498cc88fb5d5f5775fa70bb336c87efa07528bc313271

Analysis

max time kernel
120s
max time network
131s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MultiMC/libLauncher_nbt++.dll.a
Size

149KB
MD5

6b9900ce8bd0fddd98aee0b884f92c5e
SHA1

91e5878b470b3685cf3c4dac9b20c256468414ed
SHA256

48912397bbea8d5797302776fa6f95822f546dc3a0556ffdbe1484cc7d5988bb
SHA512

ccb6df4c25609c3181bfbc4e8bf8cfbfdfdc0288231ad155b73d258500956be2a5fdaa59c095cd7e0fd01a07d2c8f8e34f047a0dd71794e9f23db03b0b3ae416
SSDEEP

768:NPr973mZbLfBnCNQc99GDsFrQWQLRwoNBmuBMzKIKRDkfUqRVS6nMRISEyMFNNiB:Vr973mjDGKrIb3HquWg579YmS

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\a_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\a_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\a_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\a_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.a	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.a\ = "a_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\a_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\a_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1204 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

1204 AcroRd32.exe
1204 AcroRd32.exe

pid	process
1204	AcroRd32.exe

pid	process
1204	AcroRd32.exe
1204	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1572 wrote to memory of 2404	1572	cmd.exe	rundll32.exe
PID 1572 wrote to memory of 2404	1572	cmd.exe	rundll32.exe
PID 1572 wrote to memory of 2404	1572	cmd.exe	rundll32.exe
PID 2404 wrote to memory of 1204	2404	rundll32.exe	AcroRd32.exe
PID 2404 wrote to memory of 1204	2404	rundll32.exe	AcroRd32.exe
PID 2404 wrote to memory of 1204	2404	rundll32.exe	AcroRd32.exe
PID 2404 wrote to memory of 1204	2404	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MultiMC\libLauncher_nbt++.dll.a
1⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MultiMC\libLauncher_nbt++.dll.a
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MultiMC\libLauncher_nbt++.dll.a"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1204

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
8fd84167fc3f528aaf1fac855fbca94d

SHA1
0cae1a177aa1b8a7bdf7e2f8fd8b09a716f37d41

SHA256
c68dae224c08f8d88e63a1b1cf6a25bf14e52de1484b8fc2771d0c48e5246f9b

SHA512
884f9ccb47a4ed6c21c6ea51fd9da15c5ce713bbd06a8a0b1bed0a7f6d904c391d5aade8fac5a1b6e3ed9cfb2b9e22cf7e3d9da8b655d3c8d2ea75b0de7174f8

Download Submit