43fc4d67b0150124d5da346a700b4cfc92a91c141653d9d3cb4beddb91642aca

Resubmissions

27-07-2024 06:21

240727-g4hl3svaqb 4

27-07-2024 05:35

240727-f92rgasfrc 10

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Asuna Lite/Asuna.runtimeconfig.json
Size

340B
MD5

253333997e82f7d44ea8072dfae6db39
SHA1

03b9744e89327431a619505a7c72fd497783d884
SHA256

28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306
SHA512

56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2896 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2896 AcroRd32.exe
2896 AcroRd32.exe

pid	process
2896	AcroRd32.exe

pid	process
2896	AcroRd32.exe
2896	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2436 wrote to memory of 2348	2436	cmd.exe	rundll32.exe
PID 2436 wrote to memory of 2348	2436	cmd.exe	rundll32.exe
PID 2436 wrote to memory of 2348	2436	cmd.exe	rundll32.exe
PID 2348 wrote to memory of 2896	2348	rundll32.exe	AcroRd32.exe
PID 2348 wrote to memory of 2896	2348	rundll32.exe	AcroRd32.exe
PID 2348 wrote to memory of 2896	2348	rundll32.exe	AcroRd32.exe
PID 2348 wrote to memory of 2896	2348	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Asuna Lite\Asuna.runtimeconfig.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Asuna Lite\Asuna.runtimeconfig.json
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Asuna Lite\Asuna.runtimeconfig.json"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2896

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
e0ee7c4228d7c52e2f631a5eb1a04a34

SHA1
d77abac7983e7c576e5457c279f14706028859f1

SHA256
571d5a8442822a601ef216ab94f0342a0a2c0f0a3b7814b80de3a51e284d42d2

SHA512
41a5eca260809f62b3105af08e08e39ef488026f6a81c25dd86b0704a99aa4ff8f213bc0646c3129bd5590023995d86a21db6cb3d428e4e32678ef49c5fa9c65

Download Submit