a1941786149857faebfd4f2731022d8af6aaa984b981bffd40bd123472b0beb4

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resources/app/node_modules/chalk/node_modules/has-flag/package.json
Size

457B
MD5

b8775a9a70bd4e7bfcfd40c4004331a7
SHA1

7f821eb955adcd3f50d34fa5c2ecb8d29a5af554
SHA256

b72f29e906482722a0487d94cda6777a689a8f5c8c0a4969a9faa9961ef59082
SHA512

6f6f99fc9cf6509dcf57781e1dbc0f30b7533f8ce69c7edca5831abd036b620066f2f5a32ab040ea2c2676a30fbaf5725074ada030e74e410b62c46dec138eab

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.json	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1992	AcroRd32.exe
1992	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2844	2332	cmd.exe	31
PID 2332 wrote to memory of 2844	2332	cmd.exe	31
PID 2332 wrote to memory of 2844	2332	cmd.exe	31
PID 2844 wrote to memory of 1992	2844	rundll32.exe	32
PID 2844 wrote to memory of 1992	2844	rundll32.exe	32
PID 2844 wrote to memory of 1992	2844	rundll32.exe	32
PID 2844 wrote to memory of 1992	2844	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\package.json
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\package.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\app\node_modules\chalk\node_modules\has-flag\package.json"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9063fd99a4bcd932b1bef2b668af2cd3

SHA1
e731f7d9f9bc906f7f20dc7c8856598e6b445094

SHA256
65c449544ba2157716d5f797d849f59cfbc8020b6af51458916741cb1009a3b3

SHA512
d71b2dbd2438ce75c4623b8741bfec9ef36e13f74265c77c799b024024be39b815181e45cab265af3738b83a086caee48ce4fad9b11b604ab1f7878c05809ff7

Download Submit