a97caeea5750215ce3f795d9e309e43ae4afa66ca3092e172ce66688996f0b29

Analysis

max time kernel
110s
max time network
87s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data/OFFLINE/5EC33410/175E02FE/Chainsaw Factory.ngrc
Size

10KB
MD5

712386dac161b475cba37e3b188bad8b
SHA1

16e13d1115fa52abea53151273b736fcd591a792
SHA256

2256f5da60a94c3d8cc613aba3b62d64ccb282c87bda97c0b6471b1b2e05044f
SHA512

f1496c96fa920e6a3f08cca37e187fb4f783a77d65e411051a0b1b4624890162519cb52474dc5242372d092e0361021c225ddd4579d520ee50b389987bb58a85
SSDEEP

96:Jz78wzMBvjKyLgBhjqas5qaMz9qaeiqaqiqamiqaZUdJhXgInjqas5qaMzJqaet5:pWmfk

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.ngrc	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ngrc_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ngrc_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ngrc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ngrc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ngrc_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.ngrc\ = "ngrc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ngrc_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2800	AcroRd32.exe
2800	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2668	2332	cmd.exe	30
PID 2332 wrote to memory of 2668	2332	cmd.exe	30
PID 2332 wrote to memory of 2668	2332	cmd.exe	30
PID 2668 wrote to memory of 2800	2668	rundll32.exe	31
PID 2668 wrote to memory of 2800	2668	rundll32.exe	31
PID 2668 wrote to memory of 2800	2668	rundll32.exe	31
PID 2668 wrote to memory of 2800	2668	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\data\OFFLINE\5EC33410\175E02FE\Chainsaw Factory.ngrc"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data\OFFLINE\5EC33410\175E02FE\Chainsaw Factory.ngrc
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data\OFFLINE\5EC33410\175E02FE\Chainsaw Factory.ngrc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
131854b04f4d81bbea6824f9c665a7b3

SHA1
b95bafac5b3e27c64df419271c61fa25a0801029

SHA256
50f194b7c67443af8816989fc73e58b55b82c4792ea49e67524fefa1ca244acf

SHA512
507e12c421d7f21447c7c60e178a1fbe45f81ccc0e977d1e392bfc5d9bccafb2cb70e2a196509a6d3283a79c7119b9bc1b9ea64d764f44127ed1a3f1d28eee28

Download Submit