Overview
overview
3Static
static
35ea55f3d-7...2).rar
windows7-x64
35ea55f3d-7...2).rar
windows10-2004-x64
3PS3 Avatar...s.json
windows7-x64
3PS3 Avatar...s.json
windows10-2004-x64
3PS3 Avatar...ls.exe
windows7-x64
1PS3 Avatar...ls.exe
windows10-2004-x64
1PS3 Avatar...ls.exe
windows7-x64
3PS3 Avatar...ls.exe
windows10-2004-x64
1PS3 Avatar...ls.pdb
windows7-x64
3PS3 Avatar...ls.pdb
windows10-2004-x64
3PS3 Avatar...v.json
windows7-x64
3PS3 Avatar...v.json
windows10-2004-x64
3PS3 Avatar...g.json
windows7-x64
3PS3 Avatar...g.json
windows10-2004-x64
3PS3 Avatar...on.dll
windows7-x64
1PS3 Avatar...on.dll
windows10-2004-x64
1PS3 Avatar...ls.exe
windows7-x64
1PS3 Avatar...ls.exe
windows10-2004-x64
1PS3 Avatar...ut.txt
windows7-x64
1PS3 Avatar...ut.txt
windows10-2004-x64
1Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
03-08-2024 05:34
Static task
static1
Behavioral task
behavioral1
Sample
5ea55f3d-72f9-42fa-90cd-871a9e1acf14 (2).rar
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
5ea55f3d-72f9-42fa-90cd-871a9e1acf14 (2).rar
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.deps.json
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.deps.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.exe
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.pdb
Resource
win7-20240705-en
Behavioral task
behavioral10
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.pdb
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.runtimeconfig.dev.json
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.runtimeconfig.dev.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.runtimeconfig.json
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
PS3 Avatar Tool by x22/Avatar PSN Tools.runtimeconfig.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
PS3 Avatar Tool by x22/Newtonsoft.Json.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
PS3 Avatar Tool by x22/Newtonsoft.Json.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
PS3 Avatar Tool by x22/ref/Avatar PSN Tools.exe
Resource
win7-20240729-en
Behavioral task
behavioral18
Sample
PS3 Avatar Tool by x22/ref/Avatar PSN Tools.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
PS3 Avatar Tool by x22/tut.txt
Resource
win7-20240704-en
Behavioral task
behavioral20
Sample
PS3 Avatar Tool by x22/tut.txt
Resource
win10v2004-20240802-en
General
-
Target
PS3 Avatar Tool by x22/Avatar PSN Tools.deps.json
-
Size
1KB
-
MD5
724c823582aa13a9a0f460fb3a7fac16
-
SHA1
3250b0999df20bfe37ab6fd6624886d159fac332
-
SHA256
4d834981db02af8510e7ff500b28d843c4a24e8c8f2c0d789e8b6353aba21bbc
-
SHA512
4596d45b6ec8f13cb7b899d177cfb2e18859031b6d7b31217b05400da3aab25a26781a92d91e3b8680cc7abc247bcc45943f2972629357b3e1b9577974b76e95
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AcroRd32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.json rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.json\ = "json_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\json_auto_file rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2604 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2604 AcroRd32.exe 2604 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2808 wrote to memory of 2980 2808 cmd.exe rundll32.exe PID 2808 wrote to memory of 2980 2808 cmd.exe rundll32.exe PID 2808 wrote to memory of 2980 2808 cmd.exe rundll32.exe PID 2980 wrote to memory of 2604 2980 rundll32.exe AcroRd32.exe PID 2980 wrote to memory of 2604 2980 rundll32.exe AcroRd32.exe PID 2980 wrote to memory of 2604 2980 rundll32.exe AcroRd32.exe PID 2980 wrote to memory of 2604 2980 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\PS3 Avatar Tool by x22\Avatar PSN Tools.deps.json"1⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PS3 Avatar Tool by x22\Avatar PSN Tools.deps.json2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PS3 Avatar Tool by x22\Avatar PSN Tools.deps.json"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2604
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5edf337ea10ee03c2cf685126d7c5c65b
SHA17b741f10f99dbb2ac8a78a2dbaab2a9970e4f6f2
SHA2564548f237364b9d7c8c5653e7d0a1910042c551a4e2887bb6b445c04ac81be1dd
SHA512506a00a9bab3e6a32b87bd7fd202dba4304c5b5ef786790f1a9e632f95178bc21069436d13f64e598d2be572cba4250d25a5040895d214570af7c432b819acf6