Resubmissions

07/08/2024, 12:20

240807-ph2rtsyejj 10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/08/2024, 12:20

General

  • Target

    $APPDATA/TotalAV/updates/SAVAPI 8.0.1/aeheur_gwf.dat

  • Size

    912B

  • MD5

    27dbb4a716dc8d87eac34a14f814dbc8

  • SHA1

    2f3c673d444a0b996d609136d8741f6dfc47ba6a

  • SHA256

    b90baa70bd07bc5b3573909b37a6cf4fcccc3d7c9702806c94bd843988d0ed5d

  • SHA512

    dcfba0317f02771d40fa190e78c19fa2e178d0ffadd6b8d22da4be7f66a3e7983da2a0c14741ab9df0d9f034754c4ea758d758ec7a65c53f77f922d13648e9a5

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\$APPDATA\TotalAV\updates\SAVAPI 8.0.1\aeheur_gwf.dat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$APPDATA\TotalAV\updates\SAVAPI 8.0.1\aeheur_gwf.dat
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$APPDATA\TotalAV\updates\SAVAPI 8.0.1\aeheur_gwf.dat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    62452e70547f9395e0e5bf228ccd169f

    SHA1

    53a89dd73fba344d98a1f0ac3d160f5e6cdfd384

    SHA256

    d20ee459b999c70b909be2c80ba3bf684f29c6af95cc335aeb05e53cb549bc9b

    SHA512

    409df9c4e327c750c5a154f2c9c148e906e0180fddd6dc402ec5ccf7c0d3cf148cfd7f9b489335d2631b8f72375990ebacee016c2591545cbc47baa827f106cf