cb29f363b86d19778ab202835bb6faa40918de2e98cbfe1e315183e7a4a15515

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom/Aperture Tag Gun/materials/models/weapons/v_models/portalgun/gelgunmap02.vtf
Size

5.3MB
MD5

842fbcd852bbd841c67a5269c7c08f6b
SHA1

0833a4e349032909f6e1c0c9fd5d8f7ab127eb1a
SHA256

0494f123d8fc7a5df2955cbd56bb0ddf4c81cb33b1b2ba1bda65b2ea8eaf7b74
SHA512

f6f8f649c28c68a3f88658aa4ce062729fbca3769cbfe8387039e2b444a58a32085b23fefd4fee3405376b1c36fc31e0ad86fe10391ec25df9dfba6e9d451904
SSDEEP

24576:9uWhRG8nF+FOHv3J6eoCEKnjNHLon+REZC6KHzAn:9HG8ncFOHv3JNoCEKnjxsniEZC6Ln

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\vtf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\vtf_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\vtf_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.vtf\ = "vtf_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\vtf_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.vtf	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\vtf_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\vtf_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	AcroRd32.exe
2748	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3040	1316	cmd.exe	32
PID 1316 wrote to memory of 3040	1316	cmd.exe	32
PID 1316 wrote to memory of 3040	1316	cmd.exe	32
PID 3040 wrote to memory of 2748	3040	rundll32.exe	33
PID 3040 wrote to memory of 2748	3040	rundll32.exe	33
PID 3040 wrote to memory of 2748	3040	rundll32.exe	33
PID 3040 wrote to memory of 2748	3040	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\custom\Aperture Tag Gun\materials\models\weapons\v_models\portalgun\gelgunmap02.vtf"
1⤵
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\custom\Aperture Tag Gun\materials\models\weapons\v_models\portalgun\gelgunmap02.vtf
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\custom\Aperture Tag Gun\materials\models\weapons\v_models\portalgun\gelgunmap02.vtf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
602ee6563ca08d9bbedeb8e26037ac0c

SHA1
a604fa615e0bd4aae0f5daa29115b874dd85d881

SHA256
764d7163c450820943cc6c61033a1acab8ef11f66b4892ce685f57bf65bf2bf3

SHA512
f0883e695a386666fb53ecfcdf629956fa2688af48c6bc31f9fdc1213e56c2a807f43c2e710cafbf03f817e8e9028a3043b251e8d21be9e42760a93f23e9fe42

Download Submit