e78fa115af5a8cfa8e327fa2e7f26d30ae4f83987ca6fc49aad0ba9b5de293bd

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02.08.2022129.sh
Size

206KB
MD5

1e4f314f495692968a7b7d9dd2d804ce
SHA1

7912e389cf40fbcbc3b1eb149a1bb74951a2a46e
SHA256

e78fa115af5a8cfa8e327fa2e7f26d30ae4f83987ca6fc49aad0ba9b5de293bd
SHA512

4686aae22e21333bd53b89e019bc6ea99366a4d907455724379ffb4d3378ba41dbb1e02a7a1497ad53507757c70950921f37bc2b02d53276eb20fbd8aacfaa67
SSDEEP

6144:oM7lXZqkcOi0v4zKuHwn1dmnQmjNtRasBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBO:og1dbiq4GnbmnnfRE

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\sh_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.sh	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3004	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3004	AcroRd32.exe
3004	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 2832	668	cmd.exe	31
PID 668 wrote to memory of 2832	668	cmd.exe	31
PID 668 wrote to memory of 2832	668	cmd.exe	31
PID 2832 wrote to memory of 3004	2832	rundll32.exe	32
PID 2832 wrote to memory of 3004	2832	rundll32.exe	32
PID 2832 wrote to memory of 3004	2832	rundll32.exe	32
PID 2832 wrote to memory of 3004	2832	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\02.08.2022129.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\02.08.2022129.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\02.08.2022129.sh"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
814c9fac9bd376c07c70952518aea300

SHA1
27b507fb4038196e1368441a5eba800cce7aed90

SHA256
51f2f9858e0052595c247e040b33db6d1333d08d2ddb633460b297b40f3d59eb

SHA512
1ff2015edd1b33bb4cdd2443b1f60c42621e784f7d422a99dcd52f265d29c9cacc14d7bb3cea68ba873d6748730b40a6688f71d0eec1d0f92dd1e8294f99209b

Download Submit