249bdaa4332b3e1a3a2148d4fd587a42bd48615af556d1c72da51c55bb2ca697

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chrome_200_percent.pak
Size

202KB
MD5

7d4f330a5443eadf32e041c63e7e70ad
SHA1

26ce6fb98c0f28f508d7b88cf94a442b81e80c88
SHA256

b8704be578e7396ee3f2188d0c87d0ede5c5702e9bb8c841b5f8d458abf1356d
SHA512

f1b9b0dd7396863aa0feca06175b7f9ea0be4122351ecf0a0549ee4c34f85ac8c63cc927d7409a40b6e19fa91d2cb00a145616ba19f47045b2345bfbc2d4802d
SSDEEP

6144:TDQYaF+9b7zA4m0k5GMRejnbdZnVE6Yopym74:gfs7T6edhVELo374

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pak\ = "pak_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.pak	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\pak_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2664 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2664 AcroRd32.exe
2664 AcroRd32.exe

pid	process
2664	AcroRd32.exe

pid	process
2664	AcroRd32.exe
2664	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2288 wrote to memory of 2080	2288	cmd.exe	rundll32.exe
PID 2288 wrote to memory of 2080	2288	cmd.exe	rundll32.exe
PID 2288 wrote to memory of 2080	2288	cmd.exe	rundll32.exe
PID 2080 wrote to memory of 2664	2080	rundll32.exe	AcroRd32.exe
PID 2080 wrote to memory of 2664	2080	rundll32.exe	AcroRd32.exe
PID 2080 wrote to memory of 2664	2080	rundll32.exe	AcroRd32.exe
PID 2080 wrote to memory of 2664	2080	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak
1⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_200_percent.pak"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4cf3a658abdde53475726a82818dc06f

SHA1
52876623c52694c8a7e985692a7ecd742a150a66

SHA256
db541547384c1b5747d9e0eb378054208df4c8ac168b982345037d7aa21ffae1

SHA512
756a993be784f582503897d1a056711b6f744df492cfba30741eae8793297b28632cb3d27aff914d6a387779440488b7c93fe9d9074763267527d8bc7cf27e48

Download Submit