879ac6040a24da9f567e37c6cbcd714602aa9ed9485d0f9cae2f9da540827559

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33bc4291f7f7d09438b54d2d209cae78/asset.meta
Size

172B
MD5

076a9c4b92d5db1cee61fe4f0f360a94
SHA1

7ffc35bf405249d07602a8f85c76822ad9c70731
SHA256

b9d6763414a2c325158468c7cfe4fd9423272f0e5cc3b47db17cd0adda1dc174
SHA512

d39a0a40847a60e9a1588bb3fbac159004bece47c23ed1f040dd89d0b74f472367c27b4b77c973890ccfd212fc3e790ca628d44e16bae5530a2930e50d253355

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\meta_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\meta_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.meta	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.meta\ = "meta_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\meta_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\meta_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\meta_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\meta_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	AcroRd32.exe
2740	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1800	1620	cmd.exe	31
PID 1620 wrote to memory of 1800	1620	cmd.exe	31
PID 1620 wrote to memory of 1800	1620	cmd.exe	31
PID 1800 wrote to memory of 2740	1800	rundll32.exe	33
PID 1800 wrote to memory of 2740	1800	rundll32.exe	33
PID 1800 wrote to memory of 2740	1800	rundll32.exe	33
PID 1800 wrote to memory of 2740	1800	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\33bc4291f7f7d09438b54d2d209cae78\asset.meta
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\33bc4291f7f7d09438b54d2d209cae78\asset.meta
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\33bc4291f7f7d09438b54d2d209cae78\asset.meta"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9eed7857877808efa733366771ae326b

SHA1
44b847a9b0036d1434d082d6e7a53548e1de2b2d

SHA256
420ba1e584a137484706d694618adc43908974c37debaf5df601034817f9ff9e

SHA512
20bd06c9619d8701284220808b540f818cda34ff2fa43b35b0bdf8532a72291163eb37d3449297ac7f98892024e8184d9f9cd630c14600461fccd4d35596f1a8

Download Submit