879ac6040a24da9f567e37c6cbcd714602aa9ed9485d0f9cae2f9da540827559

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

archtemp.tar
Size

704KB
MD5

fae19e1186005e06bd7faa10acbad993
SHA1

81f15376dcf3003336238dd7c05eaf00e50b2d91
SHA256

5df7b704b862f1671b1b32566396304ff165ef4717e372732c7a2d65571db1e7
SHA512

6e7bf5192bd70b3e748d1e5d74ea899932d687ebb3452967b212b3621344d59ae2b94f371d8ffedc5f9da091b59de74daaf62060f7a3221966aeea2d1b40edaf
SSDEEP

12288:ElzYaJquo4pAqSy676pYtfGB2uU92XuxVOMroVBWDAwjRtPbnWoJLbQ6wtm1bC0X:ElzYaJ3kuKQxL+XDoV4pttPbnWoJLbQR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	AcroRd32.exe
2724	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2888	3024	cmd.exe	31
PID 3024 wrote to memory of 2888	3024	cmd.exe	31
PID 3024 wrote to memory of 2888	3024	cmd.exe	31
PID 2888 wrote to memory of 2844	2888	rundll32.exe	32
PID 2888 wrote to memory of 2844	2888	rundll32.exe	32
PID 2888 wrote to memory of 2844	2888	rundll32.exe	32
PID 2844 wrote to memory of 2724	2844	rundll32.exe	35
PID 2844 wrote to memory of 2724	2844	rundll32.exe	35
PID 2844 wrote to memory of 2724	2844	rundll32.exe	35
PID 2844 wrote to memory of 2724	2844	rundll32.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\archtemp.tar
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\archtemp.tar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\archtemp.tar
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\archtemp.tar"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
64ef9a7d8e8f5a8733d597af8333a11f

SHA1
70f3d8d2fa524c717f8f29e69b6c8bd67a271796

SHA256
785037b6557a44158e0eab254f90ef2cfc327a14a9cf6ebf5ae91d5b9cf21015

SHA512
8a3a582c4426589026a2739c1715cc004491ae30dd8872d1c9e8a055e6c7acb04cf4a694f6bff0978821f30bbe58fe20cbb88364f81233f419b21e1a6a04a9f5

Download Submit