Overview
overview
10Static
static
10R B X 1 2 5.rar
windows7-x64
5R B X 1 2 5.rar
windows10-2004-x64
3R B X 1 2 ...nt.exe
windows7-x64
1R B X 1 2 ...nt.exe
windows10-2004-x64
3R B X 1 2 ...or.exe
windows7-x64
7R B X 1 2 ...or.exe
windows10-2004-x64
10R B X 1 2 5/ai.cfg
windows7-x64
3R B X 1 2 5/ai.cfg
windows10-2004-x64
3R B X 1 2 ...rt.pem
windows7-x64
3R B X 1 2 ...rt.pem
windows10-2004-x64
3R B X 1 2 ...ig.vdf
windows7-x64
3R B X 1 2 ...ig.vdf
windows10-2004-x64
3Analysis
-
max time kernel
103s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-08-2024 11:22
Behavioral task
behavioral1
Sample
R B X 1 2 5.rar
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
R B X 1 2 5.rar
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
R B X 1 2 5/Client.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
R B X 1 2 5/Client.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
R B X 1 2 5/Roblox Executor.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
R B X 1 2 5/Roblox Executor.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
R B X 1 2 5/ai.cfg
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
R B X 1 2 5/ai.cfg
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
R B X 1 2 5/cacert.pem
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
R B X 1 2 5/cacert.pem
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
R B X 1 2 5/config.vdf
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
R B X 1 2 5/config.vdf
Resource
win10v2004-20240802-en
General
-
Target
R B X 1 2 5/ai.cfg
-
Size
44B
-
MD5
73ed0e22c8cc70ed93dfd0c1b8f81e19
-
SHA1
f16c87ca3eb393ee34f57fb59781cd37f5963db0
-
SHA256
db9ec7ae21d140904d44d6e6550c0c964e32ef11c055696b355835905c9c3a53
-
SHA512
3dbe1fd660c7446c4a70c99cf6bf7909c76cd02ca24930bdeee851da094850b2fd6f6742025d215ce7dbf3348225c0b64d28e3f1ba133bdd9c7beece84d7e54f
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\cfg_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\cfg_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\cfg_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\cfg_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\cfg_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.cfg rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.cfg\ = "cfg_auto_file" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2900 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2900 AcroRd32.exe 2900 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2432 wrote to memory of 2268 2432 cmd.exe 30 PID 2432 wrote to memory of 2268 2432 cmd.exe 30 PID 2432 wrote to memory of 2268 2432 cmd.exe 30 PID 2268 wrote to memory of 2900 2268 rundll32.exe 31 PID 2268 wrote to memory of 2900 2268 rundll32.exe 31 PID 2268 wrote to memory of 2900 2268 rundll32.exe 31 PID 2268 wrote to memory of 2900 2268 rundll32.exe 31
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\R B X 1 2 5\ai.cfg"1⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\R B X 1 2 5\ai.cfg2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\R B X 1 2 5\ai.cfg"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2900
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD55179788986734b528b95f312018caf69
SHA145cdc60a2a9920358b5220e0c9fd1baf3d15dd3f
SHA2561804ab8fef6cfdd3ae7521faa3252cdbe4ad88774aa1de047eed713a1a6a8f86
SHA512a2ce8edba49ea35f3c04876dbacec6d5b38b7f449f373e204f399ae89632a87dbffe87c5d1632331cfe0eb0e8513bf9fbca78cd267029d7b8639858d14394f0c