2a317c4fb8de70541b1daa06fa60e10fa8cc9d725497d003c7351c831dfdcb49

General

Target

18563261918.zip
Size

399KB
MD5

9bb6625f3305f5ac74c9186f9cb1afd0
SHA1

1a522430fc9b6f69330472c5c238803b8ae5c4b4
SHA256

2a317c4fb8de70541b1daa06fa60e10fa8cc9d725497d003c7351c831dfdcb49
SHA512

7377c3edfa6bf0c7f16667da74a9fa522467ac57edc05aabbe60b60eb2b7d953b6cc086c561fa23f19d058c0d1cd189b17499d6ee11ee879ab6407f3f871ff0f
SSDEEP

6144:ddMxFSStbjgIfilXuv6YEHnHIEDb29kJL+QNKjgJ4PuNZHABPxNBuQL6:dyPMRzNno429k5jK/PoZABPEQL6

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\AFFWallpaper = "C:\\ProgramData\\FFWallpaperCore\\SFFWallpaperCore.exe FFWallpaper"	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\AFFWallpaper = "C:\\ProgramData\\FFWallpaperCore\\SFFWallpaperCore.exe FFWallpaper"	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\AFFWallpaper = "C:\\ProgramData\\FFWallpaperCore\\SFFWallpaperCore.exe FFWallpaper"	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1740	schtasks.exe
2344	schtasks.exe
792	schtasks.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1172	AcroRd32.exe
1172	AcroRd32.exe
1172	AcroRd32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2532	2324	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	57
PID 2324 wrote to memory of 2532	2324	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	57
PID 2324 wrote to memory of 2532	2324	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	57
PID 2324 wrote to memory of 2532	2324	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	57
PID 2532 wrote to memory of 792	2532	cmd.exe	59
PID 2532 wrote to memory of 792	2532	cmd.exe	59
PID 2532 wrote to memory of 792	2532	cmd.exe	59
PID 2532 wrote to memory of 792	2532	cmd.exe	59
PID 2060 wrote to memory of 2696	2060	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	61
PID 2060 wrote to memory of 2696	2060	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	61
PID 2060 wrote to memory of 2696	2060	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	61
PID 2060 wrote to memory of 2696	2060	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	61
PID 2696 wrote to memory of 1740	2696	cmd.exe	63
PID 2696 wrote to memory of 1740	2696	cmd.exe	63
PID 2696 wrote to memory of 1740	2696	cmd.exe	63
PID 2696 wrote to memory of 1740	2696	cmd.exe	63
PID 1968 wrote to memory of 2884	1968	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	65
PID 1968 wrote to memory of 2884	1968	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	65
PID 1968 wrote to memory of 2884	1968	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	65
PID 1968 wrote to memory of 2884	1968	Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif	65
PID 2884 wrote to memory of 2344	2884	cmd.exe	67
PID 2884 wrote to memory of 2344	2884	cmd.exe	67
PID 2884 wrote to memory of 2344	2884	cmd.exe	67
PID 2884 wrote to memory of 2344	2884	cmd.exe	67

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\18563261918.zip
1⤵
PID:2692

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1248

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:792

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 2\Annex 2 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024) - Copy.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
"C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif"
1⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
"C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif"
1⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
"C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif"
1⤵
PID:2352

C:\Users\Admin\Documents\18563261918\1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
"C:\Users\Admin\Documents\18563261918\1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- \??\c:\windows\SysWOW64\cmd.exe
  /C schtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR "C:\ProgramData\FFWallpaperCore\SFFWallpaperCore.exe FFWallpaper"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR "C:\ProgramData\FFWallpaperCore\SFFWallpaperCore.exe FFWallpaper"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:792

C:\Users\Admin\Documents\18563261918\1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
"C:\Users\Admin\Documents\18563261918\1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- \??\c:\windows\SysWOW64\cmd.exe
  /C schtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR "C:\ProgramData\FFWallpaperCore\SFFWallpaperCore.exe FFWallpaper"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR "C:\ProgramData\FFWallpaperCore\SFFWallpaperCore.exe FFWallpaper"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1740

C:\Users\Admin\Documents\18563261918\1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
"C:\Users\Admin\Documents\18563261918\1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- \??\c:\windows\SysWOW64\cmd.exe
  /C schtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR "C:\ProgramData\FFWallpaperCore\SFFWallpaperCore.exe FFWallpaper"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /F /Create /TN FFWallpaperEmbCore /SC minute /MO 6 /TR "C:\ProgramData\FFWallpaperCore\SFFWallpaperCore.exe FFWallpaper"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2344

C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
"C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif"
1⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif
"C:\Users\Admin\AppData\Local\Temp\Temp1_1387ec22a3391647e25d2cb722cd89e255d3ebfe586cf5f699eae22c6e008c34.zip\IISS Prague Defence Summit 2024\Annex 1\Annex 1 - IISS PRAGUE DEFENCE SUMMIT (8 GÇô 10 November 2024).pif"
1⤵
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FFWallpaperCore\SFFWallpaperCore.exe

Filesize
158KB

MD5
4444dafccc0f58cd782dc125bca2c966

SHA1
2a2c0c5d30b01398902732dba24693d33eecbdf2

SHA256
057fd248e0219dd31e1044afb7bc77c5f30a7315e136adfcca55ce1593d6cf5d

SHA512
9ec481119ab05104a3057bd2816faa7afff59a89e839b177fda6fb59b42c2872c1a438dca3f2a89753da880857c7c555f72718bbea6bb57e04a6c1d945d9c1c2

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8114dba1e6e95b0e9c3835c6a132d03c

SHA1
6ef8c598f7b587354ab26c59b148892b0758d8c8

SHA256
a79fa7a6c9413c7bebd9d8cfe46d893567bcf6fad5d896e96c4ce1be56795c6f

SHA512
d5a85de5da4d55cee4c0c7581c4433b9e8e60dcad16933280ae6f025b4261cd0726cd44ff9920caf5bd5e30dd078739fc300c585f9c7c524bd0d7bed73d9ff32

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads