6a15c07382b7dbd5ab4cef6ab9e280c3d0cdf57dc6c3cd26b65e0343a9dcbdd3

Resubmissions

16-08-2024 20:36

240816-zdtwjawakc 3

16-08-2024 20:31

240816-za2rzayfml 7

16-08-2024 19:15

240816-xybjkssakc 3

Analysis

max time kernel
103s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

package.json
Size

502B
MD5

6fae43b43119fb1a90d0d939ff2fd417
SHA1

26d54286ae79af1fa37f6993f57ecc979c9ed8c1
SHA256

4c657641b9a51982e2affbc26c43f57e8bf4e8fc07a962712dbc9d5caa883f56
SHA512

2576e8b7a6023a2c0f8257003139115bd2f08e9ac8804e9c40a1ef920cbe1befd222619494e6402e9942e5e830e46331ef9953aa3c426c6d787eacd8aeed2e91

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2916 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2916 AcroRd32.exe
2916 AcroRd32.exe

pid	process
2916	AcroRd32.exe

pid	process
2916	AcroRd32.exe
2916	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 3036 wrote to memory of 2832	3036	cmd.exe	rundll32.exe
PID 3036 wrote to memory of 2832	3036	cmd.exe	rundll32.exe
PID 3036 wrote to memory of 2832	3036	cmd.exe	rundll32.exe
PID 2832 wrote to memory of 2916	2832	rundll32.exe	AcroRd32.exe
PID 2832 wrote to memory of 2916	2832	rundll32.exe	AcroRd32.exe
PID 2832 wrote to memory of 2916	2832	rundll32.exe	AcroRd32.exe
PID 2832 wrote to memory of 2916	2832	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\package.json
1⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\package.json
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\package.json"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2916

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
ed77368f5aa97eb7e71b3d32b76f27ff

SHA1
20eb49a37d6b85372c44f5c08e1bf6e3094b50a4

SHA256
512568c6df75504c66c480324c33d655d607025c6d0974bf520e19ee9e05e9d1

SHA512
c84714134c734cd2de712408d77e4305c67ebf405a2ba39e9b21295ef32a2e9d3eb3f253736647de53c05c911e64f660dd73689454dfb5ea856b8803cb3f7d87

Download Submit