92e9e6765bf36034b5eba64e2609a4f53cbb4d8e234d06286504167a1ed39c62

Resubmissions

18/08/2024, 12:39

240818-pv2btstdrc 8

18/08/2024, 12:38

240818-pt66patdph 8

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resources/luascripts/animations/jumpland.lua
Size

212B
MD5

e1bca62c7303c6cab7fd74aedf693eff
SHA1

55c3f436ecb9798a8b1e1dd7e1d674c1ce9bf949
SHA256

18722b1d3a7c36937ba964ecfcb39da4f32edb07bbc2800a6b6b168fcda628c4
SHA512

d8957912c84ff30068915559b619e6e294af5c9595102517b2dd18bdf6794b6ca213344151258a90d550b4317d5e711e6807d8b1201ca9468f0bd3e729b4bd5f

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\lua_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.lua	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\lua_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\lua_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.lua\ = "lua_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\lua_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\lua_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
936	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
936	AcroRd32.exe
936	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2440	3064	cmd.exe	29
PID 3064 wrote to memory of 2440	3064	cmd.exe	29
PID 3064 wrote to memory of 2440	3064	cmd.exe	29
PID 2440 wrote to memory of 936	2440	rundll32.exe	32
PID 2440 wrote to memory of 936	2440	rundll32.exe	32
PID 2440 wrote to memory of 936	2440	rundll32.exe	32
PID 2440 wrote to memory of 936	2440	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\resources\luascripts\animations\jumpland.lua
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\luascripts\animations\jumpland.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\luascripts\animations\jumpland.lua"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
89552a022eecc0636a33f4af7e6f5ee2

SHA1
5fb3f2598a0e80ff62f3ef48cc590f03d05cbd30

SHA256
555d95ada8a354ce0349c1d18fb18accc177300f9c7775d6b58d606762dc256e

SHA512
6a166864ce2a99449697d53e7dc82efe29dc18f0dd92fcbd25f0e4f5d2b5a033c0739b5f216c45cacda8c1d02f19341a1302b5ebd0b7a962d6b4cbdc7111230c

Download Submit