Analysis

  • max time kernel
    118s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-08-2024 21:09

General

  • Target

    bin/models/PhantomForces_Hamsta_v1.onnx

  • Size

    11.7MB

  • MD5

    50a0d0e8bed0f084ee46a154df442be1

  • SHA1

    6de46f518bfc1e512797287e9d1bf4d2cdfe0497

  • SHA256

    b25e0c6dbe87475837bb0f85a40cc7ab98ea40cd0b7486f53f3fede6ff405238

  • SHA512

    63be031e8949857c96a1fc396d4d471c9b5090e9051b3a724248f0c7725c7fb2f1988116f1b298548d28b2a5458de6eeb1300efbd4dc23521a7af4d46dc4ec8f

  • SSDEEP

    196608:3aqBE21+hlJP3/0l3/zKY4BMbvCb1hAeF5qT74midcpxnDx95isYIgp/7M7ItWoy:33b1qT/0F4BZfhad/JE1cUWQcmF5fmB1

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\bin\models\PhantomForces_Hamsta_v1.onnx
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bin\models\PhantomForces_Hamsta_v1.onnx
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bin\models\PhantomForces_Hamsta_v1.onnx"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    1e09e1d2e18437c4da4c080b54e0f967

    SHA1

    2ea04b35ef41e2db80c14bfa8c80981cadb1a45c

    SHA256

    a7190d8632a740c7e7ffc23a2877346d8cdf3dca4ddec2f2e7e63627f7fe1ec3

    SHA512

    2ae0b76968910dce761ed4b6892004d87acea7dd4e28b54f455553af7785a6e6efdb199a8b2af68d383caba89a665abc26818c5c3ce5e72f98c4ccb9bd1930b1