9848432a2fdebd3205182e5ac33393204a3bbce0a1cdc7bcbdcbf4e32a0ae246

Analysis

max time kernel
104s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F1 2022 (Mobile) RP/blends/MinecraftF1_postbake.blend1
Size

3.7MB
MD5

3351c74bf8d7688b399c99cc9ee1093e
SHA1

ea371f144598ca725257c2ca9e8bc3b2aa5f0dbd
SHA256

ecef3a3efea9c5483024fd27b54f530931a3ef3034111e6a94916afd4e8af9c9
SHA512

45a422a177b45ad1da0454bcfca7a13549a066538ca9c00be8581542402b6272cb7fffc36dad07f3216ef225d418db90ce912d7c54f3d4a9e25a7a8801040cd6
SSDEEP

98304:a7uGkCzTVaxqW89Q/kE/OmeqQX57o4o1IG/9msWFI7LHiq2yulTG:a7GkEfz1IGLiq2yulTG

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.blend1	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.blend1\ = "blend1_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\blend1_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\blend1_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\blend1_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\blend1_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\blend1_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\blend1_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2816	AcroRd32.exe
2816	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1044	1072	cmd.exe	30
PID 1072 wrote to memory of 1044	1072	cmd.exe	30
PID 1072 wrote to memory of 1044	1072	cmd.exe	30
PID 1044 wrote to memory of 2816	1044	rundll32.exe	31
PID 1044 wrote to memory of 2816	1044	rundll32.exe	31
PID 1044 wrote to memory of 2816	1044	rundll32.exe	31
PID 1044 wrote to memory of 2816	1044	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\F1 2022 (Mobile) RP\blends\MinecraftF1_postbake.blend1"
1⤵
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\F1 2022 (Mobile) RP\blends\MinecraftF1_postbake.blend1
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\F1 2022 (Mobile) RP\blends\MinecraftF1_postbake.blend1"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
13bdc8b39b562e78c6ea63bdb2531247

SHA1
32d0ef3d1b33947d638096ce8a9a1a465207a21b

SHA256
e5e5024331869b4e11f5d47c5ac77612adedbc31cc8ac804419373530481fce6

SHA512
7322f2231345f9a423ad02829b75bbf7533caed5b5311fab344bb455d8f828f3c8221979ce7704e5cc0bc0574cda04457481e133f4b9729f153732b7bb188624

Download Submit