Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
- submitted: 20-08-2024 12:04
Static task
- static1
Behavioral tasks
- behavioral1: Sample openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip, Resource win7-20240705-en
- behavioral2: Sample openh264-win64-31c4d2e4a037526fd30d4e5c39f60885986cf865.zip, Resource win10v2004-20240802-en
- behavioral3: Sample gmpopenh264.dll, Resource win7-20240704-en
- behavioral4: Sample gmpopenh264.dll, Resource win10v2004-20240802-en
- behavioral5: Sample gmpopenh264.info, Resource win7-20240729-en
- behavioral6: Sample gmpopenh264.info, Resource win10v2004-20240802-en
General
- Target: gmpopenh264.info
- Size: 116B
- MD5: 2a461e9eb87fd1955cea740a3444ee7a
- SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
- SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
- SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: AcroRd32.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\info_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\info_auto_file | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\info_auto_file\ | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.info | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\info_auto_file\shell\Read | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\info_auto_file\shell\Read\command | rundll32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.info\ = "info_auto_file" | rundll32.exe
    Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\info_auto_file\shell | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
    pid | process
    2596 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
    pid | process
    2596 | AcroRd32.exe
    2596 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
    description | pid | process | target process
    PID 2412 wrote to memory of 2216 | 2412 | cmd.exe | rundll32.exe
    PID 2412 wrote to memory of 2216 | 2412 | cmd.exe | rundll32.exe
    PID 2412 wrote to memory of 2216 | 2412 | cmd.exe | rundll32.exe
    PID 2216 wrote to memory of 2596 | 2216 | rundll32.exe | AcroRd32.exe
    PID 2216 wrote to memory of 2596 | 2216 | rundll32.exe | AcroRd32.exe
    PID 2216 wrote to memory of 2596 | 2216 | rundll32.exe | AcroRd32.exe
    PID 2216 wrote to memory of 2596 | 2216 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe (PID 2412)
  cmd /c C:\Users\Admin\AppData\Local\Temp\gmpopenh264.info
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2216)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\gmpopenh264.info
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2596)
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\gmpopenh264.info"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
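Reading the chain above: `cmd /c <file>` hands the file to the shell, and `rundll32 shell32.dll,OpenAs_RunDLL <file>` is the shell's "Open With" dialog, which Windows shows when the extension has no registered handler. The `.info` -> `info_auto_file` -> `shell\Read\command` keys written by rundll32.exe are what that dialog records once a viewer is picked, so the AcroRd32.exe signatures describe the viewer chosen in the sandbox, not the 116-byte gmpopenh264.info unpacked from the openh264-win64 zip. The script below is an added example, not part of the sandbox report or its tooling: it parses the WriteProcessMemory rows and the registry-class rows (copied here as constructed sample input), rebuilds the parent/child chain, flags the Open With fallback, and resolves the handler the new association points at. Function names (`parse_write_events`, `build_chain`, `classify_chain`, `parse_file_association`, `resolve_handler`, `summarize`) are the example's own.

```python
"""Reconstruct a sandbox detonation chain from report rows (added example, not the report's own tooling)."""
import re

# Constructed sample input: the WriteProcessMemory rows as they appear in the report above.
WRITE_EVENTS = """
PID 2412 wrote to memory of 2216 2412 cmd.exe rundll32.exe
PID 2412 wrote to memory of 2216 2412 cmd.exe rundll32.exe
PID 2412 wrote to memory of 2216 2412 cmd.exe rundll32.exe
PID 2216 wrote to memory of 2596 2216 rundll32.exe AcroRd32.exe
PID 2216 wrote to memory of 2596 2216 rundll32.exe AcroRd32.exe
PID 2216 wrote to memory of 2596 2216 rundll32.exe AcroRd32.exe
PID 2216 wrote to memory of 2596 2216 rundll32.exe AcroRd32.exe
"""

# Command lines from the process tree, keyed by the PIDs the WriteProcessMemory rows assign them.
COMMAND_LINES = {
    2412: r"cmd /c C:\Users\Admin\AppData\Local\Temp\gmpopenh264.info",
    2216: r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\gmpopenh264.info',
    2596: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\gmpopenh264.info"',
}

# Constructed sample input: three rows from the "Modifies registry class" signature (one is a bare key creation).
REGISTRY_EVENTS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\info_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.info rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.info\ = "info_auto_file" rundll32.exe
'''

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
REG_SET_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')
OPEN_WITH_RE = re.compile(r"shell32\.dll,\s*OpenAs_RunDLL", re.IGNORECASE)


def parse_write_events(text):
    """Map child PID -> (parent PID, parent image, child image), collapsing the repeated rows."""
    parents = {}
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            writer, target, _pid, writer_image, target_image = m.groups()
            parents[int(target)] = (int(writer), writer_image, target_image)
    return parents


def build_chain(parents, leaf_pid):
    """Walk parent links from a leaf PID back to the root; return the chain root-first."""
    chain, seen = [leaf_pid], {leaf_pid}
    while chain[-1] in parents:
        parent = parents[chain[-1]][0]
        if parent in seen:  # guard against a malformed (cyclic) report
            break
        chain.append(parent)
        seen.add(parent)
    return list(reversed(chain))


def classify_chain(chain, command_lines):
    """'open-with-fallback' when any process in the chain is the shell's Open With dialog helper."""
    for pid in chain:
        if OPEN_WITH_RE.search(command_lines.get(pid, "")):
            return "open-with-fallback"
    return "direct-execution"


def _unescape(value):
    # The report escapes quotes and backslashes inside string values as \" and \\.
    return re.sub(r"\\(.)", r"\1", value)


def parse_file_association(text):
    """Collect extension -> ProgID and (ProgID, verb) -> command writes under the user's Classes key."""
    extensions, commands = {}, {}
    for line in text.strip().splitlines():
        m = REG_SET_RE.match(line.strip())
        if not m:
            continue  # "Key created" rows carry no value
        key, raw_value, _writer = m.groups()
        rel = re.split(r"_classes\\", key, maxsplit=1, flags=re.IGNORECASE)[-1].rstrip("\\")
        parts = rel.split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            extensions[parts[0]] = _unescape(raw_value)
        elif len(parts) == 4 and parts[1].lower() == "shell" and parts[3].lower() == "command":
            commands[(parts[0], parts[2])] = _unescape(raw_value)
    return extensions, commands


def resolve_handler(extensions, commands, ext, verb="Read"):
    """Return the command the shell would run for `ext` via `verb`, or None if nothing is registered."""
    progid = extensions.get(ext)
    return commands.get((progid, verb)) if progid else None


def summarize(write_text=WRITE_EVENTS, command_lines=COMMAND_LINES, reg_text=REGISTRY_EVENTS):
    """Tie the pieces together: chain, verdict on how the sample was launched, and the new handler."""
    parents = parse_write_events(write_text)
    parent_pids = {p for p, _, _ in parents.values()}
    leaf = next(pid for pid in parents if pid not in parent_pids)
    chain = build_chain(parents, leaf)
    extensions, commands = parse_file_association(reg_text)
    return {
        "chain": chain,
        "verdict": classify_chain(chain, command_lines),
        "handler_for_.info": resolve_handler(extensions, commands, ".info"),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

A verdict of `open-with-fallback` is the cue to discount the child process's signatures (here the language-key read, window hooks and foreground-window polling all come from AcroRd32.exe) and to look at the sample's own static properties and the other behavioral tasks instead.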
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 9b899e5180012fa22c751f28f009f89e
  SHA1: b79e81d9b3e0ee8e8b2357d245a0a344914cf652
  SHA256: 0af79f70f201720084cd3b1c4e599ca40be51931ad93722be7701592ab780d44
  SHA512: 1bb45535536fc21d8cc9be034c108ac827b427f9224927da577ccefca097e89599d48022b141fb7f4ae2e6713e46b5a7589ea1ebf26ba617459ac823273b34aa