Resubmissions

22-08-2024 19:09

240822-xtvrnashnb 10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-08-2024 19:09

General

  • Target

    v2/Settings.json

  • Size

    42B

  • MD5

    63d1cd599718645e402eafd28a7ada9f

  • SHA1

    d0099003d975cb8b81f74c7db9b6842d70691d2f

  • SHA256

    fc429ae28488b9238a34c3af7a3c5e6c9653d3fab13f9cd2f520ae57741136bf

  • SHA512

    1815bacb781516a91b1a46c85f752a836c3906efc15a46bbc355c34640d3905904a2da3e72f657249dd893c0e28de710c0942c0048773584c61c54ed2b327c21

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\v2\Settings.json
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\v2\Settings.json
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\v2\Settings.json"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:324

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    dcd74793da938e1e592e90944ece2c37

    SHA1

    f9993119e5334629c13d6e199aa59cbee5df6810

    SHA256

    c80409a171df9a7fb0aa6210c54d84ddbcd4786d96092fe0ff4e2f57b5781438

    SHA512

    f242b95144f2c12d321b2554b86b6a524ff170b1209be7cbbcb1bd769cac9b7fe070b2fd09069eb95a336220b9c3a0dd70baa9af1261ec02316aabb933981c91