30b3e55bedb634e4ce48457ceb9f32a7931b390fbf9f1734f4f3c2fee012fb4d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bb22c5bea15b4e227953baf1589e9380c033b507db80788ec0a9bded32e61ba.sh
Size

775B
MD5

24b3bc4c2ce5df7320de7af5143a9b89
SHA1

9ad737e10c3824a6b1090ef0071a0ae37cc678d9
SHA256

4bb22c5bea15b4e227953baf1589e9380c033b507db80788ec0a9bded32e61ba
SHA512

8aa9c65585e484db71a385d0754d77068f0a8fada68e8971e9bfeda8298d8b8e1de084acec975cc567855fc4126518c2d444e1ba96b6a0cb062dd53f6282ee66

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.sh	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sh_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sh_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2660	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2660	AcroRd32.exe
2660	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2940	1792	cmd.exe	31
PID 1792 wrote to memory of 2940	1792	cmd.exe	31
PID 1792 wrote to memory of 2940	1792	cmd.exe	31
PID 2940 wrote to memory of 2660	2940	rundll32.exe	32
PID 2940 wrote to memory of 2660	2940	rundll32.exe	32
PID 2940 wrote to memory of 2660	2940	rundll32.exe	32
PID 2940 wrote to memory of 2660	2940	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\4bb22c5bea15b4e227953baf1589e9380c033b507db80788ec0a9bded32e61ba.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\4bb22c5bea15b4e227953baf1589e9380c033b507db80788ec0a9bded32e61ba.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4bb22c5bea15b4e227953baf1589e9380c033b507db80788ec0a9bded32e61ba.sh"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9d2426f43c3d318e1520f2d95c68605f

SHA1
2c6abd7d3407d94ce1a8b415b68b79c8387e82df

SHA256
ef68c202862d4bb353260b5562432e7be9ed79332c4ad4c0c9a0822ff33669a4

SHA512
ec088a48125e7bd1551bea4e8ca9d109cc28d88c724473fab94c169597d8572f63c4be410a9d1a28ec9359be46376ff5ae2c859cea52555ba3c88a8ef4e0645a

Download Submit