ea3c62424756f7a053d8b3167415b10fa6bba9600110cfbd73c4c557491263fa

Analysis

max time kernel
1565s
max time network
1568s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stockfish-15.1_Windows_32bit/source/.git/hooks/post-update.sample
Size

189B
MD5

2b7ea5cee3c49ff53d41e00785eb974c
SHA1

b614c2f63da7dca9f1db2e7ade61ef30448fc96c
SHA256

81765af2daef323061dcbc5e61fc16481cb74b3bac9ad8a174b186523586f6c5
SHA512

473ad124642571656276bf83b9ff63ab1804d3c23a5bdae52391c6f70a894849ac60c10c9d31deff3938922ce83b68b1e60c11592bbf7ea503f4acd39968cefa

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sample_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sample\ = "sample_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sample_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sample_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sample_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sample	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sample_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sample_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2748 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2748 AcroRd32.exe
2748 AcroRd32.exe

pid	process
2748	AcroRd32.exe

pid	process
2748	AcroRd32.exe
2748	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2540 wrote to memory of 2756	2540	cmd.exe	rundll32.exe
PID 2540 wrote to memory of 2756	2540	cmd.exe	rundll32.exe
PID 2540 wrote to memory of 2756	2540	cmd.exe	rundll32.exe
PID 2756 wrote to memory of 2748	2756	rundll32.exe	AcroRd32.exe
PID 2756 wrote to memory of 2748	2756	rundll32.exe	AcroRd32.exe
PID 2756 wrote to memory of 2748	2756	rundll32.exe	AcroRd32.exe
PID 2756 wrote to memory of 2748	2756	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Stockfish-15.1_Windows_32bit\source\.git\hooks\post-update.sample
1⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Stockfish-15.1_Windows_32bit\source\.git\hooks\post-update.sample
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Stockfish-15.1_Windows_32bit\source\.git\hooks\post-update.sample"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2748

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
9233190d9a640549899306c49838ad38

SHA1
cd12dd83a864db054990f3c6d4962a3393802654

SHA256
acf30aaf472beff6298f4bc37e332e2b5550f56329c6c1e6adbc4d2a6e2e0236

SHA512
b22e51e0cf8fbbca56edfdcb8473be59b50dacd89e843bcea2ea777fc5037308b5bf0861f012427ed0e583b4cb665e5e509e40e7e4aee96a35323c67eb38b8ff

Download Submit