Overview
overview
3Static
static
3Avatar PSN...s.json
windows7-x64
3Avatar PSN...s.json
windows10-2004-x64
3Avatar PSN Tools.exe
windows7-x64
1Avatar PSN Tools.exe
windows10-2004-x64
1Avatar PSN Tools.exe
windows7-x64
3Avatar PSN Tools.exe
windows10-2004-x64
1Avatar PSN Tools.pdb
windows7-x64
3Avatar PSN Tools.pdb
windows10-2004-x64
3Avatar PSN...v.json
windows7-x64
3Avatar PSN...v.json
windows10-2004-x64
3Avatar PSN...g.json
windows7-x64
3Avatar PSN...g.json
windows10-2004-x64
3Newtonsoft.Json.dll
windows7-x64
1Newtonsoft.Json.dll
windows10-2004-x64
1ref/Avatar...ls.exe
windows7-x64
1ref/Avatar...ls.exe
windows10-2004-x64
1Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
29-08-2024 23:41
Static task
static1
Behavioral task
behavioral1
Sample
Avatar PSN Tools.deps.json
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Avatar PSN Tools.deps.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Avatar PSN Tools.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Avatar PSN Tools.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Avatar PSN Tools.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
Avatar PSN Tools.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
Avatar PSN Tools.pdb
Resource
win7-20240705-en
Behavioral task
behavioral8
Sample
Avatar PSN Tools.pdb
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
Avatar PSN Tools.runtimeconfig.dev.json
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
Avatar PSN Tools.runtimeconfig.dev.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
Avatar PSN Tools.runtimeconfig.json
Resource
win7-20240705-en
Behavioral task
behavioral12
Sample
Avatar PSN Tools.runtimeconfig.json
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
Newtonsoft.Json.dll
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
Newtonsoft.Json.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
ref/Avatar PSN Tools.exe
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
ref/Avatar PSN Tools.exe
Resource
win10v2004-20240802-en
General
-
Target
Avatar PSN Tools.runtimeconfig.json
-
Size
154B
-
MD5
42cfea46ed97e8dbbd7bd335329ec2ac
-
SHA1
c4861e68c17b69f8beffb68d9198c5b49d15da9a
-
SHA256
3620d53dc87b4aa2cbd50b5ca80baa3e3a017d9d38cb72f690e44295afc33f77
-
SHA512
51d132a2ec34ba11b4a806870e7955b8bc5caea9e783a38918859cf8fa988552bd40fb6c71e21cacf8e7164d5ce12f2a5665f990f58ef99527bde8dffc1b5a2b
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AcroRd32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.json\ = "json_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\json_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\json_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\json_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\json_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\json_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\.json rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2640 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2640 AcroRd32.exe 2640 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2180 wrote to memory of 2620 2180 cmd.exe rundll32.exe PID 2180 wrote to memory of 2620 2180 cmd.exe rundll32.exe PID 2180 wrote to memory of 2620 2180 cmd.exe rundll32.exe PID 2620 wrote to memory of 2640 2620 rundll32.exe AcroRd32.exe PID 2620 wrote to memory of 2640 2620 rundll32.exe AcroRd32.exe PID 2620 wrote to memory of 2640 2620 rundll32.exe AcroRd32.exe PID 2620 wrote to memory of 2640 2620 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Avatar PSN Tools.runtimeconfig.json"1⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Avatar PSN Tools.runtimeconfig.json2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Avatar PSN Tools.runtimeconfig.json"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2640
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD590208e16c92a169aa49be6d493e1e193
SHA19075bc2b7857d1a4542c71e19f12b644c2cb05a5
SHA256f198dd8bc1c8d251221cf104ba6323d5e570d2871f70dc171cbfd8d023cd52cf
SHA512964a8eb914c8b85879d4854eb627b601905d669c038a10e4b80829c57e42897110268526b8f9d2c0187b9f7bc62a91de1c605b8ebf6d98ad56046f3d209b2107