6b8a5f0172a346d08d8e6325b5d5354a01055bdd8332f93aa174ad27b0ec1bee

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.bash_logout
Size

220B
MD5

22bfb8c1dd94b5f3813a2b25da67463f
SHA1

dc216ac4a4c232815731979db6e494f315b507dd
SHA256

26882b79471c25f945c970f8233d8ce29d54e9d5eedcd2884f88affa84a18f56
SHA512

c3d739f4934824d81f561c9b626b494e3c256b5a97642667882632db030fc1a8c7d23eb1ae5db7e9f63ae46ee84dbee69d15130dd1482a2c1e8aade1dfc545a2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.bash_logout	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\bash_logout_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\bash_logout_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\bash_logout_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\bash_logout_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\bash_logout_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\bash_logout_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.bash_logout\ = "bash_logout_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid	Process
2724	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid	Process
2724	AcroRd32.exe
2724	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	Process	procid_target
PID 2272 wrote to memory of 2672	2272	cmd.exe	32
PID 2272 wrote to memory of 2672	2272	cmd.exe	32
PID 2272 wrote to memory of 2672	2272	cmd.exe	32
PID 2672 wrote to memory of 2724	2672	rundll32.exe	33
PID 2672 wrote to memory of 2724	2672	rundll32.exe	33
PID 2672 wrote to memory of 2724	2672	rundll32.exe	33
PID 2672 wrote to memory of 2724	2672	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\.bash_logout
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\.bash_logout
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\.bash_logout"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9c68c35f9426f7cc79d972701b9b19cb

SHA1
841f8762879d83a5bd3f20ca690c892e05f615de

SHA256
76e9a49ce93deadf0353784f7185685e832e61a9bb29c9c069727b18923ce831

SHA512
1d598e414a937c096fb8fa5d9fca614ddbb047bd2fe8507b3c46e1ccc968266d255824c465673201ea9a42bd8ee26f69f9e52b21d9ed940d799734a43e0e5a91

Download Submit