dbaca2fe280af72be7c98d3cff7fc4e9c5899fa2845bb6eba58cb6931d170d4e

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 12:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

wang-bin-QtAV-f672e4a/debian/ubuntu.sh
Size

920B
MD5

687e224260d4303547378e7318260366
SHA1

fc4f02c9df5d9738fc792513d5c946a8a3587fd4
SHA256

021adc6b48d81eb670f0cea884fdbf2adb1312c5d04139139fad3acd899d27a2
SHA512

4d47ca6ae183ae36d91f77db7a24f5645c7daec19f2f896bd396d47972ffdc31eaccfc6601757c8837523c8186c94247f9162babc6dc56c92775d2151d832f88

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.sh\ = "sh_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.sh	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	AcroRd32.exe
2704	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2644	2972	cmd.exe	32
PID 2972 wrote to memory of 2644	2972	cmd.exe	32
PID 2972 wrote to memory of 2644	2972	cmd.exe	32
PID 2644 wrote to memory of 2704	2644	rundll32.exe	33
PID 2644 wrote to memory of 2704	2644	rundll32.exe	33
PID 2644 wrote to memory of 2704	2644	rundll32.exe	33
PID 2644 wrote to memory of 2704	2644	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\wang-bin-QtAV-f672e4a\debian\ubuntu.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wang-bin-QtAV-f672e4a\debian\ubuntu.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\wang-bin-QtAV-f672e4a\debian\ubuntu.sh"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f9f6c5c7322d5f0d0cd53e9d51a31957

SHA1
797feb868749497e4009688c2147dd43cf5ce10a

SHA256
e246bb7705cc914aa741772a2811869e3b4237b7c6a855b788e17ce1df216ba3

SHA512
6d73cadb19ac12ac62cff2eef03d9305c2fea40aa7319e9e63118cc30c3821484ffa2dca49053638f68187b4696b1454ea819f93bc787a4c9852e6a80e4f7319

Download Submit