Analysis

  • max time kernel
    109s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/09/2024, 13:34

General

  • Target

    $PLUGINSDIR/app-64.7z

  • Size

    76.0MB

  • MD5

    27553a121fe3f20fa5f6acb2188194ec

  • SHA1

    9bf6c3f68ece5a0d8fd61652462a8bb46a41e521

  • SHA256

    b8a041027d7f90eb6ed91df36b742f3caacd0fc0687d0b968eb3342f8d8e8e12

  • SHA512

    27de4001c09217d966766967fef68f1b02c361d4a8933785ec25b536ade36dc2841c27bcdd736913887efb8348d7352258f3d9cf266a42006aa7854e29c67507

  • SSDEEP

    1572864:drziNx5qbJJaoTl9ncU8gKEiPYlkJHo7XiCgo2ck7fT56UaO5UpLVqRij:4x5qbbtTlFdKlYSsXiCgHt6U1upzj

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    b66ce176a6eed6751ef9a67c1802a93e

    SHA1

    3abfd3bb65a8ffb5865ca2522dcba6f0867f5142

    SHA256

    98f924561b223a9fc6ef76fd3ced3e851c0ef977aa2e4738dc5f637d3783a1a3

    SHA512

    6194dbeb81761c819c592d2d8be547026036dd4c471863047fe147bcdede66f970e2b7e870e0f4fb29beb51fea3dc9e512038eb7bad8de624ca8b1d7f4b53be5