be75f94398e7a9b047cf025f8b2b1effe4e3c3b8f607a1edec61d8682831525d

Analysis

max time kernel
363s
max time network
368s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

! §4§lCHATO GAP RGB/assets/minecraft/models/item/cake.json
Size

93B
MD5

1f78f5b20a3ae0b10c5e42cc6641473c
SHA1

80cf24d18625916b9cf31306ae4f6cbc652abc50
SHA256

6d5b8f033a3d53f849ddc0b99bf8241c8ee5f9d24f24ff38b31f8229a4c5c4a9
SHA512

a76df363d20d45f2222b654bb95ab1cd1b64d0d6fc603ad5fe049d106b2d556b01e8562d669d58100ae26928de2a707e80eada0dd76f47c989e6503975543fc2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.json	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2856	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2856	AcroRd32.exe
2856	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2924	2656	cmd.exe	31
PID 2656 wrote to memory of 2924	2656	cmd.exe	31
PID 2656 wrote to memory of 2924	2656	cmd.exe	31
PID 2924 wrote to memory of 2856	2924	rundll32.exe	32
PID 2924 wrote to memory of 2856	2924	rundll32.exe	32
PID 2924 wrote to memory of 2856	2924	rundll32.exe	32
PID 2924 wrote to memory of 2856	2924	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\! §4§lCHATO GAP RGB\assets\minecraft\models\item\cake.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\! §4§lCHATO GAP RGB\assets\minecraft\models\item\cake.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\! §4§lCHATO GAP RGB\assets\minecraft\models\item\cake.json"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
71be23f763d3f2c10f0ceb0c660fbcfc

SHA1
cc8083faa8ddb0c4a1874bf453c78431dc7999f0

SHA256
c685c9b1f1cb3e3bd886c4f6360d96059bb0c99cedd9fa240bce250bd303df6e

SHA512
56a9150dd3df0d66ee48d2ad8f1080cb28db05a5e63b76bd566e49d1c3e1254ebac11a5b4bd7b632c24cfa4a99e47542c9d86b7c18525bde2ea61e09b887266a

Download Submit