be75f94398e7a9b047cf025f8b2b1effe4e3c3b8f607a1edec61d8682831525d

Analysis

max time kernel
359s
max time network
360s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

! §4§lCHATO GAP RGB/assets/minecraft/models/item/cooked_chicken.json
Size

103B
MD5

7f42731950a94d9c019ad170916eef01
SHA1

a5f26d379dc5f7d14afa18e2daedb947286f7889
SHA256

da61ebce6244395211785ec3d6435652fd5932b745b179ef639b2f43dad0c95b
SHA512

e6f0262533c105dcec47c76effa9d165303f156d909bd7bdf293738af5a1fd0f7d6fc7b26eacd425b14d8672e2f2e2967e372f20cc67fca9a8bf32e76f7677df

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\json_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\json_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\json_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\json_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\json_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.json	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.json\ = "json_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2760	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2760	AcroRd32.exe
2760	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2624	2452	cmd.exe	32
PID 2452 wrote to memory of 2624	2452	cmd.exe	32
PID 2452 wrote to memory of 2624	2452	cmd.exe	32
PID 2624 wrote to memory of 2760	2624	rundll32.exe	33
PID 2624 wrote to memory of 2760	2624	rundll32.exe	33
PID 2624 wrote to memory of 2760	2624	rundll32.exe	33
PID 2624 wrote to memory of 2760	2624	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\! §4§lCHATO GAP RGB\assets\minecraft\models\item\cooked_chicken.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\! §4§lCHATO GAP RGB\assets\minecraft\models\item\cooked_chicken.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\! §4§lCHATO GAP RGB\assets\minecraft\models\item\cooked_chicken.json"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
df08f72911c47e058a0a2687645951b0

SHA1
c77ff1af3237405fd5e5ce0edcf6a21c0b73d308

SHA256
f23d26f56db739a685182c26bf6c2dba9d993a45ccda9b24d600c2f1b3f7af0b

SHA512
4a1d36e2df0b66e0c378cbf7525fc5dc8f92556ee0df87e2315a23ac318ceb97655b8645d37520f5b1b38bae233ecaccd40e9d8e793d2b4b49c2e3e7527131f3

Download Submit