12c8a9ab93649f8c75399b6b96f4c54e7454cd0eaa25090dc53c223788c85222

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/anti_recoil_configs/Default.cfg
Size

105B
MD5

ce1699b43cac56a1db708eb47fb895ed
SHA1

b459711e26677a97573209b48a2dfba18f5d2124
SHA256

ad346cf890e24061ecb780c0ccb64c14b97a0fadc3cfbb35079370664fbdba65
SHA512

7a130b9f968760862945b986efea104c3a0345a1ac41e52322ff7afc566af26b9845091b9c3933ea36874ab6c389903145d280db829d457c82476fd1ef6268d8

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\cfg_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\cfg_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\cfg_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\cfg_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\cfg_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.cfg	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.cfg\ = "cfg_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2424	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2424	AcroRd32.exe
2424	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2572	2324	cmd.exe	29
PID 2324 wrote to memory of 2572	2324	cmd.exe	29
PID 2324 wrote to memory of 2572	2324	cmd.exe	29
PID 2572 wrote to memory of 2424	2572	rundll32.exe	30
PID 2572 wrote to memory of 2424	2572	rundll32.exe	30
PID 2572 wrote to memory of 2424	2572	rundll32.exe	30
PID 2572 wrote to memory of 2424	2572	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\anti_recoil_configs\Default.cfg
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bin\anti_recoil_configs\Default.cfg
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bin\anti_recoil_configs\Default.cfg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7a254b198064012bd82de3975a74e9fd

SHA1
a52a3a6077160f25080768b3a0cd6e4129fea2d4

SHA256
37d3103a20f1b0af3e66fca877a4a05df3aec22974fb34ea5e8ff59399c14fd1

SHA512
38dc62f2533cd2df4fe24aa13113db1b6a04ef739857cf5e7b20da7d52df8acd113780979d473742e1a5a0d44518dfb2edd1b2a9967b1ef652db254616d1a6d0

Download Submit