12c8a9ab93649f8c75399b6b96f4c54e7454cd0eaa25090dc53c223788c85222

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/models/PhantomForces_Hamsta_v1.onnx
Size

11.7MB
MD5

50a0d0e8bed0f084ee46a154df442be1
SHA1

6de46f518bfc1e512797287e9d1bf4d2cdfe0497
SHA256

b25e0c6dbe87475837bb0f85a40cc7ab98ea40cd0b7486f53f3fede6ff405238
SHA512

63be031e8949857c96a1fc396d4d471c9b5090e9051b3a724248f0c7725c7fb2f1988116f1b298548d28b2a5458de6eeb1300efbd4dc23521a7af4d46dc4ec8f
SSDEEP

196608:3aqBE21+hlJP3/0l3/zKY4BMbvCb1hAeF5qT74midcpxnDx95isYIgp/7M7ItWoy:33b1qT/0F4BZfhad/JE1cUWQcmF5fmB1

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.onnx	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\onnx_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\onnx_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\onnx_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\onnx_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\onnx_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.onnx\ = "onnx_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\onnx_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2924	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2924	AcroRd32.exe
2924	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2392	1128	cmd.exe	32
PID 1128 wrote to memory of 2392	1128	cmd.exe	32
PID 1128 wrote to memory of 2392	1128	cmd.exe	32
PID 2392 wrote to memory of 2924	2392	rundll32.exe	33
PID 2392 wrote to memory of 2924	2392	rundll32.exe	33
PID 2392 wrote to memory of 2924	2392	rundll32.exe	33
PID 2392 wrote to memory of 2924	2392	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bin\models\PhantomForces_Hamsta_v1.onnx
1⤵
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\bin\models\PhantomForces_Hamsta_v1.onnx
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\bin\models\PhantomForces_Hamsta_v1.onnx"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
88759ac95c3a7a38cec734487c185d5f

SHA1
9b9f453576781f57a85cd49a93f3815926302bd6

SHA256
225303e1572de8a6522ae45a28438f6571d5d1f314fc841fe764145b6cbaf8af

SHA512
77b1b9236eaf407ac1c06c21c7e65be5c7c32e5618d3fd9baf86b94ab5d5583c3175c72e95c15fd8294d45e3fbf07b8ff5b840866ee51310959333e83621a372

Download Submit