Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05-09-2024 12:37
Behavioral task: behavioral1
- Sample: b894980cf8646ca7c9e1ca281d9251fe5d0589654fd6867653755c44e486083c.unknown
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: b894980cf8646ca7c9e1ca281d9251fe5d0589654fd6867653755c44e486083c.unknown
- Resource: win10v2004-20240802-en
General
- Target: b894980cf8646ca7c9e1ca281d9251fe5d0589654fd6867653755c44e486083c.unknown
- Size: 24KB
- MD5: c87f55966d5c7521f65bab509a3920b4
- SHA1: 63186c1769ad957771d300ec31b2bb3e74c6117f
- SHA256: b894980cf8646ca7c9e1ca281d9251fe5d0589654fd6867653755c44e486083c
- SHA512: 36a96b3c96a750622c8c215ec1f1bddb7e2ebdf7fdc3b370d05d49beb31f27447c3fe208fe6d91b1a1d7647aa28f251b7985b53d29a7201ff26f4b7791832ab2
- SSDEEP: 192:r8oK3rcd5kM7ffi4UMF1pkOvpF3EiRcx+NSzfxmrmE76tNY2pCumJ0pQrXVjavmc:gGekfnVxVNOmrmEu3YcrmSpC1c
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (9 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.unknown\ = "unknown_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\unknown_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\unknown_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\unknown_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\unknown_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\unknown_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.unknown | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\unknown_auto_file\shell\Read | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2852 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2852 | AcroRd32.exe
  2852 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2520 wrote to memory of 2692 | 2520 | cmd.exe | 31
  PID 2520 wrote to memory of 2692 | 2520 | cmd.exe | 31
  PID 2520 wrote to memory of 2692 | 2520 | cmd.exe | 31
  PID 2692 wrote to memory of 2852 | 2692 | rundll32.exe | 32
  PID 2692 wrote to memory of 2852 | 2692 | rundll32.exe | 32
  PID 2692 wrote to memory of 2852 | 2692 | rundll32.exe | 32
  PID 2692 wrote to memory of 2852 | 2692 | rundll32.exe | 32
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\b894980cf8646ca7c9e1ca281d9251fe5d0589654fd6867653755c44e486083c.unknown
  PID: 2520
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (depth 2, child of PID 2520)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\b894980cf8646ca7c9e1ca281d9251fe5d0589654fd6867653755c44e486083c.unknown
    PID: 2692
    Signatures:
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3, child of PID 2692)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\b894980cf8646ca7c9e1ca281d9251fe5d0589654fd6867653755c44e486083c.unknown"
      PID: 2852
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 9623d38c382867906c59d1729bf615bb
  SHA1: b2da09a27a33e7f228af0946b3ce644a5a80b698
  SHA256: 2ee933c45e2c3d38f0b9d5d5a0f2b92ae5f2ee9cc67d388dee592200d85e7a97
  SHA512: 12c10c5318db84d5129c2e9ee856ab1647666d5915b3928f16bb0c21722566ac2754c92a4f18d082a2716cab74792932ddebf5cec7d59c59def1424c048723a7