69943738a2f0a000191138d02b8b2395c0a110027e801da8f6a2a4ff78861c3d

Analysis

max time kernel
111s
max time network
68s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 14:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Lillian Night Succubus Exclusive Contract-v1.2.0/LillianNight_Data/GI/level1/31/3189e8f177434ce566e33cc1ffa515f0.caw
Size

21KB
MD5

e04cde28869859d7412ecdad63be0934
SHA1

a5796f0765a3e7cac3de312c3557cfaed3d00e18
SHA256

5884a89f8d83600eb0ea9183363ca0002da69a2d0bf70234b97b37689e1f0103
SHA512

ef63c68d9a45700404fe5608ef9396482d0928769ef67a8282977ee3d6746e7bb90af2ffb54494321e87a30968ee39ac266ec9084fa64bc2eff7c3eef847cc52
SSDEEP

384:feQV1eiEJz8TIvoIytQ0XnS2UCM0X8bAaPIv9/L:feQV1EQTIj8lUCNM81L

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\caw_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\caw_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.caw\ = "caw_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\caw_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\caw_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\caw_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\caw_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.caw	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1752	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1752	AcroRd32.exe
1752	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2824	2784	cmd.exe	30
PID 2784 wrote to memory of 2824	2784	cmd.exe	30
PID 2784 wrote to memory of 2824	2784	cmd.exe	30
PID 2824 wrote to memory of 1752	2824	rundll32.exe	31
PID 2824 wrote to memory of 1752	2824	rundll32.exe	31
PID 2824 wrote to memory of 1752	2824	rundll32.exe	31
PID 2824 wrote to memory of 1752	2824	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Lillian Night Succubus Exclusive Contract-v1.2.0\LillianNight_Data\GI\level1\31\3189e8f177434ce566e33cc1ffa515f0.caw"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Lillian Night Succubus Exclusive Contract-v1.2.0\LillianNight_Data\GI\level1\31\3189e8f177434ce566e33cc1ffa515f0.caw
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Lillian Night Succubus Exclusive Contract-v1.2.0\LillianNight_Data\GI\level1\31\3189e8f177434ce566e33cc1ffa515f0.caw"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
58e9daa24278ee032f2be7b5dcff16cd

SHA1
47e4c0f7f1c63612848e469ef4dad8196542438a

SHA256
7457e103f976f7f1d6f72413e3d6ac4f9810e6cda2c49faee1265b00b6a5230a

SHA512
479919ff780dc84f9e6d7a6fba47b7434803a22af9626accd8c006a636075dce99fa50f952a8126ccfa85a57b6c5839b2e1c6a39b90fbdd39075b9b6235c2f36

Download Submit