Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-09-2024 04:00

General

  • Target

    Solar/locales/es-419.pak

  • Size

    550KB

  • MD5

    befc1833e265f2d404288379fba640dc

  • SHA1

    ea5f938a7ba36a64a28aed3b1f41313cddded049

  • SHA256

    ea57a6261e9336b991b253127e4457337ab0c5435000396e48791ac52b222386

  • SHA512

    f46368c616ecdcc1a9729621d1be89dc0978f0b6441c2f108481397b0a5f244220b9821ee45bf55958926ecb41d1d72ff320e2ae5076d92bc3d8b6077c16b766

  • SSDEEP

    6144:ga1ooYkG/nHOP5mglpuYfKBoo5g6yLu5pqAm+Z:l1g/nuvpwh5g6guVZ

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\es-419.pak
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\es-419.pak
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\es-419.pak"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    70b817b7e0b4c858e20b60d9cf3c76fd

    SHA1

    3e4d579a588c7df52d9029cab5706ca486dc40e6

    SHA256

    0d936df0ccc783ba06dbe0d564df23fff0b142531819efaf2fbd901a67bc6d19

    SHA512

    485e3a760aa1cd8d81286113dfa4887ced1af14e7e59891dc45896242db1025a581aed49cb4de122ae673381945183b559addc265d8618a267a8929f4cdb2b58