Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 04:00

General

  • Target

    Solar/locales/af.pak

  • Size

    494KB

  • MD5

    c9a3eae18f5c5b237a2bd4fa5fe3cd6e

  • SHA1

    0457bb0902682e4b036b61a79aa54d20f6bc9d5c

  • SHA256

    1c4b71a30dbb98d19d6cb2704ff2ae2ea72f3a4d117d45b96bfaf4ae0e66df9e

  • SHA512

    6db4f90a31d3bc01474fdc45743375f03aa0eec2cf05354e3dbba76f475224cacf2efc58357da12d502c21a0650cc0012c2cce7bf449b2d9efcf5d21de44f99c

  • SSDEEP

    12288:KA04L9o3w7irJGiCJYR2+H2JynyaI4In6ro0v7ENgI2CRwHM+2rs3e0lOX5g6tlj:jzL9oA7eJdsYR2+H2JynyaI4In6ro0vw

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Solar\locales\af.pak
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Solar\locales\af.pak
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Solar\locales\af.pak"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    f2d37e22c93076a1e265dddd559748c8

    SHA1

    ea65e6f14ebfbfa5051bd636cee2effd25b6a3d9

    SHA256

    6c2018aaba9c67a1754ace840787d40dc2276893a3b761b7fde138ac8c51551f

    SHA512

    07e1c41565f2b8502d0e2760420e9c3086fc0ad00da496d57f17c525dadb9816cf3ed15f7ac518f29ea23c73966e3eb1c17d8c0daf232279545e7e74ab791f3b