0c89616a3c3f9fca80ef731c8e0130d30b8e5fa41682ea52ec4481331f9f98ab

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723.7z
Size

10.5MB
MD5

55c0b65cc02aeaae2e6cbb94947b9c05
SHA1

f8f3434679aa154f38921d7c5b68787b6ef2ffb1
SHA256

b9d8f132826a61e15d1681f9ed82ab572fa182b062abc4d6e4e3291681dfb2b5
SHA512

49f216712b371fc73add2f24ac229c97034b374b408c6631619f115675803f95e1d28a375e5311af40e2fc3c0192b75eb65159ba7a7db91d9926f95a97dddc16
SSDEEP

196608:9lN05erlbndN+5Y4r+qFJ4epLK0g1MxBC1W4W7AyrIJzo0ba:9lN0EZdN+5Y4r+qFvpWwxqWCJPe

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	AcroRd32.exe
2632	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2080	3040	cmd.exe	31
PID 3040 wrote to memory of 2080	3040	cmd.exe	31
PID 3040 wrote to memory of 2080	3040	cmd.exe	31
PID 2080 wrote to memory of 2840	2080	rundll32.exe	33
PID 2080 wrote to memory of 2840	2080	rundll32.exe	33
PID 2080 wrote to memory of 2840	2080	rundll32.exe	33
PID 2840 wrote to memory of 2632	2840	rundll32.exe	35
PID 2840 wrote to memory of 2632	2840	rundll32.exe	35
PID 2840 wrote to memory of 2632	2840	rundll32.exe	35
PID 2840 wrote to memory of 2632	2840	rundll32.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\723.7z
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\723.7z
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\723.7z
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\723.7z"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
b794b8cc05d5d234a90e6129162d9c3a

SHA1
93e2fcd6fb16f734facf5134d2c004bb3d0aa40e

SHA256
f4fae3b1a9ab7f9de546ab54c99004712ad2a806949db704f63e7883ae25e31c

SHA512
c7373ac181891e8d1761ad76e4861daf11ed0829b852e84052ac701936130b9f05396d6839d8f86bb4b0e835d847e4127ba0cc1489e07b29442ad4aa8477f716

Download Submit