Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/09/2024, 04:07

General

  • Target

    723.7z

  • Size

    10.5MB

  • MD5

    55c0b65cc02aeaae2e6cbb94947b9c05

  • SHA1

    f8f3434679aa154f38921d7c5b68787b6ef2ffb1

  • SHA256

    b9d8f132826a61e15d1681f9ed82ab572fa182b062abc4d6e4e3291681dfb2b5

  • SHA512

    49f216712b371fc73add2f24ac229c97034b374b408c6631619f115675803f95e1d28a375e5311af40e2fc3c0192b75eb65159ba7a7db91d9926f95a97dddc16

  • SSDEEP

    196608:9lN05erlbndN+5Y4r+qFJ4epLK0g1MxBC1W4W7AyrIJzo0ba:9lN0EZdN+5Y4r+qFvpWwxqWCJPe

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\723.7z
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\723.7z
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\723.7z
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\723.7z"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    b794b8cc05d5d234a90e6129162d9c3a

    SHA1

    93e2fcd6fb16f734facf5134d2c004bb3d0aa40e

    SHA256

    f4fae3b1a9ab7f9de546ab54c99004712ad2a806949db704f63e7883ae25e31c

    SHA512

    c7373ac181891e8d1761ad76e4861daf11ed0829b852e84052ac701936130b9f05396d6839d8f86bb4b0e835d847e4127ba0cc1489e07b29442ad4aa8477f716