82acf8c2016905d0c0e40850b8f4bda1915e043a94e335390b553f94481811be

Resubmissions

14/09/2024, 11:46

240914-nxbzaasakp 3

14/09/2024, 11:44

240914-nwjbza1hql 3

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wordbomb-cheat-main/script.lua
Size

3KB
MD5

ca0b847ce0dbd59b7098563f8d514d50
SHA1

3ad99620d242ad1db83b0c725ec5fb6bebdc72cd
SHA256

974199709db011ed5e51993ceb2cc80780453847d9e8728d850e0dfe8ad1b2c0
SHA512

b3773beee878c183613ae4682095901a6d89e641b7b5449be988c4e58ff3f2fe24badb51561aa0cf7353bc9d9d80b7cdcbc7052cb10b31bfc64365a892aa0600

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\lua_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\lua_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\lua_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\lua_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\lua_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.lua	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.lua\ = "lua_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2864	AcroRd32.exe
2864	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2460	1076	cmd.exe	31
PID 1076 wrote to memory of 2460	1076	cmd.exe	31
PID 1076 wrote to memory of 2460	1076	cmd.exe	31
PID 2460 wrote to memory of 2864	2460	rundll32.exe	32
PID 2460 wrote to memory of 2864	2460	rundll32.exe	32
PID 2460 wrote to memory of 2864	2460	rundll32.exe	32
PID 2460 wrote to memory of 2864	2460	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\wordbomb-cheat-main\script.lua
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wordbomb-cheat-main\script.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\wordbomb-cheat-main\script.lua"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
79b5bf8f61d0dce477ea94e2979712a3

SHA1
908aaaa9bd299b10e158b82e4c8cef3fd5eb499f

SHA256
bbbb9ca076c686202e5f4432234f34bd632ff24d9717ffe4dae718904eb0ad2a

SHA512
72e1ea43a52d6885f6358fee8b4a1eed23aeca9becefed68d645d5db73706c7b5da8c4524f163a2bc20f2ed2e1a112b39dc93ef5c14a2f08dba8e296a95e5eb5

Download Submit