82acf8c2016905d0c0e40850b8f4bda1915e043a94e335390b553f94481811be

Resubmissions

14/09/2024, 11:46

240914-nxbzaasakp 3

14/09/2024, 11:44

240914-nwjbza1hql 3

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wordbomb-cheat-main/script.lua
Size

3KB
MD5

ca0b847ce0dbd59b7098563f8d514d50
SHA1

3ad99620d242ad1db83b0c725ec5fb6bebdc72cd
SHA256

974199709db011ed5e51993ceb2cc80780453847d9e8728d850e0dfe8ad1b2c0
SHA512

b3773beee878c183613ae4682095901a6d89e641b7b5449be988c4e58ff3f2fe24badb51561aa0cf7353bc9d9d80b7cdcbc7052cb10b31bfc64365a892aa0600

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\lua_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\lua_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\lua_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\lua_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\lua_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\lua_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.lua	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\.lua\ = "lua_auto_file"	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2888	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2888	AcroRd32.exe
2888	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2944	2352	cmd.exe	32
PID 2352 wrote to memory of 2944	2352	cmd.exe	32
PID 2352 wrote to memory of 2944	2352	cmd.exe	32
PID 2944 wrote to memory of 2888	2944	rundll32.exe	33
PID 2944 wrote to memory of 2888	2944	rundll32.exe	33
PID 2944 wrote to memory of 2888	2944	rundll32.exe	33
PID 2944 wrote to memory of 2888	2944	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\wordbomb-cheat-main\script.lua
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wordbomb-cheat-main\script.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\wordbomb-cheat-main\script.lua"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
ff4e9b2adfe17bd9d28cdd2e445d4fa4

SHA1
1a5c313bfbae0fec29522e95fa1235a85880e972

SHA256
89f191abf4a17fb08d41d4dd87d9e2135c92f6764ee8642b1abd2dab9ef9c106

SHA512
61d1a94edce6edf5a422917817cb2f62311fccd00dd2e7bf81bd011f650efab0f2bda58abe19bf92e5268b52de9a587289afcbc49e2812cf10b5fbc2a7de74e9

Download Submit