f60e689830b70645133be31e9db094e258da3ea96b0fd4190cef3c1d07e9643c

Analysis

max time kernel
359s
max time network
361s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 00:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Resource/AttachmentManager.admx
Size

5KB
MD5

a7f3bb7ecbcbaeba34ae99a473fc78d4
SHA1

35519185fd4a538d8ca1b9ceb46cdda78f6f1cd4
SHA256

5eca8151e2ebc1c5c3beeec2b6d79d16f54eb543fba45ed6e8cc6a7d3d5632a8
SHA512

9f8833d9e10013b8d092e999a3c0f4caa7bfbac6a725ec85e5bb4ad3ab99a6cca1a99899521603b0b9f0912e0ff0e2264f29898044c2d366282568d9fc148e36
SSDEEP

96:QeD/mDZK0ovKnKJrb5PwWA+P3WvwGFi1PdWhlhQWAsPOWA7dPlwwxbe1Pw5IFtX9:vYZJMfpYmPGsddWhlh4MiZBxbedw5IFX

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.admx\ = "admx_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\admx_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\admx_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\admx_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\admx_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\admx_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\.admx	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\admx_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
860	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
860	AcroRd32.exe
860	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 1728	3052	cmd.exe	29
PID 3052 wrote to memory of 1728	3052	cmd.exe	29
PID 3052 wrote to memory of 1728	3052	cmd.exe	29
PID 1728 wrote to memory of 860	1728	rundll32.exe	32
PID 1728 wrote to memory of 860	1728	rundll32.exe	32
PID 1728 wrote to memory of 860	1728	rundll32.exe	32
PID 1728 wrote to memory of 860	1728	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\AttachmentManager.admx
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Resource\AttachmentManager.admx
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Resource\AttachmentManager.admx"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5ec6ee8707781253bf7693636be5f22b

SHA1
da583583b11724fee96865f56f6c0d264abefc99

SHA256
577bc41a92af08a8de7b2bacbaf0c860928824ab2d328e3df83db696ee580975

SHA512
42c1c6d53858edeab52223fe53030d1e2b25f927979cfd84fffa6e55430c4c4bdbe9532447a4b357764402f315d4a64dde68e797754bd23e9d5aa3cb7b1a767f

Download Submit