809f6517480548b9976840145ff402d2598cdf6cc7bc210646306957ca41032e

Analysis

max time kernel
102s
max time network
19s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

icudtl.dat
Size

10.0MB
MD5

3f019441588332ac8b79a3a3901a5449
SHA1

c8930e95b78deef5b7730102acd39f03965d479a
SHA256

594637e10b8f5c97157413528f0cbf5bc65b4ab9e79f5fa34fe268092655ec57
SHA512

ee083ae5e93e70d5bbebe36ec482aa75c47d908df487a43db2b55ddd6b55c291606649175cf7907d6ab64fc81ead7275ec56e3193b631f8f78b10d2c775fd1a9
SSDEEP

196608:gmXwSv9AAQMlptodliXUxR0rHf93WhlA6tnoB:gjKlQMlpgliXUxR0rHf93WhlA6tnoB

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.dat\ = "dat_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\dat_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\dat_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\dat_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\dat_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\dat_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\.dat	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	AcroRd32.exe
2704	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 2816	908	cmd.exe	30
PID 908 wrote to memory of 2816	908	cmd.exe	30
PID 908 wrote to memory of 2816	908	cmd.exe	30
PID 2816 wrote to memory of 2704	2816	rundll32.exe	31
PID 2816 wrote to memory of 2704	2816	rundll32.exe	31
PID 2816 wrote to memory of 2704	2816	rundll32.exe	31
PID 2816 wrote to memory of 2704	2816	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\icudtl.dat
1⤵
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\icudtl.dat
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\icudtl.dat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
43d0d2b0cc59a055bed962d9ccdbecb8

SHA1
d410e8cc73bef73b9c4f48f354844472af531b1a

SHA256
84edf1eee9774e94fb6e6176a5dfd2202bae4e7e8e2820bf84ab5a3ee8ffad89

SHA512
a1125792393992de655eba216ca6c67bc6687e14d36dc57b1f2b5f386eefb6c8ab07a8f719d5d5be3e7f19f703f25d205daf9c786f86efc93c9e346ee9a3dce0

Download Submit