9ed5767db68fb669b3f18a0565cae471ee3800b94a187c4512e5a6691797c511

Resubmissions

27-11-2024 20:39

241127-zfpdtszjes 6

27-11-2024 20:33

25-11-2024 22:14

25-11-2024 20:57

28-09-2024 18:21

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

browserres/cef_200_percent.pak
Size

274KB
MD5

360d0c8b817b29f8ba97195453056b1b
SHA1

0ec45a8112de876816f833e75327c8549b6b7898
SHA256

6b9df3dcd3b36213d54effef64e2dddab7266ed46d24fe86bd725f4e9f036fe7
SHA512

a79d9655d22f019cde7df0a27d499cab104ef418abcb2106b7c7b11144f7be79bd42151d4819d07822945dc02f181a74cdb3ce30e460ce1703aecd94e6fc870e
SSDEEP

6144:1YS+zaSR3aW2r6DQYaF+9bQHgs4jTl5Nz73QYV85u/oFY1lo+:1c32/fs4gs4jT3Zg5u/oFu

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.pak	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.pak\ = "pak_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	AcroRd32.exe
2832	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2744	376	cmd.exe	32
PID 376 wrote to memory of 2744	376	cmd.exe	32
PID 376 wrote to memory of 2744	376	cmd.exe	32
PID 2744 wrote to memory of 2832	2744	rundll32.exe	33
PID 2744 wrote to memory of 2832	2744	rundll32.exe	33
PID 2744 wrote to memory of 2832	2744	rundll32.exe	33
PID 2744 wrote to memory of 2832	2744	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\browserres\cef_200_percent.pak
1⤵
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\browserres\cef_200_percent.pak
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\browserres\cef_200_percent.pak"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f07a1e3a21013018fef589d5c6280628

SHA1
4d98ffdd564a01c6ef7e47574bb5052e7fbbc699

SHA256
dd91e745c425e52383c5fc4686ba34c68bc8ba9bf8254f151a67049e0105125c

SHA512
c3f4dc41f58b3f38097625d792ee355d8db6a9cd6851fa01c83250bde2f24f00214e416d2581233aa5d6a9df19ebbee319c6eff08bc72ecbefef76332cab1b99

Download Submit