f93c3a4931c1d065d6d2d7c5233e6d6415926f240b512bb41e12a2610dc898a9

Resubmissions

06-10-2024 12:47

241006-p1hfxayfqa 10

06-10-2024 12:45

241006-pzch9syfmc 8

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resources/luascripts/animations/jumpland.lua
Size

217B
MD5

2899ec217aef73b127c9328785012eef
SHA1

445ee17a3f9d5912a7de0715b96e67dd606ce9e3
SHA256

7d4ca7b02c90b0b21d64c2baa6e5940dcce895db5bc125d0e993a5a883186721
SHA512

9a01d23442c0b1baba6ef6fef1c7498726958d67caa85728e0cc152800a4ed2259d0e5cd63509df397239714f5bb288552b31bee7fc49a60f69e05991eb6beb0

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2720	AcroRd32.exe
2720	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2216	2416	cmd.exe	31
PID 2416 wrote to memory of 2216	2416	cmd.exe	31
PID 2416 wrote to memory of 2216	2416	cmd.exe	31
PID 2216 wrote to memory of 2720	2216	rundll32.exe	33
PID 2216 wrote to memory of 2720	2216	rundll32.exe	33
PID 2216 wrote to memory of 2720	2216	rundll32.exe	33
PID 2216 wrote to memory of 2720	2216	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\resources\luascripts\animations\jumpland.lua
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\luascripts\animations\jumpland.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\luascripts\animations\jumpland.lua"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
b740a0ce08195f39722e29ff31251d2d

SHA1
3d988f0dd9b5098a466f514cdef09cb461903a8d

SHA256
03fc864c7ef269ab0f87e903b9a0da48b13eca3eef89b74d4398b0d4b77b50a0

SHA512
360c8b3213a81e694c2fc0cb3310e4c596333f012b268d71093ee9e346bb3aa86ad646ce86a991b34b71e772a28a15d647bb973ef5f0256f5e2eaad9353555b2

Download Submit