f93c3a4931c1d065d6d2d7c5233e6d6415926f240b512bb41e12a2610dc898a9

Resubmissions

06/10/2024, 12:47

241006-p1hfxayfqa 10

06/10/2024, 12:45

241006-pzch9syfmc 8

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 12:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

resources/luascripts/animations/levitate.lua
Size

217B
MD5

d09da2b730602a59c3289b72e63137bb
SHA1

a8793635ae9ceddac54d1e6e6d27eb4938c4446a
SHA256

2af3980171cc17a4d7687b7489fe8b0bb193e5080c0ca76e5501983a0b3efadb
SHA512

21c0dafdd0f6d7ce7fa57b38ffd5af13bb9dc228bb466372e60f5d7c645895faecb81a55342b8abac1669e8c9b412d2b278cfeb1da65380b8876f809928b1b22

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	AcroRd32.exe
2748	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2784	2612	cmd.exe	31
PID 2612 wrote to memory of 2784	2612	cmd.exe	31
PID 2612 wrote to memory of 2784	2612	cmd.exe	31
PID 2784 wrote to memory of 2748	2784	rundll32.exe	32
PID 2784 wrote to memory of 2748	2784	rundll32.exe	32
PID 2784 wrote to memory of 2748	2784	rundll32.exe	32
PID 2784 wrote to memory of 2748	2784	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\resources\luascripts\animations\levitate.lua
1⤵
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resources\luascripts\animations\levitate.lua
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resources\luascripts\animations\levitate.lua"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
91fdd06e48545040cd5b64b89864303d

SHA1
bedbe3787757d6934e1eb20bc389f7d0ee9b1969

SHA256
f441e59cf86dfb34e0e5a0c4346a1036f71de5aecbca38d33afdba00ebc366bf

SHA512
abd8fdc5be5d0591b9768b68f07bd2bae6d62c51ddc702bbe4d0ca193755d6dcfd7be50eac0860cc5bad98772b9f8a67b94f1ca25b768a436c4ec878b1ad77ea

Download Submit