b7da3b3684234f6959fc1b0bd217f111faa5b4048c62b6339320144d790ac178

Analysis

max time kernel
103s
max time network
48s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cina/Desktop (2)/IPRoyalPawns/resources/app/resources/tray-icon/resize.sh
Size

290B
MD5

316970b940f5731b6bca20e047c9dbfb
SHA1

71b4eae8195054122b373583f4e85b9b0fb06502
SHA256

8acb907ca652bfb87000f90c8f2d1d2432630c11160e64190b35576be0647ceb
SHA512

6e300490981319b234a396f3e7e0a4690da986def6c1ba141457339c516c275a3b41b5ed26d63c73031d31a45a705811b097b36a98cff4919c4df772f3470974

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2772 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2772 AcroRd32.exe
2772 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

pid	process
2772	AcroRd32.exe

pid	process
2772	AcroRd32.exe
2772	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2860 wrote to memory of 3032	2860	cmd.exe	rundll32.exe
PID 2860 wrote to memory of 3032	2860	cmd.exe	rundll32.exe
PID 2860 wrote to memory of 3032	2860	cmd.exe	rundll32.exe
PID 3032 wrote to memory of 2772	3032	rundll32.exe	AcroRd32.exe
PID 3032 wrote to memory of 2772	3032	rundll32.exe	AcroRd32.exe
PID 3032 wrote to memory of 2772	3032	rundll32.exe	AcroRd32.exe
PID 3032 wrote to memory of 2772	3032	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Cina\Desktop (2)\IPRoyalPawns\resources\app\resources\tray-icon\resize.sh"
1⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cina\Desktop (2)\IPRoyalPawns\resources\app\resources\tray-icon\resize.sh
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cina\Desktop (2)\IPRoyalPawns\resources\app\resources\tray-icon\resize.sh"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0071d8496aa6a5f2735cfe961dbf36d8

SHA1
2a0af885ac1865ebc00e9581e68f8d1ee0c23c31

SHA256
fc1627f4143e7d848748b3f6cb0e67cc23205933e701ee3064955166a62bff91

SHA512
b9ac622540cbbd946225403fea990cd97d921f7ff916d209a1c88d91a8881121a280d2487ea6e7333393262a5fa19bf38d9eff6134a78258010c608c90eb7a29

Download Submit