67bfb1d5f2cff3053578d83dd34a7b5b2f006616d145b3184a958ed45ce92f1b

Analysis

max time kernel
103s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OTP BY Blazee/OTP BOT BY SYNDICATE.rar/helpers/config.json
Size

334B
MD5

770138a3c4d28e7f5c3384f11ff518d6
SHA1

67ac1b3b387bac40c1b57624adcb1b6072b4aeb5
SHA256

1d7699dee8cf5dceacf805641983f3056ce951563eca2ec5f42247c75279b615
SHA512

0698b4562df2fc7b225df66dede685c7a953caeb72e882297db0ac235637d768736e4271d4da4e6584a7436240251ece3b328995296d49dce0077b66fb9b99b5

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2976	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2976	AcroRd32.exe
2976	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 3008	2736	cmd.exe	31
PID 2736 wrote to memory of 3008	2736	cmd.exe	31
PID 2736 wrote to memory of 3008	2736	cmd.exe	31
PID 3008 wrote to memory of 2976	3008	rundll32.exe	32
PID 3008 wrote to memory of 2976	3008	rundll32.exe	32
PID 3008 wrote to memory of 2976	3008	rundll32.exe	32
PID 3008 wrote to memory of 2976	3008	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\OTP BY Blazee\OTP BOT BY SYNDICATE.rar\helpers\config.json"
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\OTP BY Blazee\OTP BOT BY SYNDICATE.rar\helpers\config.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OTP BY Blazee\OTP BOT BY SYNDICATE.rar\helpers\config.json"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
29d82720a993b44766af8d14a736dda0

SHA1
6f9d244603fede62e73c79d8e766c9071bf116ce

SHA256
f3a6b429297d52c2f34311a1c6fd2b80e2047438aa29384c3d8ddee75495f7b9

SHA512
2d39c6336a33ad0a28a85db9ffc2b67409cced4b59db8b08f330da45e88906415c322b3d912c685a39e1a53b1e6d864d59de01c59d7fbbdb29470a1d47249a48

Download Submit