39eed41a282105d827a5ed1c6bd0e50e5b69d8535f80c2e67aeb2f0da72e1628

Resubmissions

15/10/2024, 23:54

241015-3x4fvsxemq 8

15/10/2024, 23:51

241015-3v719sxdrl 7

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payload/Mabz.app/PhoneNumberKit_PhoneNumberKit.bundle/Info.plist
Size

702B
MD5

f4f10c2f85b6cd580c91fc1542e058a0
SHA1

a62004a0e0cd12a50d9ad4879bc920cc8b819f3a
SHA256

45df6d34e4df0d58e47007cdb0b5ae2f9b98d9d017331e071b230de437a0c716
SHA512

91c46d56905e0515f577f8a1754218c0b98a80a9270a5faaa2dfc14bc4374119510ce808c320f1d8d5def6aaa7170289af20bdd24f0aa468f6b74ff0e2bb3360

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2896	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2896	AcroRd32.exe
2896	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2244	1964	cmd.exe	31
PID 1964 wrote to memory of 2244	1964	cmd.exe	31
PID 1964 wrote to memory of 2244	1964	cmd.exe	31
PID 2244 wrote to memory of 2896	2244	rundll32.exe	32
PID 2244 wrote to memory of 2896	2244	rundll32.exe	32
PID 2244 wrote to memory of 2896	2244	rundll32.exe	32
PID 2244 wrote to memory of 2896	2244	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Payload\Mabz.app\PhoneNumberKit_PhoneNumberKit.bundle\Info.plist
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Payload\Mabz.app\PhoneNumberKit_PhoneNumberKit.bundle\Info.plist
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Payload\Mabz.app\PhoneNumberKit_PhoneNumberKit.bundle\Info.plist"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
622c13b7a1d13ad5a0cc565a22da5fef

SHA1
e8af9a94727348f13b1abb482262a66a91ce50b3

SHA256
0e734e53af9aef5dee6f96a62211be35cdb7fcea4e8c6a4c3962fd3088baab8f

SHA512
160fd38ab019a1e841ff0edd7636691c7e5979184a7e8a143446474985aac1cdc7fd3154323ac986187f4847c124403b557d0f9a2c76fc74622210d116518a06

Download Submit