1252c59f28ed87f9236af0b045978c17351faf34649e639b1dc8fdfdd5ccc0ae

Analysis

max time kernel
313s
max time network
318s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

安装指南/README.md
Size

506B
MD5

d3ff53a5c69a36e2c6da3e1c2e766eee
SHA1

b62877a8a3bbb2a7eab7024535a7b8fe27030220
SHA256

3c87c1b8b6f05a185b27ba4eec8f46619fae5799d81caa72ad40eca6e7c081c5
SHA512

51d2ea43dc0f7d31b5c343a21f84aaa9436d2cd7f7d7a023c8f2ed9174970fac642cc8aca9e3bee906504e6612690ee226775e76d794b8ee70b488f8e525a12b

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid	Process
2876	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid	Process
2876	AcroRd32.exe
2876	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	Process	procid_target
PID 2396 wrote to memory of 2264	2396	cmd.exe	30
PID 2396 wrote to memory of 2264	2396	cmd.exe	30
PID 2396 wrote to memory of 2264	2396	cmd.exe	30
PID 2264 wrote to memory of 2876	2264	rundll32.exe	31
PID 2264 wrote to memory of 2876	2264	rundll32.exe	31
PID 2264 wrote to memory of 2876	2264	rundll32.exe	31
PID 2264 wrote to memory of 2876	2264	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\安装指南\README.md
1⤵
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\安装指南\README.md
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\安装指南\README.md"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9680452582b4aa84c39f7baa693370dc

SHA1
812caf3ffde9dbfa209e891929fa7e9e11b702b1

SHA256
ddb277c8b547daadae35706f162562ad73604fd1a05138177b0df5d0077074ee

SHA512
0ff69a5833e4fc5eb0c6e8a1984e9bea0b596ad659c0c09b2b1d2831ae877f9293bfd63f9a0431db69dda186125fc1b9290ed7756d09f24c96ab3148be6e51c1

Download Submit