d32298f1f5afdd3cd03e29ba3fd08787b346bf6ab7fa9296e6bbe2aaff40470c

Analysis

max time kernel
1561s
max time network
1566s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kg_patch/linux/libida32.so
Size

5.8MB
MD5

77e963a6e35ca4edfde1c69eee71b91b
SHA1

3124cf98f4f03539122db10f5f614fb3f390f36d
SHA256

94e8afe3c416a25f07ad7feaf24da9037ec86f3ac35f6c5eb5d3c9999d88a3c8
SHA512

7222314493ae8c22cb583a4dbfadf8802a5d14051cf9082ff65a44cd894e0b5b1290debe3c40422611d91a6b4e698e0820e4d9013853302dd65c570de65f1da5
SSDEEP

98304:qyjxbtmXFYleUYjQIm4Pkx/KeLovd6QdXKCUNHKkGsy6fCJMOC0:fmVQ/s1doZaGq

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2764 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2764 AcroRd32.exe
2764 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

pid	process
2764	AcroRd32.exe

pid	process
2764	AcroRd32.exe
2764	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 1520 wrote to memory of 2864	1520	cmd.exe	rundll32.exe
PID 1520 wrote to memory of 2864	1520	cmd.exe	rundll32.exe
PID 1520 wrote to memory of 2864	1520	cmd.exe	rundll32.exe
PID 2864 wrote to memory of 2764	2864	rundll32.exe	AcroRd32.exe
PID 2864 wrote to memory of 2764	2864	rundll32.exe	AcroRd32.exe
PID 2864 wrote to memory of 2764	2864	rundll32.exe	AcroRd32.exe
PID 2864 wrote to memory of 2764	2864	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\kg_patch\linux\libida32.so
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\kg_patch\linux\libida32.so
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\kg_patch\linux\libida32.so"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5dfb7c2aa8c26418ec844f61b87db7bd

SHA1
399030f97af74248df2f57e2f36f69496bc16f23

SHA256
4ce4e82900adfdaeac03f1e3d79dcd81826dfb463ba73b518a2fc79182d6d91f

SHA512
3fc18a592eee2a321edae1f36e9ff4eb8bd08ada32416f4c931976a5abd31ecf8f4c537f1af24d2db05eeabd378bf36927986d2289316b7ae4c35082dc443bb7

Download Submit