7fa3c53115c61a095da7ce93276e828198fba45f93c30bf245a0ffd9266a77bf

Analysis

max time kernel
102s
max time network
23s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app-11.17.0/resources.pak
Size

5.1MB
MD5

57fd79bd2c10adacc288fb6aec1576a9
SHA1

7fad7349dc93adb1580447914db2c15abc5c162c
SHA256

862431f3cbef4af67677e6a86f5a8202ba3703400323bc192fd0b11b9e7a40e8
SHA512

ad07cfd072f7c8a04a9971b863a0d15d9b8c40735391f44c7d64caf847c7ca9a5c24e0d6380dad8da4d02b017ebcffdcede05675a549268dc715e855b9d15f6d
SSDEEP

98304:It1j25dN0JgWPVcz+cd31rJ7JBXbwHgf31/LrwrWBpcdmTHWCF3UlfPcauPFcHNp:Itp8v0JPdB831FJ5wHwlzkrWBQmTHWoM

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2820 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2820 AcroRd32.exe
2820 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe

pid	process
2820	AcroRd32.exe

pid	process
2820	AcroRd32.exe
2820	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2116 wrote to memory of 2964	2116	cmd.exe	rundll32.exe
PID 2116 wrote to memory of 2964	2116	cmd.exe	rundll32.exe
PID 2116 wrote to memory of 2964	2116	cmd.exe	rundll32.exe
PID 2964 wrote to memory of 2820	2964	rundll32.exe	AcroRd32.exe
PID 2964 wrote to memory of 2820	2964	rundll32.exe	AcroRd32.exe
PID 2964 wrote to memory of 2820	2964	rundll32.exe	AcroRd32.exe
PID 2964 wrote to memory of 2820	2964	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\app-11.17.0\resources.pak
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\app-11.17.0\resources.pak
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\app-11.17.0\resources.pak"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
705ccdd5c4ec4f2e52395d5f34a190e3

SHA1
6e63a187cf4ae2fbe8d71eafa03548afa9ec638e

SHA256
53015096c780f0a78821f95e53b376be40220faf53f981042a60910bb51a4c6d

SHA512
383332a74422311e5f3a6b14b4c4bbaa6ba9b6056fa929ae8a8e9ab482783eccf2e3e3c0c64b5e46d1dbdcda66ab30778bfb7073c24496c7fbba07ee4897e119

Download Submit