7fa3c53115c61a095da7ce93276e828198fba45f93c30bf245a0ffd9266a77bf

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app-11.17.0/chrome_100_percent.pak
Size

163KB
MD5

4fc6564b727baa5fecf6bf3f6116cc64
SHA1

6ced7b16dc1abe862820dfe25f4fe7ead1d3f518
SHA256

b7805392bfce11118165e3a4e747ac0ca515e4e0ceadab356d685575f6aa45fb
SHA512

fa7eab7c9b67208bd076b2cbda575b5cc16a81f59cc9bba9512a0e85af97e2f3adebc543d0d847d348d513b9c7e8bef375ab2fef662387d87c82b296d76dffa2
SSDEEP

3072:IOzwJCGIekwdLpsXYFAXg6IL2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:IOzw1Iekam5QpK18Gb0OV8ld0GecQ3Ey

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2944	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2944	AcroRd32.exe
2944	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2152	2608	cmd.exe	32
PID 2608 wrote to memory of 2152	2608	cmd.exe	32
PID 2608 wrote to memory of 2152	2608	cmd.exe	32
PID 2152 wrote to memory of 2944	2152	rundll32.exe	33
PID 2152 wrote to memory of 2944	2152	rundll32.exe	33
PID 2152 wrote to memory of 2944	2152	rundll32.exe	33
PID 2152 wrote to memory of 2944	2152	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\app-11.17.0\chrome_100_percent.pak
1⤵
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\app-11.17.0\chrome_100_percent.pak
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\app-11.17.0\chrome_100_percent.pak"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
538c01e83df9c34e570dc5fe15c78b88

SHA1
edffb18b8b638db68a2c6b3d41a36df8bb181bc7

SHA256
cdab1f188b358b87bbe4eb692fa5f002d8981c920d463a82ef568b8e7bac4f2d

SHA512
abb7289884dff70d341d4e77565132eb06fbaea7e38db23f76e95c59ac02b7ad6f6cb2a611be928d4a03f03c233e7c66241daf96c362a8c71147ef36b98d39df

Download Submit