ca5a0e2963dc959524712f6d71b937d20a2bf15a4fece708ede9a84b50bb2ebf

Analysis

max time kernel
43s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unlearnability/quadding.tyr
Size

72KB
MD5

a959e5a5fd15840c3a0c589620a29fa4
SHA1

fae450e740c69aa7d2486f7a9acae6912b1a0b4a
SHA256

74f8506cdf0fc211b9abb284ec7b6f608d155b3b5060287f773abe80822ab3d3
SHA512

88269f17fceb7222d222c277fb0e1bd8c873743ff36bb45287cb5ba907429cd1edf17089ba17ca80377d86b87974421cc083d457a46bd9098c9fd5b007674b72
SSDEEP

384:QBTulxdphSS9mcIE5JeQrqaaMgjdK4hfYUaNuUE/sIzisU2bG+6:QBs9uE5jlasv3cw0GN

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	AcroRd32.exe
2740	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2464	2248	cmd.exe	30
PID 2248 wrote to memory of 2464	2248	cmd.exe	30
PID 2248 wrote to memory of 2464	2248	cmd.exe	30
PID 2464 wrote to memory of 2740	2464	rundll32.exe	31
PID 2464 wrote to memory of 2740	2464	rundll32.exe	31
PID 2464 wrote to memory of 2740	2464	rundll32.exe	31
PID 2464 wrote to memory of 2740	2464	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Unlearnability\quadding.tyr
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Unlearnability\quadding.tyr
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Unlearnability\quadding.tyr"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9e653dcc5fc40bcddd113b90bf0a84c7

SHA1
fb62fad24300efdbb35dfd50448ca73e0e31e082

SHA256
98821f2d297c4e557002d959935fffe6b54e67a61765853fdd41f09e7e430ed7

SHA512
c89f146107236d11723eda8390c7757b1d0f103b984906d4eac41ad2d310b722d7b7ba7bce2bc7a01fd972b3df5e7451f75ece798e63e4d780715654d60e5331

Download Submit