13483dc0f61d29683c45092618e98775462e5f68805de9931a5802b05ddda5fc

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GrowCastleAutobot-main/__open_in_clickermann.cms
Size

261B
MD5

98d882d45c5d939b0af212dd9f758f9e
SHA1

6a293568ac6d1bdd6eacb1d9652ce406a0ff88e7
SHA256

a36e2027b371a7f019a56bd3bd01c3fb2372287dc84378c9b3c3a3cf9cb0e478
SHA512

46fc513480967c77bda06df8186423b3a7467a5b369a00613d7423ab2653e788d93aa9c97ec29f9b6748a199e6b35c043f2c164b9129ff7fbe16f0952c2f0d36

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2776	AcroRd32.exe
2776	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2520	2352	cmd.exe	32
PID 2352 wrote to memory of 2520	2352	cmd.exe	32
PID 2352 wrote to memory of 2520	2352	cmd.exe	32
PID 2520 wrote to memory of 2776	2520	rundll32.exe	33
PID 2520 wrote to memory of 2776	2520	rundll32.exe	33
PID 2520 wrote to memory of 2776	2520	rundll32.exe	33
PID 2520 wrote to memory of 2776	2520	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GrowCastleAutobot-main\__open_in_clickermann.cms
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\GrowCastleAutobot-main\__open_in_clickermann.cms
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GrowCastleAutobot-main\__open_in_clickermann.cms"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4c18c3d82ba4a8b6e11000427898cbbc

SHA1
1acd15d934857628cc785104584d628bfc517852

SHA256
ff0a0b08d0c48e8a5091513ba46c5614453dae7375a36a021c4ce63b0dca8875

SHA512
31ce1b47c6b1f8b059551ec58d787c7e459d29a47abeb1ab072820076a7d5592c203be502f7e1749c14a112aab62d3608bc3223c8a67752d5182fad307e2c4e7

Download Submit