b87b4a52420908ca443b973a854c650b1a0b2ef436854ceeed320bd0357aff43

Analysis

max time kernel
122s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data/obs-plugins/win-capture/inject-helper64.pdb
Size

428KB
MD5

7aafb78fc0dbd076c9f321ae02852dc6
SHA1

fd720fad8b076985e8f6ebf32ccc8983056b0b15
SHA256

01d7ac865b08cf9ed1a5d2f265e3328cd6532bd648115978c5bd1b7f790690db
SHA512

6d31acc9f52de7547aaf0e323cc35ad1a87fcf7a20db7518fcbb7843d293c0cc7f44d513918a75900bcd671a0c6ec5cb5b12ca2c626345343dead06de6f1553c
SSDEEP

3072:MXEVrOAM0t8k69CAaPBQjeW17GGAkxlRHieGC2Rw8vkOjzOAa:6ExYvALg7Gy3ieGC2Rw+knn

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3036	AcroRd32.exe
3036	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1668	2844	cmd.exe	29
PID 2844 wrote to memory of 1668	2844	cmd.exe	29
PID 2844 wrote to memory of 1668	2844	cmd.exe	29
PID 1668 wrote to memory of 3036	1668	rundll32.exe	32
PID 1668 wrote to memory of 3036	1668	rundll32.exe	32
PID 1668 wrote to memory of 3036	1668	rundll32.exe	32
PID 1668 wrote to memory of 3036	1668	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-capture\inject-helper64.pdb
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-capture\inject-helper64.pdb
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-capture\inject-helper64.pdb"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8f088e987a90bcc8db26823385846c5d

SHA1
6e394aa388317afa231d3ea359e6733dca408071

SHA256
f8d5b62c83d36067b0049ecbc7d59a73bda5adaf274083ae818bfd7c34c578f4

SHA512
9e5ff4218af90589180800f4084bbe363e555be481e9845d9778d880c034722c1267010fb8e33e50f91b982bdf6c07bc657d25b62cb57914581c542484190f57

Download Submit