6f75e4e4094e055f39022d677bd04e89f58fa9934c2ad4e10dda4c4b41b0b3e1

Analysis

max time kernel
119s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aura/com/google/gson/Gson$4.class
Size

1KB
MD5

1b0e4089b42b77178c91dddec375267d
SHA1

0d9bf37e0b4186df714ad367be53932ebd7c18a5
SHA256

cecf9f7431c1b73b342146717c1f95434709d443bb67dab62f5d2d0b811a71ac
SHA512

f02e992e325ed89abc6b75ad3a60c2262160be2590d5d4e350062c1013bf2db7f2fc563ccdaa8c06ff2fc2476c3130a7a5e52048227f0dba471f8766c54780cb

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2768	AcroRd32.exe
2768	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 2280	236	cmd.exe	31
PID 236 wrote to memory of 2280	236	cmd.exe	31
PID 236 wrote to memory of 2280	236	cmd.exe	31
PID 2280 wrote to memory of 2768	2280	rundll32.exe	32
PID 2280 wrote to memory of 2768	2280	rundll32.exe	32
PID 2280 wrote to memory of 2768	2280	rundll32.exe	32
PID 2280 wrote to memory of 2768	2280	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Aura\com\google\gson\Gson$4.class
1⤵
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Aura\com\google\gson\Gson$4.class
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Aura\com\google\gson\Gson$4.class"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5a29fd4b5f05312fb01c1d4348c4ee18

SHA1
a38bf890ea6834a9677cc788f615e720ba64ca69

SHA256
61b7c5269692486d766d3571f277a94e5fe7a430f0a991eaf19553e61cbb7e71

SHA512
2c23e228e5face8d35a88005a149f7dfe64f32bf73d9ebecd82f36a49fc20283a0fe31a456de157fc248f28b51163db5b9d864641b43ae0142e31f02dd6dabcb

Download Submit