00aad8286667267aa201d918a83ed305bc2585e54a80304e17c14857b40939f2

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

encrypt.sh
Size

181B
MD5

61e5437e98dfc1ddb6589e617d57793b
SHA1

4eecf6c6fa6db4242ba1b24fb919c2a974295ef4
SHA256

00aad8286667267aa201d918a83ed305bc2585e54a80304e17c14857b40939f2
SHA512

c18a6fb7411425cc5f905228650495d4b3c5c05215a09a697734a0056d07d86f46e2aa457e4d25be4aa9e6bb47d633c20bb6750167548e6e7b36d54f72c38125

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2788	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2788	AcroRd32.exe
2788	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2380	2404	cmd.exe	31
PID 2404 wrote to memory of 2380	2404	cmd.exe	31
PID 2404 wrote to memory of 2380	2404	cmd.exe	31
PID 2380 wrote to memory of 2788	2380	rundll32.exe	33
PID 2380 wrote to memory of 2788	2380	rundll32.exe	33
PID 2380 wrote to memory of 2788	2380	rundll32.exe	33
PID 2380 wrote to memory of 2788	2380	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\encrypt.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\encrypt.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\encrypt.sh"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
059deead7cc38784d3c512993df94e6d

SHA1
5c95cd9693a6bacdfd385e19b588cadf276dd61c

SHA256
7865e79c7f7fad761c7718a48e7934470f45e189496b4bd24c6f3cf9c42e21a4

SHA512
0851171be7b19e081b3099c2bf627f22c5f5f87e4449bd318ba6d815e85cdb51eae758df8b7d7eaabbf31021a844c37afd44f3db28814e9d7cf088fc07fb318f

Download Submit