c1152916f8118500a2abf7792af3fb7e52f8a2e219c24a5c4db2ea8ec2eb8d78

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runn.sh
Size

225B
MD5

ffbb1e71f3a537717887b4562786c91e
SHA1

7c59088e2865157eff04eccba48eeccb42c2e0da
SHA256

c1152916f8118500a2abf7792af3fb7e52f8a2e219c24a5c4db2ea8ec2eb8d78
SHA512

cda29a9e909715299c0d3bd8ff305cc1559589f9baf6ad7141d3453142ad27bdc2d68c151b1e8e4e44f85b67f1ad25c03980c7c4a5a09cc75d2e49e106b6fdff

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2924	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2924	AcroRd32.exe
2924	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2900	2580	cmd.exe	31
PID 2580 wrote to memory of 2900	2580	cmd.exe	31
PID 2580 wrote to memory of 2900	2580	cmd.exe	31
PID 2900 wrote to memory of 2924	2900	rundll32.exe	33
PID 2900 wrote to memory of 2924	2900	rundll32.exe	33
PID 2900 wrote to memory of 2924	2900	rundll32.exe	33
PID 2900 wrote to memory of 2924	2900	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\runn.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\runn.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\runn.sh"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
16d72b2b9ad6d8198e06ca36f6bcb872

SHA1
066c5a6bd232435dd388f9228431399537a0366c

SHA256
a8aab9c9903d9af5c6cc91670ba8aefffd982ab1063817fd6e7545045b391510

SHA512
b5be1820466f9368b64c22adb1e877bf52075934ff07f9a10546c5c9bb261cd30d57fcb80b8eeee225260e4930bdb0c3560c3426290b466363c708cf82a45361

Download Submit