Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 01:15
Static task
static1
Behavioral task
behavioral1
Sample
голые фото.apk
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
голые фото.apk
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
голые фото.apk
Resource
win11-20241007-en
General
-
Target
голые фото.apk
-
Size
4.2MB
-
MD5
d3c9ff78acd0d1852fa2431aa735b4bb
-
SHA1
1630b2dbbdc42c6c9bdf18ab8a062c946cd4b762
-
SHA256
d9092bf5bfa631044fd1392fdf988ac5e5dffa2384202d6e7f6e6760fc5dde0b
-
SHA512
419a529305403ea80fafa344db6b48dc02423dcf2c08d1d8b62e699f69e7dc635c8b8770ca4af1277db39e81bc40e0b4cf00aa22b53b4fc9a0d58cb45658e8ca
-
SSDEEP
98304:yKukrQKBHMmuLd2QLuBnGOSyMwBqIGRoorkGT:tQKBHMmuLd2QegRoorh
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2820 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2820 AcroRd32.exe 2820 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1724 wrote to memory of 2500 1724 cmd.exe 31 PID 1724 wrote to memory of 2500 1724 cmd.exe 31 PID 1724 wrote to memory of 2500 1724 cmd.exe 31 PID 2500 wrote to memory of 2820 2500 rundll32.exe 33 PID 2500 wrote to memory of 2820 2500 rundll32.exe 33 PID 2500 wrote to memory of 2820 2500 rundll32.exe 33 PID 2500 wrote to memory of 2820 2500 rundll32.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\голые фото.apk"1⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\голые фото.apk2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\голые фото.apk"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2820
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5a528310eef2490b9a59070cd2713738a
SHA1d6507cf0a381f203aa8d175a68da507085e16ad0
SHA256a227fa338642c0a84ce305aeeae00dea578eab36dbd4f3a9073125ec9cb0459d
SHA5129ace9d74ede0609d90cee71470930af8dd823425a7dc9adec6d1f2733cd712f461e2bd54aa44b3004e2fff85fcd9d34b07b0db032df7f65f1a5ecf063b412dd3