644372d31b62c327439aefff7ae0d2d2b09cf8a9963c4d10408731358c1ce879

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

locales/te.pak
Size

942KB
MD5

02415ded02cc7ac25e8f8d0e83365061
SHA1

5a25bf63ec97dbeb37e64ab3825cbbce6326a5cf
SHA256

97024f0cfac78e0c738e771beea1e35f5a8eb2b132b3043b59ce4ecd6c153523
SHA512

54e658c6d432b29b031be278e5b4396ac14b0f85e1f772a0a76c0431d4cbe2370ff2898077837688e2fb9700db1eab7a19e4e350a280a2ffad8176d861d93e45
SSDEEP

12288:zqfk4UYABx3p1F9SviTlw2cTgCNFO9gr/p54JkQJgw4taJCb8+58XfX0Dxq9OyUn:eM4U4lp5WMfD

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AcroRd32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2796 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2796 AcroRd32.exe
2796 AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

pid	process
2796	AcroRd32.exe

pid	process
2796	AcroRd32.exe
2796	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2128 wrote to memory of 2912	2128	cmd.exe	rundll32.exe
PID 2128 wrote to memory of 2912	2128	cmd.exe	rundll32.exe
PID 2128 wrote to memory of 2912	2128	cmd.exe	rundll32.exe
PID 2912 wrote to memory of 2796	2912	rundll32.exe	AcroRd32.exe
PID 2912 wrote to memory of 2796	2912	rundll32.exe	AcroRd32.exe
PID 2912 wrote to memory of 2796	2912	rundll32.exe	AcroRd32.exe
PID 2912 wrote to memory of 2796	2912	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\locales\te.pak
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\locales\te.pak
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\locales\te.pak"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
70dbc82cdf186f657ee948e197bae81b

SHA1
3afa03f4eb817e5cbac4dcfa2a0440b7cea36366

SHA256
079b326d52cf5d19e23f39890b691155db99b9c037d402299ad527b0e904f7e2

SHA512
44870498153161ced48358c411cba189f52b9ae440f0a998ab7db562fd2de7e395eacd1bf236e9555ecab000c2f910a5a70b7072473168113b40ed53d2e72a36

Download Submit