4861dc86e0eef13b546d4a6e69e1f9ada2a81ee13bf4c2a4f55f381e6c4a2c72

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

platforms/aix/local/701.sh
Size

254B
MD5

c1bb34335be971e81ed7151e7a9509e2
SHA1

af88306bc96eb540d33a5a66e87299af25b9d01c
SHA256

5e1a429e18711ad8072c8bd15985f48e103862dc19e42f68030de5deaef9cf50
SHA512

ee62d0cdc3dd4fa87909b65456019a411b83cab6eb44fc5fd67a469bc995a8acf8eddaffce702162fc815a061c73ec448f6a524957a41e1036feb2b4fd758820

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2924	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2924	AcroRd32.exe
2924	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2456	1728	cmd.exe	31
PID 1728 wrote to memory of 2456	1728	cmd.exe	31
PID 1728 wrote to memory of 2456	1728	cmd.exe	31
PID 2456 wrote to memory of 2924	2456	rundll32.exe	32
PID 2456 wrote to memory of 2924	2456	rundll32.exe	32
PID 2456 wrote to memory of 2924	2456	rundll32.exe	32
PID 2456 wrote to memory of 2924	2456	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\platforms\aix\local\701.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\platforms\aix\local\701.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\platforms\aix\local\701.sh"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
cdd096af4d21b1352ff0d5b2ca16651d

SHA1
92cea6cd84f4173dae8fa808b185f64bd6913cba

SHA256
d7c27009016f61bb08915bdf2eca2be902df2d808e948d286fc520bdd0c03562

SHA512
0c181c1c426ae2cf92013a3b355c673bb62a9097bdc6822ccc1a1b7d45302e5ea8aff53bafb7034f135b86aa3283dfb2b6d842c0f926a575f71fdec5c6272039

Download Submit