Analysis

max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 19:57
Static task: static1

Behavioral task: behavioral1
Sample: 186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77.a3x
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77.a3x
Resource: win10v2004-20241007-en
General

Target: 186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77.a3x
Size: 4.3MB
MD5: 08c6a7bcd8945856dfcc5bf247049586
SHA1: ada4b5594a44eba87d3afc23f182f452ba0dc7c9
SHA256: 186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77
SHA512: 9089fa2655390bfe335a654743c718bc743a10ce042874c09e9093b6eab706c6a756a9b977c9f49874637f5ca99a112fc893dfcd9ab4582f9a5304a8a86de148
SSDEEP: 98304:iwAdbxY2G3T5moaWIlyhe2UwB9W4WlTAXZRolhmwmxIXjuSA:IdFRINmoUyhd5BwvTAXZRolhmwmxIXj2
Malware Config

Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings | rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2724 | AcroRd32.exe
  2724 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 1388 wrote to memory of 2828 | 1388 | cmd.exe | 32
  PID 1388 wrote to memory of 2828 | 1388 | cmd.exe | 32
  PID 1388 wrote to memory of 2828 | 1388 | cmd.exe | 32
  PID 2828 wrote to memory of 2724 | 2828 | rundll32.exe | 33
  PID 2828 wrote to memory of 2724 | 2828 | rundll32.exe | 33
  PID 2828 wrote to memory of 2724 | 2828 | rundll32.exe | 33
  PID 2828 wrote to memory of 2724 | 2828 | rundll32.exe | 33
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77.a3x
   PID: 1388
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77.a3x
      PID: 2828
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\186efc26ace999808724cecc29182a6a348c0c4de8e18cbd40041dae2221ea77.a3x"
         PID: 2724
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx