Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 12:52

General

  • Target

    Exodus-12.20/Shaders/BasicPS_Deferred.cso

  • Size

    6KB

  • MD5

    0559cd1ae8efcb68a517791b4c90a897

  • SHA1

    661d7122952e6c8afbb39db6961bf63f36a28ca6

  • SHA256

    c757edb4fda126d67e873fee88e5c415c140855527b19f301aff45b113bd89c7

  • SHA512

    0da780d4fb1eb19f538bdcffeb88b0796a4fdb882f94720bc0f64196c69d8d55f2dc202a4cdd5dfe4b0819d180b2df483f80f8bcb2a11a4ce3a77414071fbaa1

  • SSDEEP

    96:b35xGVE0mlpK1AY0VQIYS1CSWeJ6uUhaK:ViE0ml/Q41CSWeJ6uU4K

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Modifies registry class (1 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Exodus-12.20\Shaders\BasicPS_Deferred.cso
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Exodus-12.20\Shaders\BasicPS_Deferred.cso
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Exodus-12.20\Shaders\BasicPS_Deferred.cso"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    d24c1d1c67b1528eccf5ff4e5ec951e0

    SHA1

    2298bd6434dae042a8d4af037d917f632b268db8

    SHA256

    34a3f26fe2f634090452a18a3543988f416e0cefa566f0a18b95afa952926b40

    SHA512

    f9e9f944adc48c27e575b23455ff3884e8ec6195eb240a3c7fd5033aa49d70d2013b657efa70ba868553530d4dcde5c3ebfd67b2e6ae9c7cc42bbe566d873743