3d6bc3c0247c2b4f87282da002475ac068b5b6cac948743f697832a9a4a4c6de

Resubmissions

21-12-2024 17:42

241221-v9y3xavlaz 10

20-12-2024 23:19

241220-3bbtqawpat 10

20-12-2024 19:29

241220-x7fjwssqdm 10

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XPloit.runtimeconfig.json
Size

443B
MD5

9db099f143ead47e224653d0dde19fe9
SHA1

d050db767fc64aa1705353132da3e35048475d3c
SHA256

7e79af92820e50910b90f1cade2728f45987393f24b50e384dc225d9773b7194
SHA512

579c3c870903b3d47dbc2567153fa7c73e0aa47387c6969b8982037884033a4b25de702e0efb8c7ae717b6b463192b917b18a79b1ef5f8c969f257422af2b65f

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	AcroRd32.exe
2672	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 3036	2940	cmd.exe	31
PID 2940 wrote to memory of 3036	2940	cmd.exe	31
PID 2940 wrote to memory of 3036	2940	cmd.exe	31
PID 3036 wrote to memory of 2672	3036	rundll32.exe	32
PID 3036 wrote to memory of 2672	3036	rundll32.exe	32
PID 3036 wrote to memory of 2672	3036	rundll32.exe	32
PID 3036 wrote to memory of 2672	3036	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\XPloit.runtimeconfig.json
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\XPloit.runtimeconfig.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\XPloit.runtimeconfig.json"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3d6e96dba96856c9aac129aec5e77e3e

SHA1
0697dd564723bd04bc8f1bea839339113f63561c

SHA256
df4de4f7b5bee3785d9f7d6da6234333b4e960710d3abdd014945da3dd41c1d4

SHA512
6e5848e4e39c690e519de817cf14b217ba809b590f38fce94baed6159dd62380628e968eb2996df1cd77ee181fa752c73694e29a823c774b8007d4c57d1d0ef1

Download Submit