ed71cd9ff18c0b4d79ded9c8798e5c99de85986a30a46ad25f40c4e8d6f0ce23

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

250103/random.sh
Size

1KB
MD5

95bbe14ac6fcdd039906129c5a23d596
SHA1

4ecce0daeb15c10384e784cc98aca114c50ad2c4
SHA256

ee0faf107bf34a08c98f720ef0ff6225b14df94b50baa2d827451ad04f4d5971
SHA512

d0240667d4c2eba2f1545e0bed499fffdd73c6a2d339ce338aa24c245b3d36700af374460b8a296365e7faf03c50f54936f24a686eaa9ea5d287a87f7e7b4bc3

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	AcroRd32.exe
2832	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2840	2804	cmd.exe	31
PID 2804 wrote to memory of 2840	2804	cmd.exe	31
PID 2804 wrote to memory of 2840	2804	cmd.exe	31
PID 2840 wrote to memory of 2832	2840	rundll32.exe	32
PID 2840 wrote to memory of 2832	2840	rundll32.exe	32
PID 2840 wrote to memory of 2832	2840	rundll32.exe	32
PID 2840 wrote to memory of 2832	2840	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\250103\random.sh
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\250103\random.sh
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\250103\random.sh"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
dc33f28f58e76db30d01d1c196768042

SHA1
cbe0c3b6583c197018b51718936adf5862cc3309

SHA256
0a296672042fee6b4e0414b4c740e7f02e4ff7febea5944dddccff016b45d1bb

SHA512
12be9d6fb204ba4b5575333669c8089e89d25938adc4a35f8a1ddcfd9554cec55164303bae66e1d4f47e466e019f83ceddba50d69967481f928a663d5e5124e5

Download Submit