8e7391f55642f8b52e8c20afb4007a7df1a85215a12660cff88590b4cc631420

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x64/bin/fgetcsv_variation14.phpt
Size

4KB
MD5

a0f14607f14a2646e0f88046a549c247
SHA1

afde6665d6206580f3c124bee57941cbbbd1b487
SHA256

07b9e0b8eb22533f6f4f7781aec76d42a9d696b66db0fd0800754ce15ccc7efc
SHA512

4ee0291e266266dfd973a7622d731cfe0da650cc5a66ffe6f9a02c54f3890a805e9840d69f3949869ec2881c6e991630611533e42d9299e24ed2949191721938
SSDEEP

48:mz0JUp1euozN+X8bkFuD/L9CAQwCqTqbS1/q62fI:mrkuWN+sQFy/ZCAvYSB3

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2724	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2724	AcroRd32.exe
2724	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 112	2272	cmd.exe	31
PID 2272 wrote to memory of 112	2272	cmd.exe	31
PID 2272 wrote to memory of 112	2272	cmd.exe	31
PID 112 wrote to memory of 2724	112	rundll32.exe	32
PID 112 wrote to memory of 2724	112	rundll32.exe	32
PID 112 wrote to memory of 2724	112	rundll32.exe	32
PID 112 wrote to memory of 2724	112	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\x64\bin\fgetcsv_variation14.phpt
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\x64\bin\fgetcsv_variation14.phpt
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\x64\bin\fgetcsv_variation14.phpt"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6ac6739a53be5777b713668720bfe9ec

SHA1
6bd8124386a1465be9192e9573677d6952af9dc0

SHA256
aa76c95129969e0faf33d149cd5c8ad5ada93a45d0e4d5eb0eb413154398db71

SHA512
faf7d92b67902011533e8c82f118cd94e2d6f6c705088931e5c5d21904d14c2267c47db1532bb1a9db053b92feaaacefed37390a6130cafeb8c2a4282160c8a1

Download Submit