80a014e40493d25ab26964e06ee2c8c885bb8c70d549d1eacd6fb2626cd9a9f5

Resubmissions

13/01/2025, 00:07

250113-aet59aymcl 3

11/01/2025, 23:31

250111-3h1resxjcl 10

11/01/2025, 23:29

250111-3g1p2awrgr 10

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Drivers.tlog/CL.read.1.tlog
Size

37KB
MD5

540800b6faee0f47d6a3b10b6d922f23
SHA1

3967e534bbfa085628e5bcde3fd5ac1c3f5c0bea
SHA256

f268463fdc5d6124b54c8712fce2ffb3b1d0d6e2c8bb19538b2942e16416eda8
SHA512

92635ae853db82d130ef9d123e38fdbf4a76ec16954df9e5aaa4fb06650b4de7f622a17d73601493edc10fcba4ec1ea01e9745dafd6a3e2e956df5efe870eeb3
SSDEEP

768:TOGFKvHUg2P1KvRF34iGo+FNEkcg7JEkE2faXuFM61u5iGa1do:TOGFKvHx2P1KvRF34iGo+FNEkcg7JEki

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2672	AcroRd32.exe
2672	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2696	2628	cmd.exe	32
PID 2628 wrote to memory of 2696	2628	cmd.exe	32
PID 2628 wrote to memory of 2696	2628	cmd.exe	32
PID 2696 wrote to memory of 2672	2696	rundll32.exe	33
PID 2696 wrote to memory of 2672	2696	rundll32.exe	33
PID 2696 wrote to memory of 2672	2696	rundll32.exe	33
PID 2696 wrote to memory of 2672	2696	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Drivers.tlog\CL.read.1.tlog
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Drivers.tlog\CL.read.1.tlog
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Drivers.tlog\CL.read.1.tlog"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8d8483ad1675e84a4aeb6818f01e6949

SHA1
da81980838da9f297599dd19b26c82a2bc4b135d

SHA256
8aa98e316b02f97e04e35e91b903e0074993f6ee8b6198b0854a9e443dcbfd31

SHA512
d501538cee06eed803d75aad813261160ae21ec65164fa0245f7271481e35b0be0ab871196dbcaf210a2c238b81a7e9d763b4afdaf86500aeed65d7200ae8778

Download Submit