Resubmissions

13/01/2025, 00:07

250113-aet59aymcl 3

11/01/2025, 23:31

250111-3h1resxjcl 10

11/01/2025, 23:29

250111-3g1p2awrgr 10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/01/2025, 23:29

General

  • Target

    Drivers.tlog/CL.read.1.tlog

  • Size

    37KB

  • MD5

    540800b6faee0f47d6a3b10b6d922f23

  • SHA1

    3967e534bbfa085628e5bcde3fd5ac1c3f5c0bea

  • SHA256

    f268463fdc5d6124b54c8712fce2ffb3b1d0d6e2c8bb19538b2942e16416eda8

  • SHA512

    92635ae853db82d130ef9d123e38fdbf4a76ec16954df9e5aaa4fb06650b4de7f622a17d73601493edc10fcba4ec1ea01e9745dafd6a3e2e956df5efe870eeb3

  • SSDEEP

    768:TOGFKvHUg2P1KvRF34iGo+FNEkcg7JEkE2faXuFM61u5iGa1do:TOGFKvHx2P1KvRF34iGo+FNEkcg7JEki

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Drivers.tlog\CL.read.1.tlog
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Drivers.tlog\CL.read.1.tlog
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Drivers.tlog\CL.read.1.tlog"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    8d8483ad1675e84a4aeb6818f01e6949

    SHA1

    da81980838da9f297599dd19b26c82a2bc4b135d

    SHA256

    8aa98e316b02f97e04e35e91b903e0074993f6ee8b6198b0854a9e443dcbfd31

    SHA512

    d501538cee06eed803d75aad813261160ae21ec65164fa0245f7271481e35b0be0ab871196dbcaf210a2c238b81a7e9d763b4afdaf86500aeed65d7200ae8778