Analysis
-
max time kernel
117s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
14-01-2025 21:10
General
-
Target
OblivionCheatVIP 2.1/Addons/Microsoft/WinMaps.admx
-
Size
2KB
-
MD5
5a08143f3fd10007d14526c13b873e78
-
SHA1
7286e0823164400f7dbb5eb31e1e87a586913098
-
SHA256
dc368259c70a4dcf91b04f71a80961bb0dd8233092b01318c43fe01f6088e255
-
SHA512
87027f48cee30f40edef797f0b482521456f5749532ab8a5606aebe6535c3e0d7b23b9c979f06c40ac2aca11ac5c450c8456c59b70a49c187e06f81d0380528f
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\OblivionCheatVIP 2.1\Addons\Microsoft\WinMaps.admx"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\OblivionCheatVIP 2.1\Addons\Microsoft\WinMaps.admx2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OblivionCheatVIP 2.1\Addons\Microsoft\WinMaps.admx"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD582d56e867db907f02e1c0f3342a3bc50
SHA1e225762e0194eeadec191d612673206df174f69d
SHA2560815944119ada0e838f635fb839ce12e277afae29d7ab24b69112b023be95fbc
SHA51256cac65f05797ae2f3e1f6eacba3b9a45a469a1abab31ab43f10f790390dde2017263cdbfb6859e54c3b1e372f7aef88cc6759ffb35882ee6ddc5351cb33ab30