304947e91f66751b25d0899c7b9feffe43a5620b13fd5de4a8c5642d638ce45f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Modisterne.pse
Size

2.5MB
MD5

1b2d833eaef04d649440096bc2ddb99b
SHA1

4a930d046e17a26c6ba326b67f83844023f09e98
SHA256

9406dbd3013617834c7b1023fbe67e1edc622dd4cd1e5c314ea8d651ce480d62
SHA512

575a45869e9d260b87eead265820f08a6ef6ed47f3b91cd88fd56f2d95abb46b8cbbb5aec09b4ecc7cb35984a0420d0a0db48fee657bb34c7e1784e4486aaeb2
SSDEEP

768:pJXirUX802MSH/8z9pnOiOTLK4ZRTs4M5WNzmScNtsyiv8DJ1ke4Z/lHdXose5kX:nnqwuyr

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2604	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	AcroRd32.exe
2604	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2584	2676	cmd.exe	31
PID 2676 wrote to memory of 2584	2676	cmd.exe	31
PID 2676 wrote to memory of 2584	2676	cmd.exe	31
PID 2584 wrote to memory of 2604	2584	rundll32.exe	32
PID 2584 wrote to memory of 2604	2584	rundll32.exe	32
PID 2584 wrote to memory of 2604	2584	rundll32.exe	32
PID 2584 wrote to memory of 2604	2584	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Modisterne.pse
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Modisterne.pse
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Modisterne.pse"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
804a412697e18ca3fd5b48fc1c5c9d62

SHA1
8df88d8c3c91a251f63aa546aab725c27dc03de3

SHA256
ac47f3c5c72bdbb5f2b878ac09166770b46fee6bb50247b925a3c11085ef5731

SHA512
89699e212884eec96f9fad29d3fd1a36711e4f499393355c1e65f0ceb1b3250deb29ebfae5d83e2393f8f0308cfb5d97e63ea31772361fb8ff4143c57e1c6626

Download Submit