304947e91f66751b25d0899c7b9feffe43a5620b13fd5de4a8c5642d638ce45f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uncleanness.eug
Size

3.5MB
MD5

9f17dea8336aa77ebe99d5ae830599a5
SHA1

4b96dad7cef514097c8ce27f59dd7336aa042137
SHA256

db28f064f22a938f1df25a92caf0ede928d394e74edbd5eeae9284f45271c0ae
SHA512

ea2a1594beca24312782f0c5e2beebf995bababf021c2bd77d90367b1e1c85e502ff692df290e9a55a2830fcafa5e5aed07cc6333fd466e8983e788a68d070d1
SSDEEP

768:DR1y8+DeswkiCnPDx28+wzVhdlm5z9xUT2hhDvY1ALowOvixHJaBpU4og59Nud+3:8/EE4HQNFVttkw3CL4B

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	AcroRd32.exe
2748	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2884	3040	cmd.exe	31
PID 3040 wrote to memory of 2884	3040	cmd.exe	31
PID 3040 wrote to memory of 2884	3040	cmd.exe	31
PID 2884 wrote to memory of 2748	2884	rundll32.exe	32
PID 2884 wrote to memory of 2748	2884	rundll32.exe	32
PID 2884 wrote to memory of 2748	2884	rundll32.exe	32
PID 2884 wrote to memory of 2748	2884	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Uncleanness.eug
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Uncleanness.eug
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Uncleanness.eug"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6959190e3b30add5f817b0069a65eb2d

SHA1
c7b3c966e0ac43aa1d8759cc73f258c907a8fa3f

SHA256
22b303d6e91c84b0f671484f8be8b240322806044d82bb58bb382ed2fbad234f

SHA512
285828a9c147fbc8b0fa4441306703f0d3ee31e327110acdd4f6733101419a56da028837eed1af3cc0013cf31e069ac6e78817f28baf77005588a6fd0fe6fc10

Download Submit