61a6e4dbd178f255925e5155f25e3677dab20b5a25b56de0c46ee94000fe7af1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31/01/2025, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AK-grabber-main/A5 Grabber/Components/rarreg.key
Size

456B
MD5

4531984cad7dacf24c086830068c4abe
SHA1

fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256

58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512

00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2264	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2264	AcroRd32.exe
2264	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2740	3044	cmd.exe	31
PID 3044 wrote to memory of 2740	3044	cmd.exe	31
PID 3044 wrote to memory of 2740	3044	cmd.exe	31
PID 2740 wrote to memory of 2264	2740	rundll32.exe	32
PID 2740 wrote to memory of 2264	2740	rundll32.exe	32
PID 2740 wrote to memory of 2264	2740	rundll32.exe	32
PID 2740 wrote to memory of 2264	2740	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\AK-grabber-main\A5 Grabber\Components\rarreg.key"
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AK-grabber-main\A5 Grabber\Components\rarreg.key
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\AK-grabber-main\A5 Grabber\Components\rarreg.key"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2b8d0fb8c633d73515178c83448313c8

SHA1
f40f6be9c235e003eff75093fdf7b0026ad2e281

SHA256
d00bcea0d1b9b680ac668184e8021bfccb576295e89f9761e8d5cd60d7c428ed

SHA512
ab96c1c459aa3fcae8ec36f76abbd5b186fad6f9547ae044ccbda57e59945929a13658ccaae2c0868ad6184e9d8b8b9f771aae8548545beb65de58adc37396fc

Download Submit