144778790d4a43a1d93dff6b660a6acb3a6d37a19e6a6f0a6bf1ef47e919648e

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02/02/2025, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pegasus.apk
Size

7.0MB
MD5

29183814f45616d831fdc139e3113718
SHA1

aa47b601dd3a01cf0ec5e2e6da5c4f90c49ba71d
SHA256

144778790d4a43a1d93dff6b660a6acb3a6d37a19e6a6f0a6bf1ef47e919648e
SHA512

c255f6751e97692b4517c9a4d240393098c58e626e09b0d0189b81a8f6cd20967a2f15ce9d793fa8aec76246cafc7d9b2326bf06f6adbd547f458a7d04b17d1d
SSDEEP

196608:pJVfGouCB8oMxqANNjYYUMLRoCRMggq2k+E9p+o3k:prf7uC/Mxq4YSLRowMPqj+E9Io3k

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2668	AcroRd32.exe
2668	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2948	2816	cmd.exe	31
PID 2816 wrote to memory of 2948	2816	cmd.exe	31
PID 2816 wrote to memory of 2948	2816	cmd.exe	31
PID 2948 wrote to memory of 2668	2948	rundll32.exe	32
PID 2948 wrote to memory of 2668	2948	rundll32.exe	32
PID 2948 wrote to memory of 2668	2948	rundll32.exe	32
PID 2948 wrote to memory of 2668	2948	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Pegasus.apk
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Pegasus.apk
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pegasus.apk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
28b2c34a53620ecec2b268926d2b32f5

SHA1
6aa7440cbe15e646bb104dd8bc522fb455fe1a3e

SHA256
998f4042ee0064621e9dc7ce2d44f788fb15b371b12ce23223ec8cf3d5aba190

SHA512
a180220d3d1a41e007e76ff7dc112b7071d201da5388ca66f10000832486310d50b556a198d40e5219e3639ad59e2329174ee3f8058d8002c5b8e904cce2dff5

Download Submit