3d1067331b7bed8a818ca2efcec2136667f2a180d0ee716a6f9b475e9df2fd7d

Analysis

max time kernel
103s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unrhymed.adi
Size

92KB
MD5

4e17cfae8be669dc88bb9343f971862b
SHA1

642ea7d1c06f438146d2df1b132ac7e85a261917
SHA256

25615665769858efd92342269955c6acd095520d8fe5b5fb1633d28ed92cd840
SHA512

7209c60bd74062f9e689a8389f671c0e0b531b764858957c5724ae548e28a163809b5a7b998d680250afd84d1bc28414ead65d12d8d352cf4d4b0e9e4bac2237
SSDEEP

768:RtbjIxO6JaLTYpLJL8Ku9ytaVXzM3gdDENCc2wqlx9:z6gLTIgt9Krox9

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2060	AcroRd32.exe
2060	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2104	1996	cmd.exe	30
PID 1996 wrote to memory of 2104	1996	cmd.exe	30
PID 1996 wrote to memory of 2104	1996	cmd.exe	30
PID 2104 wrote to memory of 2060	2104	rundll32.exe	31
PID 2104 wrote to memory of 2060	2104	rundll32.exe	31
PID 2104 wrote to memory of 2060	2104	rundll32.exe	31
PID 2104 wrote to memory of 2060	2104	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Unrhymed.adi
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Unrhymed.adi
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Unrhymed.adi"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a209e45558e4dbd2b6b1b8a97ea3c3b6

SHA1
476582ca8852ccaeb4d34abf67b5cc6b514f3e13

SHA256
e68fd2d7b42fd0a9268ac991aa5a644bb50efa208f38620877983f1e6a2027bf

SHA512
195106e1dfd26ad6891cab873e642d257afdf6203bc7218007271bf0b84884963e508f60c3f8fa670ef2440f06ce4727ccf0c9fadcc0c3ba926b2a7aba31c12a

Download Submit