650880b1ce23cd5339011a06388fa5e2be9eb74c21b65f46efcd8bb5ca8cb8bc

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Item/item_bean.dds
Size

14KB
MD5

77da9f735888a397b3e05a736e17066d
SHA1

af8cce309fa61f2c4366fdbe84921fbe821ffe9e
SHA256

bd08ab8e5394e8bbaff816920a87cd75bf0aa0b6f8fbac944026c97a75d5b96c
SHA512

2b45d985d6060b329256758af95e70db9a90c2e42cf2fff796aad7dd6ab45a0222b87ce637d071d9574743987c29f770fc051981dfec14d137c52e822a2c28a1
SSDEEP

384:VMfkdSIbdaBrbif8p28pzdWubqe96DuPYap9TvHayvz2/zf:V3dSIYhbif8M8phW1Rc1HNW

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2920	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2920	AcroRd32.exe
2920	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2756	2324	cmd.exe	31
PID 2324 wrote to memory of 2756	2324	cmd.exe	31
PID 2324 wrote to memory of 2756	2324	cmd.exe	31
PID 2756 wrote to memory of 2920	2756	rundll32.exe	33
PID 2756 wrote to memory of 2920	2756	rundll32.exe	33
PID 2756 wrote to memory of 2920	2756	rundll32.exe	33
PID 2756 wrote to memory of 2920	2756	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Item\item_bean.dds
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Item\item_bean.dds
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Item\item_bean.dds"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
66e5bdbccf7af42686f823180ccb6a16

SHA1
c231eeb208fc8f81312b07db1f3c84dac6e3721a

SHA256
664d499062970ccbee477d77c1c8b27c20bbb01aacd156a32700e5288ed2936d

SHA512
7990b347e5e86ca3f6671f18995093edb30fcc73a1ff73f26984b2052b77a580253d5f13d1cd78f2e6c980421ce1ebb877f62cfc12ff69dd92c5afed868416cc

Download Submit