650880b1ce23cd5339011a06388fa5e2be9eb74c21b65f46efcd8bb5ca8cb8bc

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Item/item_balloon.dds
Size

5KB
MD5

04e3b569cf14c5e3a89564fe6f5312b1
SHA1

90d764818efa4d1861a83b09b589988c36f62a48
SHA256

8102c2381032844962c42d65e43c7ac54a36428043d398bc8efd65dd8cbcbb03
SHA512

18f08b6a2effb5c1b19a95388f45521db4cd38d399dc69eb9948d697dc791cef1bbb6abcde5eb56851becdf53eb70678ade4ca319e70acc043217e160d2bf49b
SSDEEP

96:I9lkzkGQopLwFdneAtNIbvLUXtcfOSz2gVKvZwYJAkIvQ4vjhF7NyIPr3ZLlAj8v:IEzx8eia7wXtcfm65YCjpys5qjbVI

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2668	AcroRd32.exe
2668	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2796	2080	cmd.exe	31
PID 2080 wrote to memory of 2796	2080	cmd.exe	31
PID 2080 wrote to memory of 2796	2080	cmd.exe	31
PID 2796 wrote to memory of 2668	2796	rundll32.exe	32
PID 2796 wrote to memory of 2668	2796	rundll32.exe	32
PID 2796 wrote to memory of 2668	2796	rundll32.exe	32
PID 2796 wrote to memory of 2668	2796	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Item\item_balloon.dds
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Item\item_balloon.dds
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Item\item_balloon.dds"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d48c170a7d6b0901593470185ceae544

SHA1
8fc22725686415ff501f20b893ad547c193e4a6c

SHA256
f88904ea1aaecd81ade2561e83c5a617b7a3fbf820d2aa588b6d1d5da740cc04

SHA512
0fd4e79253681148c02908163e877cc32f3f061e06babacd0ec05ce9a7a46979675b19f4654fc676a6c56cb47323335b00daa0eb6f060c1c34eeddaf71cb3a48

Download Submit