abf685e78562fa3aee73f00110685c5c7340ede3acb6fcda88ba25ad85a4b180

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 20:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom_Suiika_V1_03/Custom_Suiika_V1_03_4k/Expressions/Glasses.exp3.json
Size

164B
MD5

5cf2f0a3bff6f8baaa67bb0c503cfd0f
SHA1

e0b1542ae3718df87e806ffe6f37bc2831088b96
SHA256

a58e69f09e4d39c022b9512d2fbc1ee2044b02e31bedd253e96b5c9cfe76db68
SHA512

c06879d29d87cc1f556472764721e935975ddae2309ed3d4d5602feefc94be3b1080f4e6155b196ac8fb3a197d101c1cb829302bc8d13fed2722e7cb51e58c5e

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2932	AcroRd32.exe
2932	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2844	1340	cmd.exe	30
PID 1340 wrote to memory of 2844	1340	cmd.exe	30
PID 1340 wrote to memory of 2844	1340	cmd.exe	30
PID 2844 wrote to memory of 2932	2844	rundll32.exe	31
PID 2844 wrote to memory of 2932	2844	rundll32.exe	31
PID 2844 wrote to memory of 2932	2844	rundll32.exe	31
PID 2844 wrote to memory of 2932	2844	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\custom_Suiika_V1_03\Custom_Suiika_V1_03_4k\Expressions\Glasses.exp3.json
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\custom_Suiika_V1_03\Custom_Suiika_V1_03_4k\Expressions\Glasses.exp3.json
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\custom_Suiika_V1_03\Custom_Suiika_V1_03_4k\Expressions\Glasses.exp3.json"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
34362a1ca831ebdd7b319a25b5416776

SHA1
169015df647236c4b9a9f932cab857a93489e9ee

SHA256
6771dbc2e58662224bcdb6dcbebc52e02fa99ba0c6224f00ca6ab040a4a9552d

SHA512
6daaa936577b5c3fb86608c1ac9edd26b9b41e32ca85687f4b0661a2e261936763e9b6a3aab33c66313bfe9f970a988d35a091106df6ce780b5c782eba1638f8

Download Submit