Analysis
-
max time kernel
151s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system -
submitted
26-07-2023 17:03
Behavioral task
behavioral1
Sample
x64.elf
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
x64.elf
Resource
win10v2004-20230703-en
General
-
Target
x64.elf
-
Size
130B
-
MD5
b56959ff164d8f7ba900dd34b6441e96
-
SHA1
4ac524eb4b5a1393e815148bc15f1eb92b368924
-
SHA256
26f6af63d50641c16e65d7fe22e8675e0ecd4ffddf9fd1fc3652d862ef4e8f8e
-
SHA512
ebce3ea370d67f5a9202babc2fc58c5d9f1e301c3ca1de5ad30cb2e4273076005f2f8fa38d5340e60efffb03a894a462b6d88836fa82e1ba7205ca4169a57bd3
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes (rundll32.exe):
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\elf_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.elf | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.elf\ = "elf_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\elf_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\elf_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\elf_auto_file\shell\Read\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\elf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\elf_auto_file | rundll32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (AcroRd32.exe):
pid | process
1576 | AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (AcroRd32.exe):
pid | process
1576 | AcroRd32.exe
1576 | AcroRd32.exe
1576 | AcroRd32.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes (cmd.exe, rundll32.exe):
description | pid | process | target process
PID 2804 wrote to memory of 2944 | 2804 | cmd.exe | rundll32.exe
PID 2804 wrote to memory of 2944 | 2804 | cmd.exe | rundll32.exe
PID 2804 wrote to memory of 2944 | 2804 | cmd.exe | rundll32.exe
PID 2944 wrote to memory of 1576 | 2944 | rundll32.exe | AcroRd32.exe
PID 2944 wrote to memory of 1576 | 2944 | rundll32.exe | AcroRd32.exe
PID 2944 wrote to memory of 1576 | 2944 | rundll32.exe | AcroRd32.exe
PID 2944 wrote to memory of 1576 | 2944 | rundll32.exe | AcroRd32.exe
Processes
-
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\x64.elf
   - Suspicious use of WriteProcessMemory
-
2. C:\Windows\system32\rundll32.exe (child of 1)
   Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\x64.elf
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
-
3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of 2)
   Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\x64.elf"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB
MD5
dda07bbba8913a05a36994d50846d4c2
SHA1
ca46e3b7dd874f3912b79f5eaf41dcc86545ea34
SHA256
b51e903d0cced27b7f8d383a43e888b26fc0809e3b993a7f0eccc055a81ac54d
SHA512
68b195a889891af1f28b169bfedc7681e64c6a4528f0454426fdf4ce02564dd1e9de859bbc28e8e44db9588163a50987d9eb3c7d37cd1e486bd666809599629f