Analysis
max time kernel: 56s
max time network: 35s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 24-06-2024 18:30
Behavioral task: behavioral1
Sample: Windows 7 x64-000009.vmdk
Resource: win7-20240220-en
General
Target: Windows 7 x64-000009.vmdk
Size: 475.0MB
MD5: adb21185882da71d445509457e45cc18
SHA1: e9533997b5f641bc81198d65f3d24fbdb7f1e036
SHA256: 3869c7aab60c885f924a99fa7ce3fdb2346fe0fb3b1538110373cc2190eab664
SHA512: c931afb24652cfcd26925518d0a426c6b8c2ca5dbb8c137473a0f96d2ec84de135fb9f243d3e3534db7f3c173ea709b5141b6617f71090a81c40385aecae264d
SSDEEP: 3145728:BpC0yBb0pEnRJFP0X7z/S+9IV16ZYrBZ4qkrJ+NWDfb0sO:qlR4mRJN6zq+9IV1t+mWED
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
-
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\  rundll32.exe
  Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.vmdk  rundll32.exe
  Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell\Read  rundll32.exe
  Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""  rundll32.exe
  Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.vmdk\ = "vmdk_auto_file"  rundll32.exe
  Key created  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell\Read\command  rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid  process
  2704  AcroRd32.exe
  2704  AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description  pid  process  target process
  PID 2252 wrote to memory of 2532  2252  cmd.exe  rundll32.exe
  PID 2252 wrote to memory of 2532  2252  cmd.exe  rundll32.exe
  PID 2252 wrote to memory of 2532  2252  cmd.exe  rundll32.exe
  PID 2532 wrote to memory of 2704  2532  rundll32.exe  AcroRd32.exe
  PID 2532 wrote to memory of 2704  2532  rundll32.exe  AcroRd32.exe
  PID 2532 wrote to memory of 2704  2532  rundll32.exe  AcroRd32.exe
  PID 2532 wrote to memory of 2704  2532  rundll32.exe  AcroRd32.exe
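The two signature tables above describe one mechanism, not sample behaviour: the sandbox ran the .vmdk with cmd /c, Windows had no handler for the extension, so it launched the Open With dialog (rundll32 shell32.dll,OpenAs_RunDLL), which created the auto-generated ProgID vmdk_auto_file under the user's HKCU\...\_Classes hive, pointed its shell\Read\command at Adobe Reader, and spawned AcroRd32.exe on a 475 MB disk image. The following script is an added example, not part of the report or of the sandbox vendor's tooling. It parses the report's IoC lines (copied here as constructed strings), rebuilds the parent/child chain from the WriteProcessMemory records, and resolves which command is now registered for .vmdk. The parent/child inference is an assumption: a parent writing into a freshly created child is what CreateProcess looks like on this OS, but injection into an already running process would produce the same IoC, so the report's own process tree remains the authority.

```python
"""Added example: parse sandbox IoC text into a process chain and a file association."""
import re

# Constructed from the report's own IoC text; the SID is the one the report shows.
REGISTRY_IOCS = r'''
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.vmdk rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.vmdk\ = "vmdk_auto_file" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell\Read\command rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
'''.strip().splitlines()

# Constructed from the report: one line per WriteProcessMemory call, so a
# single CreateProcess shows up several times and must be de-duplicated.
MEMORY_IOCS = """
PID 2252 wrote to memory of 2532 2252 cmd.exe rundll32.exe
PID 2252 wrote to memory of 2532 2252 cmd.exe rundll32.exe
PID 2252 wrote to memory of 2532 2252 cmd.exe rundll32.exe
PID 2532 wrote to memory of 2704 2532 rundll32.exe AcroRd32.exe
PID 2532 wrote to memory of 2704 2532 rundll32.exe AcroRd32.exe
""".strip().splitlines()

# "Set value (str) <key>\ = "<value>" <process>"; the key never contains spaces here.
SET_RE = re.compile(r'^Set value \(str\) (?P<key>\S+)\\ = "(?P<val>.*)" (?P<proc>\S+)$')
# "PID <parent> wrote to memory of <child> <parent> <parent name> <child name>"
MEM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$')


def _classes_relative(key: str) -> str:
    """Strip the \\REGISTRY\\USER\\<SID>_CLASSES prefix so keys read like HKCR paths."""
    parts = key.split("\\")
    for i, part in enumerate(parts):
        if part.upper().endswith("_CLASSES"):
            return "\\".join(parts[i + 1:])
    return key


def parse_set_values(lines):
    """Return {relative key path: unescaped string value} for every 'Set value' IoC."""
    values = {}
    for line in lines:
        m = SET_RE.match(line.strip())
        if not m:
            continue
        # The report escapes backslashes and quotes inside the value; undo that.
        raw = m.group("val").replace("\\\\", "\\").replace('\\"', '"')
        values[_classes_relative(m.group("key"))] = raw
    return values


def resolve_association(lines, ext):
    """Resolve extension -> ProgID -> shell verb -> command -> handler executable."""
    values = parse_set_values(lines)
    progid = next((v for k, v in values.items() if k.lower() == ext.lower()), None)
    if progid is None:
        return None  # extension was never associated in these IoCs
    prefix = (progid + "\\shell\\").lower()
    for rel, cmd in values.items():
        low = rel.lower()
        if low.startswith(prefix) and low.endswith("\\command"):
            verb = rel[len(prefix):-len("\\command")]
            m = re.match(r'"([^"]+)"|(\S+)', cmd)  # first (possibly quoted) token
            handler = (m.group(1) or m.group(2)) if m else None
            return {"progid": progid, "verb": verb, "command": cmd, "handler": handler}
    return {"progid": progid, "verb": None, "command": None, "handler": None}


def process_tree(lines):
    """Rebuild a parent/child tree from WriteProcessMemory IoCs (heuristic, see lead-in)."""
    parent_of, name_of = {}, {}
    for line in lines:
        m = MEM_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, pname, cname = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        parent_of.setdefault(cpid, ppid)
        name_of.setdefault(ppid, pname)
        name_of.setdefault(cpid, cname)
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{name_of[pid]} ({pid})")
        for child in sorted(c for c, p in parent_of.items() if p == pid):
            walk(child, depth + 1)

    for root in sorted(p for p in name_of if p not in parent_of):
        walk(root, 0)
    return out


if __name__ == "__main__":
    print("\n".join(process_tree(MEMORY_IOCS)))
    print(resolve_association(REGISTRY_IOCS, ".vmdk"))
```

Run as-is it prints the three-process chain and the resolved handler; point the same functions at a report where the shell\...\command value names a script interpreter or a path under %TEMP% instead of an installed viewer, and the association itself becomes the finding.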
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c "C:\Users\Admin\AppData\Local\Temp\Windows 7 x64-000009.vmdk"
   - Suspicious use of WriteProcessMemory
2. C:\Windows\system32\rundll32.exe (child of 1)
   "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Windows 7 x64-000009.vmdk
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of 2)
   "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Windows 7 x64-000009.vmdk"
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize: 3KB
MD5: d07ce3b594bb0f90e7b45dc00f44d7ec
SHA1: c82ea4f41bcf82ab2a79cffbcba0f6d71955e252
SHA256: 663c6dd16eadc74f5c43604c70eba55cab20cf379a54588958ac0a09ae728f04
SHA512: 1ce7d2e5992814dfff0c7f301ddf84bc9478c93f08b9d916fe7077bdeb24cc9b13426274884084e1061eee5bb85e6407c69e76c3686725e8abe8bcc8ffbec0ce