3869c7aab60c885f924a99fa7ce3fdb2346fe0fb3b1538110373cc2190eab664

Analysis

max time kernel
56s
max time network
35s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows 7 x64-000009.vmdk
Size

475.0MB
MD5

adb21185882da71d445509457e45cc18
SHA1

e9533997b5f641bc81198d65f3d24fbdb7f1e036
SHA256

3869c7aab60c885f924a99fa7ce3fdb2346fe0fb3b1538110373cc2190eab664
SHA512

c931afb24652cfcd26925518d0a426c6b8c2ca5dbb8c137473a0f96d2ec84de135fb9f243d3e3534db7f3c173ea709b5141b6617f71090a81c40385aecae264d
SSDEEP

3145728:BpC0yBb0pEnRJFP0X7z/S+9IV16ZYrBZ4qkrJ+NWDfb0sO:qlR4mRJN6zq+9IV1t+mWED

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.vmdk	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.vmdk\ = "vmdk_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\vmdk_auto_file\shell\Read\command	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2704 AcroRd32.exe
2704 AcroRd32.exe

pid	process
2704	AcroRd32.exe
2704	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2252 wrote to memory of 2532	2252	cmd.exe	rundll32.exe
PID 2252 wrote to memory of 2532	2252	cmd.exe	rundll32.exe
PID 2252 wrote to memory of 2532	2252	cmd.exe	rundll32.exe
PID 2532 wrote to memory of 2704	2532	rundll32.exe	AcroRd32.exe
PID 2532 wrote to memory of 2704	2532	rundll32.exe	AcroRd32.exe
PID 2532 wrote to memory of 2704	2532	rundll32.exe	AcroRd32.exe
PID 2532 wrote to memory of 2704	2532	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Windows 7 x64-000009.vmdk"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Windows 7 x64-000009.vmdk
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Windows 7 x64-000009.vmdk"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2704

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
d07ce3b594bb0f90e7b45dc00f44d7ec

SHA1
c82ea4f41bcf82ab2a79cffbcba0f6d71955e252

SHA256
663c6dd16eadc74f5c43604c70eba55cab20cf379a54588958ac0a09ae728f04

SHA512
1ce7d2e5992814dfff0c7f301ddf84bc9478c93f08b9d916fe7077bdeb24cc9b13426274884084e1061eee5bb85e6407c69e76c3686725e8abe8bcc8ffbec0ce

Download Submit