Overview
overview
10Static
static
3R B X 9 5.rar
windows7-x64
3R B X 9 5.rar
windows10-2004-x64
3R B X 9 5/Client.exe
windows7-x64
1R B X 9 5/Client.exe
windows10-2004-x64
1R B X 9 5/...or.exe
windows7-x64
7R B X 9 5/...or.exe
windows10-2004-x64
10R B X 9 5/ai.cfg
windows7-x64
3R B X 9 5/ai.cfg
windows10-2004-x64
3R B X 9 5/cacert.pem
windows7-x64
3R B X 9 5/cacert.pem
windows10-2004-x64
3R B X 9 5/config.vdf
windows7-x64
3R B X 9 5/config.vdf
windows10-2004-x64
3Analysis
-
max time kernel
34s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
30-06-2024 07:37
Static task
static1
Behavioral task
behavioral1
Sample
R B X 9 5.rar
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
R B X 9 5.rar
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
R B X 9 5/Client.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
R B X 9 5/Client.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
R B X 9 5/Roblox Executor.exe
Resource
win7-20240419-en
Behavioral task
behavioral6
Sample
R B X 9 5/Roblox Executor.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
R B X 9 5/ai.cfg
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
R B X 9 5/ai.cfg
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
R B X 9 5/cacert.pem
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
R B X 9 5/cacert.pem
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
R B X 9 5/config.vdf
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
R B X 9 5/config.vdf
Resource
win10v2004-20240611-en
General
-
Target
R B X 9 5/ai.cfg
-
Size
44B
-
MD5
73ed0e22c8cc70ed93dfd0c1b8f81e19
-
SHA1
f16c87ca3eb393ee34f57fb59781cd37f5963db0
-
SHA256
db9ec7ae21d140904d44d6e6550c0c964e32ef11c055696b355835905c9c3a53
-
SHA512
3dbe1fd660c7446c4a70c99cf6bf7909c76cd02ca24930bdeee851da094850b2fd6f6742025d215ce7dbf3348225c0b64d28e3f1ba133bdd9c7beece84d7e54f
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\cfg_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\cfg_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\cfg_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.cfg rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\cfg_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\cfg_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\cfg_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\.cfg\ = "cfg_auto_file" rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2496 AcroRd32.exe 2496 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2768 wrote to memory of 2344 2768 cmd.exe rundll32.exe PID 2768 wrote to memory of 2344 2768 cmd.exe rundll32.exe PID 2768 wrote to memory of 2344 2768 cmd.exe rundll32.exe PID 2344 wrote to memory of 2496 2344 rundll32.exe AcroRd32.exe PID 2344 wrote to memory of 2496 2344 rundll32.exe AcroRd32.exe PID 2344 wrote to memory of 2496 2344 rundll32.exe AcroRd32.exe PID 2344 wrote to memory of 2496 2344 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\R B X 9 5\ai.cfg"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\R B X 9 5\ai.cfg2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\R B X 9 5\ai.cfg"3⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD562335fd1f459cc29afd65c0f256a8a2a
SHA129ade1a54308488e0586c5f4799c8e09cf74772f
SHA256742b53000a2cad920c0ee5eb0679afdcc658dae823be8649a37322dd825970aa
SHA5129d15f675367d1125a56333fb01ae824b2b874ba98ae799a9cdd5374e3f27d8c1378d30c790cded569c41d226b423c7229da0734c29c4b0b8e7bc8bb249f73c60