Static score: 10

Score  Sample                    Platform
3      R B X 9 5.rar             windows7-x64
3      R B X 9 5.rar             windows10-2004-x64
3      R B X 9 5/Client.exe      windows7-x64
1      R B X 9 5/Client.exe      windows10-2004-x64
1      R B X 9 5/...or.exe       windows7-x64
7      R B X 9 5/...or.exe       windows10-2004-x64
10     R B X 9 5/ai.cfg          windows7-x64
3      R B X 9 5/ai.cfg          windows10-2004-x64
3      R B X 9 5/cacert.pem      windows7-x64
3      R B X 9 5/cacert.pem      windows10-2004-x64
3      R B X 9 5/config.vdf      windows7-x64
3      R B X 9 5/config.vdf      windows10-2004-x64
Analysis (score 3)
- max time kernel: 18s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 07:37
Tasks

Task          Sample                           Resource
static1       (static analysis)                -
behavioral1   R B X 9 5.rar                    win7-20240508-en
behavioral2   R B X 9 5.rar                    win10v2004-20240508-en
behavioral3   R B X 9 5/Client.exe             win7-20240221-en
behavioral4   R B X 9 5/Client.exe             win10v2004-20240508-en
behavioral5   R B X 9 5/Roblox Executor.exe    win7-20240419-en
behavioral6   R B X 9 5/Roblox Executor.exe    win10v2004-20240611-en
behavioral7   R B X 9 5/ai.cfg                 win7-20240611-en
behavioral8   R B X 9 5/ai.cfg                 win10v2004-20240508-en
behavioral9   R B X 9 5/cacert.pem             win7-20240221-en
behavioral10  R B X 9 5/cacert.pem             win10v2004-20240508-en
behavioral11  R B X 9 5/config.vdf             win7-20240508-en
behavioral12  R B X 9 5/config.vdf             win10v2004-20240611-en
General
- Target: R B X 9 5/cacert.pem
- Size: 2KB
- MD5: 39f89143815797c4a41c62f30f137094
- SHA1: 39a602c37ee958e5a5779c167ea095a56f0218e4
- SHA256: 5513aa54afe134569e08b27aa61e60e888ab31d9e112f8c5881adbaecc817678
- SHA512: 02cfee4a3fdc728e63e5a63797c58c5a6fbd805f6f6e5c0ab4e5dbf1d1701636a6aefc94095096b627b7475e731327d620c519ddc1a65b3ee49dd41b4d219d6d
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Process: rundll32.exe
  Description       IoC
  Key created       \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pem_auto_file\shell
  Set value (str)   \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pem_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
  Key created       \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pem_auto_file\shell\Read\command
  Key created       \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings
  Key created       \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pem_auto_file
  Set value (str)   \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pem_auto_file\
  Key created       \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pem
  Set value (str)   \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.pem\ = "pem_auto_file"
  Key created       \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\pem_auto_file\shell\Read
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  2080  AcroRd32.exe
  2080  AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Description          PID   Process        Target PID  Target process
  wrote to memory of   1744  cmd.exe        2752        rundll32.exe
  wrote to memory of   1744  cmd.exe        2752        rundll32.exe
  wrote to memory of   1744  cmd.exe        2752        rundll32.exe
  wrote to memory of   2752  rundll32.exe   2080        AcroRd32.exe
  wrote to memory of   2752  rundll32.exe   2080        AcroRd32.exe
  wrote to memory of   2752  rundll32.exe   2080        AcroRd32.exe
  wrote to memory of   2752  rundll32.exe   2080        AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\R B X 9 5\cacert.pem"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\R B X 9 5\cacert.pem
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\R B X 9 5\cacert.pem"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: ea6f04d27f02c3312988af9392267bfc
  SHA1: bf4025178c4e3c77e2aeb61dbb456c202153d2de
  SHA256: f980a2bbfc7cb315608978001ea1005240e041b04db89922411082e25ddbe11a
  SHA512: 8f2e6e366ed56ad40a27656e32bc71a0a19539b7ee2352b26526682a41715c8a498ca110596ba57e980816c0da3c4c961f013386374dc54442705c7153e8c242