Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 20:12
Static task: static1
Behavioral task: behavioral1
- Sample: 41f3f2ddba5d6c64f4052044b5b15126bfdc76a93c69e8fd8c53600231b63422.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 41f3f2ddba5d6c64f4052044b5b15126bfdc76a93c69e8fd8c53600231b63422.exe
- Resource: win10v2004-20240611-en
Behavioral task: behavioral3
- Sample: $PLUGINSDIR/zhwzxmwaqy.dll
- Resource: win7-20240611-en
Behavioral task: behavioral4
- Sample: $PLUGINSDIR/zhwzxmwaqy.dll
- Resource: win10v2004-20240508-en
Behavioral task: behavioral5
- Sample: emteyvnnuao.ti
- Resource: win7-20240611-en
Behavioral task: behavioral6
- Sample: emteyvnnuao.ti
- Resource: win10v2004-20240508-en
Behavioral task: behavioral7
- Sample: xoxpvgducyg.a
- Resource: win7-20240221-en
Behavioral task: behavioral8
- Sample: xoxpvgducyg.a
- Resource: win10v2004-20240508-en
General
- Target: xoxpvgducyg.a
- Size: 263KB
- MD5: ab80c860ddf234f58f8eae5b05f8753c
- SHA1: d6e08550c3339d61dd07e49d4785406124090591
- SHA256: 81dcba6db6ae4eef2c2f6ba562d4fd3ad4f2b336544e5ca730c3283c79e48ac0
- SHA512: 62883952905dad7c8cc4fd7145e41fab0f9e1b1baade0b48a03b1370fde670c988360c7582a234709efadd7cd8a19192d09ccb1e4d510d88c92525b31ffd2176
- SSDEEP: 6144:Cqe2ya9apTnbaFvYWxgV6JFoVAHLWMZQ+Y0OXaaLyOM/VAY:CdaQAKVhWVZ5Y3XaaWOMNb
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Process: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\a_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\a_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\a_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\a_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.a | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.a\ = "a_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\a_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\a_auto_file\shell | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: AcroRd32.exe
  pid | process
  2028 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe
  pid | process
  2028 | AcroRd32.exe
  2028 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2240 wrote to memory of 2600 | 2240 | cmd.exe | rundll32.exe
  PID 2240 wrote to memory of 2600 | 2240 | cmd.exe | rundll32.exe
  PID 2240 wrote to memory of 2600 | 2240 | cmd.exe | rundll32.exe
  PID 2600 wrote to memory of 2028 | 2600 | rundll32.exe | AcroRd32.exe
  PID 2600 wrote to memory of 2028 | 2600 | rundll32.exe | AcroRd32.exe
  PID 2600 wrote to memory of 2028 | 2600 | rundll32.exe | AcroRd32.exe
  PID 2600 wrote to memory of 2028 | 2600 | rundll32.exe | AcroRd32.exe
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\xoxpvgducyg.a
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\xoxpvgducyg.a
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\xoxpvgducyg.a"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  - Filesize: 3KB
  - MD5: 74e367150401544f03c9069c22308f1e
  - SHA1: 5532725ddca749febc4233481b2bc9755a0baede
  - SHA256: 17ad424d5a5b3f295a83e35093877aef16ee8d0ca001c9d956375f5b4ac678c2
  - SHA512: f5d2314999429b2145bd785a6abd690ba7b9033da80e9c083f1a80c55e867eee3cda0157595b97ad194d4820fa8299dc186de6b29c4e1163bd9ed5d8d2e0b58a