Analysis

  • max time kernel
    118s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 05:29

General

  • Target

    mamago.pdf

  • Size

    63KB

  • MD5

    522a026230fda9e221eea0b74626389e

  • SHA1

    28204a9fac09be3e7ceff80499200f7c3c83d47d

  • SHA256

    c10e10cdf5f8b37ff02575408b51fe9b9415d9f62bcf22ffa17d11ca88ecc0b6

  • SHA512

    bdaff677e460422121970b30cdd8a1679a1ff60905f6ba289289119aac3acc758e90665d92bb42958a424102f92a0d1c1d0bb46be189e791b911824e373f78a6

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\mamago.pdf"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/DOqCt-cVA4I/uplcv?utm_term=iec+60079+7+pdf
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    0a13f902601bdb764ea170c2669f8cc0

    SHA1

    ac297ddc5659437f2aae2b832dec51af1ba2ddb6

    SHA256

    bb7dbd9d628838bbf955b467913df1e9cfb35e7de88d12b352ad037a9abd3ebe

    SHA512

    5b04f38375b1f79d56347cb3ec8255fa72499a45300b0c2e396acd1330d638d8489b807687dcd112f9700e030f370f246a04bff3c7d2c78682429ccd9008e564

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    MD5

    8e16ad63c8e838e309d682190d696707

    SHA1

    2820156bc4b191c3278c8ec763508436caed0324

    SHA256

    d8a2d83d2ef3aacf9ddfff674463972c0d895e05b645d9e3fee022850a0a4e49

    SHA512

    4be4143d7dbad26c4bfb5ccea2913da05030f6d26e88f9cb7c3ba41225dfb924bfeffc9b1a66feb401650146fa155286c069b9318cb7d9522cd9abca3bb5fd76

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6RU0PBQS.txt
    MD5

    37c156614b45cf8f0f25f2dc32febe5b

    SHA1

    efb0641d792340c911cefe84552b752eb747fdf2

    SHA256

    0cc803e0cf0a45bed9aaab808e6e51361192c5e2b7f959b53fd061f3b83bc6cf

    SHA512

    b94dee83a6f9a991056b2d4d83c446fbaea9b0f0b9b83aff3b2eb121333839b5655b9f849159bbd03ed45542ff3e4da5f325473355a5158ecdaecfcee0acd2f8

  • memory/1916-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
    Filesize

    8KB