Analysis
max time kernel: 152s
max time network: 123s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 20:44

Static task: static1
Behavioral task: behavioral1
Sample: 83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe
Resource: win7-en-20211208
General
Target: 83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe
Size: 936KB
MD5: d398d699709ad400db9e7555cb4cfde9
SHA1: 5cc4f248595268a0c9988daee3f0f8f9f5ac0a7f
SHA256: 83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849
SHA512: 3d9812f07f1cb25fb4aa7cc996614de00956d0f69f815a0f821b32b529ed8bb510aacb8d71c3baf2ce4628ea349f32e752e90c9aa67d6af17d373dc54da60724
Malware Config
Signatures
-
HTTP links in PDF interactive object (1 IoC)
Detects HTTP links in interactive objects within PDF files.
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zakon.pdf
  yara_rule: pdf_with_link_action
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  1616  AcroRd32.exe
-
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  1616  AcroRd32.exe (4 identical entries)
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                       pid   process                                                               target process
  PID 1056 wrote to memory of 1616  1056  83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe  AcroRd32.exe (7 identical entries)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe"
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zakon.pdf"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zakon.pdf
  MD5: fdcf34d0d0e7a4adba4a40faa10d0b07
  SHA1: 1e0c4a5f0ff2e835d12c3b6571ae6000e81a014b
  SHA256: 5ced3780b8875351b8d69bef2c6da3ad696a2e3c69d6c1ef4e457dbcf1494292
  SHA512: f4296b49e1b3828c3adfca219b2d634ecf00ad534382eae7f4a61f743cbf70e0420789bf7864212bd9830743b66414cb71707e14dce99f462408f5342cd512d7
-
memory/1056-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp
  Filesize: 8KB