83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849

Analysis

max time kernel
152s
max time network
123s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe
Size

936KB
MD5

d398d699709ad400db9e7555cb4cfde9
SHA1

5cc4f248595268a0c9988daee3f0f8f9f5ac0a7f
SHA256

83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849
SHA512

3d9812f07f1cb25fb4aa7cc996614de00956d0f69f815a0f821b32b529ed8bb510aacb8d71c3baf2ce4628ea349f32e752e90c9aa67d6af17d373dc54da60724

Score

4^/10

link pdf

Malware Config

Signatures

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zakon.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1616 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1616 AcroRd32.exe
1616 AcroRd32.exe
1616 AcroRd32.exe
1616 AcroRd32.exe

pid	process
1616	AcroRd32.exe

pid	process
1616	AcroRd32.exe
1616	AcroRd32.exe
1616	AcroRd32.exe
1616	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe

description	pid	process	target process
PID 1056 wrote to memory of 1616	1056	83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe	AcroRd32.exe
PID 1056 wrote to memory of 1616	1056	83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe	AcroRd32.exe
PID 1056 wrote to memory of 1616	1056	83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe	AcroRd32.exe
PID 1056 wrote to memory of 1616	1056	83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe	AcroRd32.exe
PID 1056 wrote to memory of 1616	1056	83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe	AcroRd32.exe
PID 1056 wrote to memory of 1616	1056	83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe	AcroRd32.exe
PID 1056 wrote to memory of 1616	1056	83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe
"C:\Users\Admin\AppData\Local\Temp\83bf9f870b3195dc3ca0a92211489aa353348f7581759e3c93d594327e194849.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zakon.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1616

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zakon.pdf
MD5
fdcf34d0d0e7a4adba4a40faa10d0b07

SHA1
1e0c4a5f0ff2e835d12c3b6571ae6000e81a014b

SHA256
5ced3780b8875351b8d69bef2c6da3ad696a2e3c69d6c1ef4e457dbcf1494292

SHA512
f4296b49e1b3828c3adfca219b2d634ecf00ad534382eae7f4a61f743cbf70e0420789bf7864212bd9830743b66414cb71707e14dce99f462408f5342cd512d7

Download Submit
memory/1056-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

Filesize
8KB

Download