ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f

Analysis

max time kernel
155s
max time network
137s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe
Size

2.6MB
MD5

51ea28f4f3fa794d5b207475897b1eef
SHA1

9eef49fc724b9f40be795a80bc6363eb0c6b6dd6
SHA256

ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f
SHA512

72678ef9d7ac623a85b23bd20f28499b851ef72c18c652ed200ad58562dd23796f8e7388b039fbc872e4e616b67900dd832172b5838b444405a28cae703dacdf

Score

8^/10

link pdf

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

oracle.exeoracle.exe

pid process

1216 oracle.exe
1708 oracle.exe

pid	process
1216	oracle.exe
1708	oracle.exe

Loads dropped DLL 5 IoCs

Processes:

ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exeoracle.exe

pid	process
1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe
1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe
1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe
1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe
1216	oracle.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\382142.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1380 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1380 AcroRd32.exe
1380 AcroRd32.exe
1380 AcroRd32.exe
1380 AcroRd32.exe

pid	process
1380	AcroRd32.exe

pid	process
1380	AcroRd32.exe
1380	AcroRd32.exe
1380	AcroRd32.exe
1380	AcroRd32.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exeoracle.exeoracle.exe

description	pid	process	target process
PID 1736 wrote to memory of 1216	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	oracle.exe
PID 1736 wrote to memory of 1216	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	oracle.exe
PID 1736 wrote to memory of 1216	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	oracle.exe
PID 1736 wrote to memory of 1216	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	oracle.exe
PID 1736 wrote to memory of 1216	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	oracle.exe
PID 1736 wrote to memory of 1216	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	oracle.exe
PID 1736 wrote to memory of 1216	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	oracle.exe
PID 1216 wrote to memory of 1708	1216	oracle.exe	oracle.exe
PID 1216 wrote to memory of 1708	1216	oracle.exe	oracle.exe
PID 1216 wrote to memory of 1708	1216	oracle.exe	oracle.exe
PID 1216 wrote to memory of 1708	1216	oracle.exe	oracle.exe
PID 1216 wrote to memory of 1708	1216	oracle.exe	oracle.exe
PID 1216 wrote to memory of 1708	1216	oracle.exe	oracle.exe
PID 1216 wrote to memory of 1708	1216	oracle.exe	oracle.exe
PID 1736 wrote to memory of 1380	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	AcroRd32.exe
PID 1736 wrote to memory of 1380	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	AcroRd32.exe
PID 1736 wrote to memory of 1380	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	AcroRd32.exe
PID 1736 wrote to memory of 1380	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	AcroRd32.exe
PID 1736 wrote to memory of 1380	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	AcroRd32.exe
PID 1736 wrote to memory of 1380	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	AcroRd32.exe
PID 1736 wrote to memory of 1380	1736	ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe	AcroRd32.exe
PID 1708 wrote to memory of 1720	1708	oracle.exe	cscript.exe
PID 1708 wrote to memory of 1720	1708	oracle.exe	cscript.exe
PID 1708 wrote to memory of 1720	1708	oracle.exe	cscript.exe
PID 1708 wrote to memory of 1720	1708	oracle.exe	cscript.exe
PID 1708 wrote to memory of 1720	1708	oracle.exe	cscript.exe
PID 1708 wrote to memory of 1720	1708	oracle.exe	cscript.exe
PID 1708 wrote to memory of 1720	1708	oracle.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe
"C:\Users\Admin\AppData\Local\Temp\ca0b804c30052456362fe22ae6fa8482f91651c2c18dc41cda4c6e282fdede6f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\oracle.exe
"C:\Users\Admin\AppData\Local\Temp\oracle.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\oracle.exe
"C:\Users\Admin\AppData\Local\Temp\oracle.exe" -m 1
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\cscript.exe
cscript.exe /B /NOLOGO .\1.vbs
4⤵
PID:1720

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\382142.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.vbs
MD5
38c084f65cd7bcd0fe8c937e6280fe1d

SHA1
9fcb1cfe8c3f1b5015fd6d157191b223392fb339

SHA256
202c88eda9dfdc48e94e08d5fce93590d0621c9c303b4d5b77dcb16018e0429b

SHA512
c402028a60dba2381a3bc6af021154b016067ee9198b05beadc9d2db016b9bbdd5de2dbf47cac34ae9cb3be5c5905de807111f28b63db69191be9f3e7e71e5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\382142.pdf
MD5
0b246279b248dd1960e923a35663b8db

SHA1
c926ed463c8d41ac73f8c32a87164e22971c4865

SHA256
847710262dd6ce7a85d1b33aad47381a623138cc598d6a1d68da88b3afa816c0

SHA512
67b70a015ed3eb8dc04c78354309d6a71c2a2ea121e4740fa6219522a151e345b43ce2f7b0975f454979ec4408ae0d9d777f846a2a09b8f92b8763912cdbce5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oracle.exe
MD5
964e4b516d72b7717aabb71ad7cc7bf6

SHA1
2e27c59f0cf0dbf81466cc63d87d421b33843e87

SHA256
1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7

SHA512
1ff1cc2586755ed89902a7450856b3b082783ab060a0799503c5dbe0981ff9e640c6a404e09e4d7a2d79dc719449082b4d29891d620ed35767dfd967fcf16563

Download Submit
C:\Users\Admin\AppData\Local\Temp\oracle.exe
MD5
964e4b516d72b7717aabb71ad7cc7bf6

SHA1
2e27c59f0cf0dbf81466cc63d87d421b33843e87

SHA256
1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7

SHA512
1ff1cc2586755ed89902a7450856b3b082783ab060a0799503c5dbe0981ff9e640c6a404e09e4d7a2d79dc719449082b4d29891d620ed35767dfd967fcf16563

Download Submit
C:\Users\Admin\AppData\Local\Temp\oracle.exe
MD5
964e4b516d72b7717aabb71ad7cc7bf6

SHA1
2e27c59f0cf0dbf81466cc63d87d421b33843e87

SHA256
1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7

SHA512
1ff1cc2586755ed89902a7450856b3b082783ab060a0799503c5dbe0981ff9e640c6a404e09e4d7a2d79dc719449082b4d29891d620ed35767dfd967fcf16563

Download Submit
\Users\Admin\AppData\Local\Temp\oracle.exe
MD5
964e4b516d72b7717aabb71ad7cc7bf6

SHA1
2e27c59f0cf0dbf81466cc63d87d421b33843e87

SHA256
1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7

SHA512
1ff1cc2586755ed89902a7450856b3b082783ab060a0799503c5dbe0981ff9e640c6a404e09e4d7a2d79dc719449082b4d29891d620ed35767dfd967fcf16563

Download Submit
\Users\Admin\AppData\Local\Temp\oracle.exe
MD5
964e4b516d72b7717aabb71ad7cc7bf6

SHA1
2e27c59f0cf0dbf81466cc63d87d421b33843e87

SHA256
1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7

SHA512
1ff1cc2586755ed89902a7450856b3b082783ab060a0799503c5dbe0981ff9e640c6a404e09e4d7a2d79dc719449082b4d29891d620ed35767dfd967fcf16563

Download Submit
\Users\Admin\AppData\Local\Temp\oracle.exe
MD5
964e4b516d72b7717aabb71ad7cc7bf6

SHA1
2e27c59f0cf0dbf81466cc63d87d421b33843e87

SHA256
1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7

SHA512
1ff1cc2586755ed89902a7450856b3b082783ab060a0799503c5dbe0981ff9e640c6a404e09e4d7a2d79dc719449082b4d29891d620ed35767dfd967fcf16563

Download Submit
\Users\Admin\AppData\Local\Temp\oracle.exe
MD5
964e4b516d72b7717aabb71ad7cc7bf6

SHA1
2e27c59f0cf0dbf81466cc63d87d421b33843e87

SHA256
1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7

SHA512
1ff1cc2586755ed89902a7450856b3b082783ab060a0799503c5dbe0981ff9e640c6a404e09e4d7a2d79dc719449082b4d29891d620ed35767dfd967fcf16563

Download Submit
\Users\Admin\AppData\Local\Temp\oracle.exe
MD5
964e4b516d72b7717aabb71ad7cc7bf6

SHA1
2e27c59f0cf0dbf81466cc63d87d421b33843e87

SHA256
1d4ac97d43fab1d464017abb5d57a6b4601f99eaa93b01443427ef25ae5127f7

SHA512
1ff1cc2586755ed89902a7450856b3b082783ab060a0799503c5dbe0981ff9e640c6a404e09e4d7a2d79dc719449082b4d29891d620ed35767dfd967fcf16563

Download Submit
memory/1708-66-0x00000000001E0000-0x000000000020B000-memory.dmp

Filesize
172KB

Download
memory/1708-67-0x00000000001E0000-0x000000000020B000-memory.dmp

Filesize
172KB

Download
memory/1736-54-0x0000000076911000-0x0000000076913000-memory.dmp

Filesize
8KB

Download