Analysis
- max time kernel: 157s
- max time network: 141s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 29-01-2022 17:09

Static task: static1
Behavioral task: behavioral1
Sample: 815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe
Resource: win7-en-20211208
General
- Target: 815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe
- Size: 3.0MB
- MD5: d97e2f58687e310634994cd3c5c29844
- SHA1: 683bce40ebea9d0ad561376c44b8d21634fd8a62
- SHA256: 815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad
- SHA512: 696ef99e318733c71ea115006e604a67a8ccde20022c38b33e478c434b292d7f2fec87dad1d4acf2d9fd8464d86a866541acfa7865e026cea7d3be1b082d4e59
Malware Config
Signatures
- HTTP links in PDF interactive object (1 IoCs)
  Detects HTTP links in interactive objects within PDF files.
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\A0F.tmp\BL Oct 2014.pdf
    yara_rule: pdf_with_link_action
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid 1320 | process AcroRd32.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid 1320 | process AcroRd32.exe
    pid 1320 | process AcroRd32.exe
    pid 1320 | process AcroRd32.exe
    pid 1320 | process AcroRd32.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 1888 wrote to memory of 460 | 1888 | 815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe | cmd.exe
    PID 1888 wrote to memory of 460 | 1888 | 815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe | cmd.exe
    PID 1888 wrote to memory of 460 | 1888 | 815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe | cmd.exe
    PID 1888 wrote to memory of 460 | 1888 | 815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe | cmd.exe
    PID 460 wrote to memory of 1320 | 460 | cmd.exe | AcroRd32.exe
    PID 460 wrote to memory of 1320 | 460 | cmd.exe | AcroRd32.exe
    PID 460 wrote to memory of 1320 | 460 | cmd.exe | AcroRd32.exe
    PID 460 wrote to memory of 1320 | 460 | cmd.exe | AcroRd32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe"
  PID: 1888
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2, child of PID 1888)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\A0F.tmp\2.bat" "
    PID: 460
    signatures: Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3, child of PID 460)
      command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\A0F.tmp\BL Oct 2014.pdf"
      PID: 1320
      signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\A0F.tmp\2.bat
  MD5: 695ee5af133361b3a4a4e036478b8d3f
  SHA1: 55ebe607e52c7f43a2abbd85ba30536e4cf3b6a5
  SHA256: 758b1e136086ae24c6c172e734bcc41e163e9947e226baa4e39ce74195e4f38f
  SHA512: 79f99a2f1d0a7f20545bba6e65bc2d42673e16635b591406f9d600192e90258c0f36588d6bbee3fb45d5056167655902e9c94a94d674392e4c9626d21d483f8f
- C:\Users\Admin\AppData\Local\Temp\A0F.tmp\BL Oct 2014.pdf
  MD5: d1117946c2084f5d7518af2256da7d0d
  SHA1: 63b694882f2cd7dc08d9d41efc9e3b16b9af58ae
  SHA256: 8ca0a6b5dd79f4dccdd619697ff22f49825217515e5824c48e235593ecf37049
  SHA512: c4f1512b6915f04221de0be8126cb2956f10daf113ad8fd31fbc269055ee08e3f2e071c57e3ecae1e63e6ef54fcbd6cdd6dae41d08fc151eee2c567f28436b07
- memory/1888-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB