815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad

General

Target

815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe
Size

3.0MB
MD5

d97e2f58687e310634994cd3c5c29844
SHA1

683bce40ebea9d0ad561376c44b8d21634fd8a62
SHA256

815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad
SHA512

696ef99e318733c71ea115006e604a67a8ccde20022c38b33e478c434b292d7f2fec87dad1d4acf2d9fd8464d86a866541acfa7865e026cea7d3be1b082d4e59

Score

4^/10

link pdf

Malware Config

Signatures

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A0F.tmp\BL Oct 2014.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1320 AcroRd32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1320 AcroRd32.exe
1320 AcroRd32.exe
1320 AcroRd32.exe
1320 AcroRd32.exe

pid	process
1320	AcroRd32.exe

pid	process
1320	AcroRd32.exe
1320	AcroRd32.exe
1320	AcroRd32.exe
1320	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.execmd.exe

description	pid	process	target process
PID 1888 wrote to memory of 460	1888	815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe	cmd.exe
PID 1888 wrote to memory of 460	1888	815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe	cmd.exe
PID 1888 wrote to memory of 460	1888	815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe	cmd.exe
PID 1888 wrote to memory of 460	1888	815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe	cmd.exe
PID 460 wrote to memory of 1320	460	cmd.exe	AcroRd32.exe
PID 460 wrote to memory of 1320	460	cmd.exe	AcroRd32.exe
PID 460 wrote to memory of 1320	460	cmd.exe	AcroRd32.exe
PID 460 wrote to memory of 1320	460	cmd.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe
"C:\Users\Admin\AppData\Local\Temp\815ba75ac821b7c656c9c9bc0e663f9570f71bf247e374d60f9142fcc380efad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\A0F.tmp\2.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\A0F.tmp\BL Oct 2014.pdf"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1320

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A0F.tmp\2.bat
MD5
695ee5af133361b3a4a4e036478b8d3f

SHA1
55ebe607e52c7f43a2abbd85ba30536e4cf3b6a5

SHA256
758b1e136086ae24c6c172e734bcc41e163e9947e226baa4e39ce74195e4f38f

SHA512
79f99a2f1d0a7f20545bba6e65bc2d42673e16635b591406f9d600192e90258c0f36588d6bbee3fb45d5056167655902e9c94a94d674392e4c9626d21d483f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0F.tmp\BL Oct 2014.pdf
MD5
d1117946c2084f5d7518af2256da7d0d

SHA1
63b694882f2cd7dc08d9d41efc9e3b16b9af58ae

SHA256
8ca0a6b5dd79f4dccdd619697ff22f49825217515e5824c48e235593ecf37049

SHA512
c4f1512b6915f04221de0be8126cb2956f10daf113ad8fd31fbc269055ee08e3f2e071c57e3ecae1e63e6ef54fcbd6cdd6dae41d08fc151eee2c567f28436b07

Download Submit
memory/1888-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing