832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d

General

Target

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe
Size

1.3MB
MD5

3c9aa6dc8c4501ffa2798f044df53438
SHA1

0076a7342908f675c1d7bf630ec6912cd75060dd
SHA256

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d
SHA512

0406541e3a89abfefaca7834a3d5cae07d2ce876ef0fa47a51915e464cb80fcad2cd4bb45b81ba026cf15616eafcb6cd97fac73037a1c0635835f376ae398fca

Score

8^/10

link pdf persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winword.exe

pid process

564 winword.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

560 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

pid process

604 832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

pid	process
564	winword.exe

pid	process
560	cmd.exe

pid	process
604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\McUpdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winword.exe\""	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\九州の温泉紹介-九州観光旅館連絡会-平成25年.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

936 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

description pid process

Token: SeIncBasePriorityPrivilege 604 832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

936 AcroRd32.exe
936 AcroRd32.exe
936 AcroRd32.exe
936 AcroRd32.exe

pid	process
936	AcroRd32.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

pid	process
936	AcroRd32.exe
936	AcroRd32.exe
936	AcroRd32.exe
936	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe

description	pid	process	target process
PID 604 wrote to memory of 936	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	AcroRd32.exe
PID 604 wrote to memory of 936	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	AcroRd32.exe
PID 604 wrote to memory of 936	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	AcroRd32.exe
PID 604 wrote to memory of 936	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	AcroRd32.exe
PID 604 wrote to memory of 564	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	winword.exe
PID 604 wrote to memory of 564	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	winword.exe
PID 604 wrote to memory of 564	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	winword.exe
PID 604 wrote to memory of 564	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	winword.exe
PID 604 wrote to memory of 560	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	cmd.exe
PID 604 wrote to memory of 560	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	cmd.exe
PID 604 wrote to memory of 560	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	cmd.exe
PID 604 wrote to memory of 560	604	832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe
"C:\Users\Admin\AppData\Local\Temp\832cafb6e88dd4723002d8b0e2221b3d357c22aaf3cfda3de2017b6378b22d9d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\九州の温泉紹介-九州観光旅館連絡会-平成25年.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:936
- C:\Users\Admin\AppData\Local\Temp\winword.exe
  "C:\Users\Admin\AppData\Local\Temp\winword.exe"
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\832CAF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winword.exe

MD5
6dc5d006eafa5e135ec89fa456060b58

SHA1
e7cd3a1e6a1017401ade9bf55456553313e3a8c1

SHA256
ff13f9b00580f19e389d8852144ecb6ae7876e1091861aad796ab619fea33398

SHA512
a7f40c7226134d811c8d8035fbbe47220a480356be83d86b28518402c04156f4f905f81d00f2e342001c788209e26e7a6f4b7e74798b17d176a4a23800b6c66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\九州の温泉紹介-九州観光旅館連絡会-平成25年.pdf

MD5
8778792f2917620f454f8e1d13670f60

SHA1
8c6a3802df06d89b5d325491d9720e3f2ee67e04

SHA256
44aacc0bf620886c1ed51f6b19f0c63229b10114db4ee322daede67dc7953bf6

SHA512
5f01867193f58149565c6d4f14f34c0f1e8ff2872e33f5a09c28ed0165200c3383943f76cbe2c8f30a5ee8cafb92b24fbb4b2709835e0b03a08bd80d96042829

Download Submit
\Users\Admin\AppData\Local\Temp\winword.exe

MD5
6dc5d006eafa5e135ec89fa456060b58

SHA1
e7cd3a1e6a1017401ade9bf55456553313e3a8c1

SHA256
ff13f9b00580f19e389d8852144ecb6ae7876e1091861aad796ab619fea33398

SHA512
a7f40c7226134d811c8d8035fbbe47220a480356be83d86b28518402c04156f4f905f81d00f2e342001c788209e26e7a6f4b7e74798b17d176a4a23800b6c66b

Download Submit
memory/604-54-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads