Overview

overview

8

Static

static

4

4ff741a791...08.pdf

windows7_x64

1

4ff741a791...08.pdf

windows10-2004_x64

8

Analysis

  • max time kernel
    180s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ff741a791c5745b455b82371bb73d889def2d51fa04b977a5d1376a3bdd6208.pdf

  • Size

    397KB

  • MD5

    e5cebfe077cb3d81b861d1da482848d3

  • SHA1

    9335780419b6dd8db53fcb29948beff3c26478fd

  • SHA256

    4ff741a791c5745b455b82371bb73d889def2d51fa04b977a5d1376a3bdd6208

  • SHA512

    c1c5bf057794ffe7b68ad8974f0d66d9985b73b97460b525f2cd306c72bbf7f34f09fc063af6036ce8c72f71126c07fff103d31941ee12388ed1d77e9ca9af6a

Score
8/10
persistence

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\4ff741a791c5745b455b82371bb73d889def2d51fa04b977a5d1376a3bdd6208.pdf"
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      2⤵
        PID:2544
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        2⤵
          PID:1800
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe e34f5808a2f800ce469ecd3e500af9fd 32MVc5QI0USemlPwHkQbUQ.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:5060
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:3816

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3816-216-0x000001653F570000-0x000001653F580000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3816-223-0x00000165422F0000-0x00000165422F4000-memory.dmp

        Filesize

        16KB

        Download