Overview

overview

8

Static

static

ab3054a54a...9e.exe

windows7_x64

8

ab3054a54a...9e.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    172s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    03-02-2022 15:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab3054a54af3808532968a950a3ca056b4bf875d6cf51fc26309040446374b9e.exe

  • Size

    435KB

  • MD5

    12c78eb58d6739303f370dba8c9501bc

  • SHA1

    802c4f0d5f9cf2b40520177fff64cbe242b3988a

  • SHA256

    ab3054a54af3808532968a950a3ca056b4bf875d6cf51fc26309040446374b9e

  • SHA512

    3e2875ac117c6b091003cd61866f5bac742d4678b116d93913cc4a153c120802a7ab3eceb4eaf228e88462d7588e6be748912fa65c3c2d2121a1eaa72cf6fb85

Score
8/10
linkpdfpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

    pdflink
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab3054a54af3808532968a950a3ca056b4bf875d6cf51fc26309040446374b9e.exe
    "C:\Users\Admin\AppData\Local\Temp\ab3054a54af3808532968a950a3ca056b4bf875d6cf51fc26309040446374b9e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Recollection Of My Mayor-time In Roberval(Denis Lebel).pdf
      2⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd3abc46f8,0x7ffd3abc4708,0x7ffd3abc4718
        3⤵
          PID:2336
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
          3⤵
            PID:208
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:676
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
            3⤵
              PID:4520
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
              3⤵
                PID:2392
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
                3⤵
                  PID:3656
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
                  3⤵
                    PID:4660
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
                    3⤵
                      PID:2752
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
                      3⤵
                        PID:4624
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6784 /prefetch:6
                        3⤵
                          PID:4112
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8159846274626822731,704700286038494661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:8
                          3⤵
                            PID:3780
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
                            3⤵
                              PID:3496
                          • C:\Users\Admin\AppData\Local\Temp\SVCHOST.exe
                            "C:\Users\Admin\AppData\Local\Temp\SVCHOST.exe"
                            2⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            PID:1176
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4284
                          • C:\Windows\System32\WaaSMedicAgent.exe
                            C:\Windows\System32\WaaSMedicAgent.exe 8cd9e4fd0d85482577e9d03b0544dcdd RtQv6Go+EUmv1nsbgWwDXw.0.1.0.0.0
                            1⤵
                            • Modifies data under HKEY_USERS
                            PID:1840
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                            1⤵
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2524
                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                            1⤵
                            • Enumerates system info in registry
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:400
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                            1⤵
                              PID:3464
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                              1⤵
                                PID:4076

                              Network

                              MITRE ATT&CK Matrix ATT&CK v6

                              Initial Access

                              Execution

                              Persistence

                              Registry Run Keys / Startup Folder

                              2
                              T1060

                              Privilege Escalation

                              Defense Evasion

                              Modify Registry

                              2
                              T1112

                              Credential Access

                              Discovery

                              Query Registry

                              2
                              T1012

                              System Information Discovery

                              3
                              T1082

                              Lateral Movement

                              Collection

                              Exfiltration

                              Command and Control

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\Recollection Of My Mayor-time In Roberval(Denis Lebel).pdf
                                MD5

                                d7fe76a07d0b3930057bff95ec82040b

                                SHA1

                                7aa5c183539cb5a3aac8dca29d1a7eb712a510e5

                                SHA256

                                e87aa4203e9ce19eb5ad1a50d4111d8fb9cbdf84c2ff21067a3f76a38b1411f0

                                SHA512

                                53da8a0da15d8173820686f25163271932d07f0c2f9f5583d93439bc4dfb240dd8538796d1288aa521cea5a00218a111f3f396c010524c562761a3eefdc5c2e5

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\SVCHOST.exe
                                MD5

                                2154815bb388e44567fd88f1a5351112

                                SHA1

                                492fe05bfc16d6b4571c64e9b04b7e5df8be1a9d

                                SHA256

                                c463de0b0334940ef533c9109f49edbb931b7c060c083ae2256a9c6ce389f95c

                                SHA512

                                77556679e86085d62b5831e4f2d56514e9472150cb9cefab82d48b55ccfcce4c137b9a3df294d4f459c3410902a86caf50b1c402490fa9dbe8dcde34c40923f1

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\SVCHOST.exe
                                MD5

                                2154815bb388e44567fd88f1a5351112

                                SHA1

                                492fe05bfc16d6b4571c64e9b04b7e5df8be1a9d

                                SHA256

                                c463de0b0334940ef533c9109f49edbb931b7c060c083ae2256a9c6ce389f95c

                                SHA512

                                77556679e86085d62b5831e4f2d56514e9472150cb9cefab82d48b55ccfcce4c137b9a3df294d4f459c3410902a86caf50b1c402490fa9dbe8dcde34c40923f1

                                Download Submit
                              • \??\pipe\LOCAL\crashpad_2684_JWCZUBXMFRCPQCGK
                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                Download Submit
                              • memory/208-133-0x00007FFD594D0000-0x00007FFD594D1000-memory.dmp
                                Filesize

                                4KB

                                Download
                              • memory/2524-193-0x000001C492F80000-0x000001C492F90000-memory.dmp
                                Filesize

                                64KB

                                Download
                              • memory/2524-200-0x000001C495D00000-0x000001C495D04000-memory.dmp
                                Filesize

                                16KB

                                Download