Analysis

  • max time kernel: 150s
  • max time network: 143s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 27-04-2022 14:43

General

  • Target: NOTIFICACION DE TRANSFERENCIA.pdf
  • Size: 27KB
  • MD5: 3beab282bacd77f411e71edd1ee7fad3
  • SHA1: 061dcd99c124ddc93262c3e18a8fa1bfcc9f0412
  • SHA256: 89694b9f2f390337f9a8a2dbb7a5fe10182b2a81e9beee9d35605dd130f4dc46
  • SHA512: e96f27b9f4e9e9dceb15d46527de687a08ec0296cc7b9d34ec30b594c8a3c743fad9412179c6bd45c23e5a7a5a5e2188e93d408c892f64dc5a0499260cf80017

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 23 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NOTIFICACION DE TRANSFERENCIA.pdf"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/u5_trans_fer_noti_ficatio_0055
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1780
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM59SHP3\NOTIFICACION DE TRANSFERENCIA_27D5.rar
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM59SHP3\NOTIFICACION DE TRANSFERENCIA_27D5.rar"
          4⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:1132

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 2
  • Discovery: System Information Discovery (T1082), 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: fbf0c960193ee798db32b4058ba0be82
    SHA1: 2eea6239dd5dd15309e5b3ff47adad471fc0af03
    SHA256: 05a57f628f3a807b465d64460e9c5567ed0e4e7dd48175ad5bdbaa3c6637d71b
    SHA512: 68190c7c5f0e082b561a3d6ceae80ede6cac337770a647128472cf3c367b3768f357d9167b67cf4fb21810d1647bd239522039657c9826cae8729ac9d7cda188

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YM59SHP3\NOTIFICACION DE TRANSFERENCIA_27D5.rar.p6weeyt.partial
    Filesize: 4.7MB
    MD5: 2e963d92bddf62381811770c4ed33e1a
    SHA1: 4ec83d0436ad8e47cafaed56756ad3e0ada59b68
    SHA256: b3dd9f3d0c64eaa8c9714eeb95a8d3cd4bbfe1ea5777d5589c5a8936a37a051f
    SHA512: 3af721f76778cf104c2e1447cb54c250ae2480ff5f2ee126d88c6cf36ab95d45ceebfc7937c00cdc6f9267bc78432e37cee083aa0a55e155388e902430a85d01

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8HGH5BMA.txt
    Filesize: 600B
    MD5: 213ec9f4c19931d383887f373dc6b3e3
    SHA1: f9d59526b1f19f0f629c44eab7e9f39e7f635540
    SHA256: 28fb17ae572717f533976b536fe4cc21304a4f845c30ca5a355c91b9e118701e
    SHA512: 34cd1a0c5ee9d6433bc5663becec431b616362ddaff2025dbccd6a644befd023fd2c4b6a5313f9dc0ef7025c02f93faa75cbf5f26a3d3f0d42c0f72e67a6890a

  • memory/1132-58-0x0000000000000000-mapping.dmp
  • memory/1504-56-0x0000000000000000-mapping.dmp
  • memory/1504-57-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp
    Filesize: 8KB
  • memory/1556-54-0x00000000761F1000-0x00000000761F3000-memory.dmp
    Filesize: 8KB