Analysis
- max time kernel: 167s
- max time network: 196s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-05-2022 23:14
Static task
- static1

Behavioral task
- behavioral1
  Sample: a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe
  Resource: win7-20220414-en

Behavioral task
- behavioral2
  Sample: a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe
  Resource: win10v2004-20220414-en
General
- Target: a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe
- Size: 5.0MB
- MD5: 42323246c59f61bfd143eb0071792077
- SHA1: 228dac3655f53569f4535ea9d74ee3814434021f
- SHA256: a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2
- SHA512: da8810ac726c95c44d699d1bbc916c77af6936cba199a261121a7f4533163ebd60a169254bc19174988a0828c5d7a1be9c0eae9d06b9c777aaceed9c2b9bc23a
Malware Config
Signatures
- Drops startup file (1 IoC)
  Processes:
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Certificate Manager.exe
  process: a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe

- HTTP links in PDF interactive object (1 IoC)
  Detects HTTP links in interactive objects within PDF files.
  Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\address.pdf
  yara_rule: pdf_with_link_action

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  pid 2000 AcroRd32.exe (4 events)

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  PID 1372 (a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe) wrote to memory of PID 1968 (explorer.exe) (3 events)
  PID 2016 (explorer.exe) wrote to memory of PID 2000 (AcroRd32.exe) (4 events)
Processes
- C:\Windows\explorer.exe (depth 1)
  command line: explorer.exe C:\Users\Admin\AppData\Local\Temp\"address.pdf

- C:\Users\Admin\AppData\Local\Temp\a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory

- C:\Windows\explorer.exe (depth 1)
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 2)
    command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\address.pdf"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\address.pdf
  Filesize: 580KB
  MD5: a3a2e63107bd3985b94c6b791422084f
  SHA1: f2481de7449382188a1fc945e2e834191b8cd9ce
  SHA256: 9910d30be27bd60fc384798bdd182984aa6091efe4803c5c95670e0273ec387b
  SHA512: b2fa008b4ae18b587d8c6f4c4db9f62b30ce548cb20b6189d5cbea8722429dbdb14f3ce7a683ea01f994f4017b007ec780b702803411343494f04e4feeff673c

- memory/1968-54-0x0000000000000000-mapping.dmp

- memory/1968-55-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp
  Filesize: 8KB

- memory/2000-58-0x00000000763E1000-0x00000000763E3000-memory.dmp
  Filesize: 8KB

- memory/2000-57-0x0000000000000000-mapping.dmp