a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2

Analysis

Target

a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe
Size

5.0MB
MD5

42323246c59f61bfd143eb0071792077
SHA1

228dac3655f53569f4535ea9d74ee3814434021f
SHA256

a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2
SHA512

da8810ac726c95c44d699d1bbc916c77af6936cba199a261121a7f4533163ebd60a169254bc19174988a0828c5d7a1be9c0eae9d06b9c777aaceed9c2b9bc23a

Score

7^/10

link pdf

Drops startup file 1 IoCs

Processes:

a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Certificate Manager.exe	a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\address.pdf	pdf_with_link_action

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

2000 AcroRd32.exe
2000 AcroRd32.exe
2000 AcroRd32.exe
2000 AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exeexplorer.exe

description	pid	process	target process
PID 1372 wrote to memory of 1968	1372	a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe	explorer.exe
PID 1372 wrote to memory of 1968	1372	a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe	explorer.exe
PID 1372 wrote to memory of 1968	1372	a6861bd9915fd262288a5791c06b5225eadb5f6a41164a748413c366ccfcc9f2.exe	explorer.exe
PID 2016 wrote to memory of 2000	2016	explorer.exe	AcroRd32.exe
PID 2016 wrote to memory of 2000	2016	explorer.exe	AcroRd32.exe
PID 2016 wrote to memory of 2000	2016	explorer.exe	AcroRd32.exe
PID 2016 wrote to memory of 2000	2016	explorer.exe	AcroRd32.exe

C:\Windows\explorer.exe
explorer.exe C:\Users\Admin\AppData\Local\Temp\"address.pdf
1⤵
PID:1968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\address.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Users\Admin\AppData\Local\Temp\address.pdf
Filesize
580KB

MD5
a3a2e63107bd3985b94c6b791422084f

SHA1
f2481de7449382188a1fc945e2e834191b8cd9ce

SHA256
9910d30be27bd60fc384798bdd182984aa6091efe4803c5c95670e0273ec387b

SHA512
b2fa008b4ae18b587d8c6f4c4db9f62b30ce548cb20b6189d5cbea8722429dbdb14f3ce7a683ea01f994f4017b007ec780b702803411343494f04e4feeff673c

Download Submit
memory/1968-54-0x0000000000000000-mapping.dmp

Download
memory/1968-55-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download
memory/2000-58-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/2000-57-0x0000000000000000-mapping.dmp

Download