Analysis
- max time kernel: 81s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:21
- Static task static1
- Behavioral task behavioral1: Sample "Company Presentation~pdf.exe", Resource win7-20220414-en
- Behavioral task behavioral2: Sample "Company Presentation~pdf.exe", Resource win10v2004-20220414-en
- Behavioral task behavioral3: Sample "Infrared Thermometer~pdf.exe", Resource win7-20220414-en
- Behavioral task behavioral4: Sample "Infrared Thermometer~pdf.exe", Resource win10v2004-20220414-en
- Behavioral task behavioral5: Sample "Mask samples & qty needed~pdf.exe", Resource win7-20220414-en
- Behavioral task behavioral6: Sample "Mask samples & qty needed~pdf.exe", Resource win10v2004-20220414-en
General
- Target: Mask samples & qty needed~pdf.exe
- Size: 1.2MB
- MD5: cbc2a4c4b531711337eb807fbd082adc
- SHA1: f9114fe1e6ebe680831900fce56fde5ed2a748eb
- SHA256: 2ae247545c4291da9b83ad9ba0c6af00bd80c896a3fb9fafd028e09444bf3baf
- SHA512: e5649d648c989049af1dd13c12f397483935d019e93e655801f51f642f7db8bd536c945b4ef92a1f46ff73e8e8952ddb397857c935408e52862543c0a58a92e2
Malware Config
Signatures
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfuoM = "C:\\TBHNEBSE\\OfuoMN\\OfuoMNeUP.vbs" | Mask samples & qty needed~pdf.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | Mask samples & qty needed~pdf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Mask samples & qty needed~pdf.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1932 set thread context of 2044 | 1932 | Mask samples & qty needed~pdf.exe | InstallUtil.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2044 | InstallUtil.exe
  2044 | InstallUtil.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | process
  1932 | Mask samples & qty needed~pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2044 | InstallUtil.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  2044 | InstallUtil.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  description | pid | process | target process
  PID 1932 wrote to memory of 2044 | 1932 | Mask samples & qty needed~pdf.exe | InstallUtil.exe (8 identical entries)
  PID 2044 wrote to memory of 436 | 2044 | InstallUtil.exe | REG.exe (4 identical entries)
  PID 2044 wrote to memory of 1364 | 2044 | InstallUtil.exe | netsh.exe (4 identical entries)
- outlook_office_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Mask samples & qty needed~pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mask samples & qty needed~pdf.exe"
  Signatures:
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    Command line: "C:\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    Child processes:
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      Signatures:
      - Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/436-60-0x0000000000000000-mapping.dmp
- memory/1364-61-0x0000000000000000-mapping.dmp
- memory/1932-54-0x0000000000CD0000-0x0000000000E00000-memory.dmp (filesize 1.2MB)
- memory/1932-55-0x0000000000C30000-0x0000000000CB0000-memory.dmp (filesize 512KB)
- memory/1932-56-0x0000000000200000-0x0000000000203000-memory.dmp (filesize 12KB)
- memory/2044-57-0x000000000044A6EE-mapping.dmp
- memory/2044-58-0x00000000757C1000-0x00000000757C3000-memory.dmp (filesize 8KB)
- memory/2044-59-0x00000000735B0000-0x0000000073B5B000-memory.dmp (filesize 5.7MB)