Analysis

  • max time kernel
    145s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-07-2022 09:21

General

  • Target

    e269f955f008635d1df7033c38dd3f4049d15fa3ec74cff9db43d240282aff45.pdf

  • Size

    46KB

  • MD5

    8bdd2cdd39b2ad7b679faa50f629ce2b

  • SHA1

    30a585a33ab6a192758dfe07c375c0dca8fdaa66

  • SHA256

    e269f955f008635d1df7033c38dd3f4049d15fa3ec74cff9db43d240282aff45

  • SHA512

    3f49221e2b26e0da669890774c4776ffed0f871a519110d9ade975e6fa2c3a3adaec122b220520a2c9e2ea24a22e277860522aeabd23ddaf937889253e25ce24

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\e269f955f008635d1df7033c38dd3f4049d15fa3ec74cff9db43d240282aff45.pdf"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://worksflow.net/geoid
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1152
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x530
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1608
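The process tree above is the one security-relevant artifact in this report: opening the PDF made Adobe Reader (PID 1136) launch Internet Explorer with a URL on its command line, and the IE frame process (PID 980) then spawned its content process (its SCODEF:980 argument matches the frame's PID, which is ordinary IE behaviour). The Python below is an added example, not output of the sandbox or code belonging to this report: it rebuilds parent/child links from the tree's nesting depth, flags any document reader whose direct child is a browser carrying a URL, and collapses the URLs to hostnames for hunting. The reader and browser watch-lists and the row layout are assumptions; the rule is written for the general reader-to-browser pattern rather than only the Adobe Reader/IE pair shown here.

```python
import re
from dataclasses import dataclass
from ntpath import basename
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Rows transcribed from this report's process tree: (nesting depth, image, command line, PID).
# Depth is the number shown before the arrow on the page; parent PIDs are inferred from it.
REPORT_TREE = [
    (1, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
        r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" '
        r'"C:\Users\Admin\AppData\Local\Temp\e269f955f008635d1df7033c38dd3f4049d15fa3ec74cff9db43d240282aff45.pdf"',
        1136),
    (2, r"C:\Program Files\Internet Explorer\iexplore.exe",
        r'"C:\Program Files\Internet Explorer\iexplore.exe" https://worksflow.net/geoid', 980),
    (3, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
        r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:275457 /prefetch:2', 1152),
    (1, r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x530", 1608),
]

# Assumed watch-lists (not from the report): readers that rarely need to spawn a browser
# on their own, and the browsers they might spawn.
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe",
                    "powerpnt.exe", "foxitreader.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)


def build_tree(entries) -> List[Proc]:
    """Turn depth-annotated rows into Proc records with parent PIDs.

    A stack of (depth, pid) tracks the current ancestry: a row at depth d is the child
    of the nearest preceding row with a smaller depth, and a depth-1 row starts a new root.
    """
    procs, stack = [], []
    for depth, image, cmdline, pid in entries:
        while stack and stack[-1][0] >= depth:
            stack.pop()
        ppid = stack[-1][1] if stack else None
        procs.append(Proc(pid, ppid, image, cmdline))
        stack.append((depth, pid))
    return procs


def reader_spawned_browser(procs: List[Proc]) -> List[Tuple[int, int, List[str]]]:
    """Return (reader_pid, browser_pid, urls) for every browser whose direct parent is a reader.

    A browser whose parent is another browser (IE's frame -> content process, SCODEF:<frame pid>)
    is not reported, since that edge is normal browser behaviour.
    """
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is None:
            continue
        if basename(p.image).lower() in BROWSERS and basename(parent.image).lower() in DOCUMENT_READERS:
            hits.append((parent.pid, p.pid, URL_RE.findall(p.cmdline)))
    return hits


def network_iocs(hits) -> set:
    """Collapse flagged URLs to hostnames for blocklisting or DNS/proxy log hunting."""
    return {urlparse(u).hostname for _, _, urls in hits for u in urls}


if __name__ == "__main__":
    tree = build_tree(REPORT_TREE)
    hits = reader_spawned_browser(tree)
    for reader_pid, browser_pid, urls in hits:
        print("reader pid %d spawned browser pid %d with %s" % (reader_pid, browser_pid, urls))
    print("hosts:", network_iocs(hits))
```

Run on the rows from this page, the rule fires once, on the AcroRd32.exe (1136) to iexplore.exe (980) edge, and yields worksflow.net as the host to pivot on; the 980 to 1152 edge and AUDIODG.EXE produce nothing. On real endpoint telemetry the same logic applies directly to process-creation events that already carry a parent PID, so `build_tree` is only needed for indentation-encoded trees like this one.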

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    340B

    MD5

    25f8406663671efabf802488b3b5fdf7

    SHA1

    d97abce37d936cfce0ee5f841e53018a8017d7f4

    SHA256

    631701cce37195687dd60be80971524a41cd6fd3c342e2746d897f20dec2bae3

    SHA512

    e44c9029d5229a2764ba0b0a6ecd26f96f3f0986d20b3859102adee25827f1ea53e00cc2c945c9c58e363c2e4ac780df3e5e872489bddb221f7524975506f50f

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lvx0ibj\imagestore.dat

    Filesize

    4KB

    MD5

    82e6c39a4e2348d40364d123db19335d

    SHA1

    40d0ca253197c8e72ff77e11b463c3ed68d6f262

    SHA256

    6287621c2345e1953e5d20d45792ee26cc06c100e3fb14208dc69d1f117a1872

    SHA512

    690446548b907d15fc054f06566e576f881f02de3a41e6dcc308bc5c4fed02b1ae8c71090c275949a06df846646ee38d4eb6ba1627acd5ce7e77ea19dd1dab95

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C9MC7XMT.txt

    Filesize

    606B

    MD5

    41a54d0a5486f4c5d34c0e0757d2335a

    SHA1

    be4caa17fb1b1dd2d30e56fbba9bcf868c9bd80b

    SHA256

    58d90c8ca184cb235115082d3b784473ca1c81e005eefbcf945a95fb392eb580

    SHA512

    63b04b53f8a0267fdc34605cccc78514a277b9fc402a5ca2eaac99b92d6dcf7fb3e52147f51d531835e174f96c7a03374e8c41f33f666f5d5c3029c1a9a40d3b

  • memory/1136-54-0x0000000075681000-0x0000000075683000-memory.dmp

    Filesize

    8KB