9d7f63ff52fbd0c5850a599fc8e3b6999fc93b742333d85275db9ee547c4348a

Analysis

max time kernel
592s
max time network
616s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
10-08-2022 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document.pdf.exe
Size

362.9MB
MD5

23531c33d025a8e7466511284ecaf046
SHA1

f93032d253b36df7a339a22bacfd3aaf2827a1af
SHA256

9d7f63ff52fbd0c5850a599fc8e3b6999fc93b742333d85275db9ee547c4348a
SHA512

3430525b0a078bd3e2af8e5c1ffc2b99319487d9736924c98a937a771aeb26908f711a01ea1208553f29e11f146d12285fbca53b71209e00668e023af7fc51a8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SETUP_~2.EXE

pid process

1584 SETUP_~2.EXE

pid	process
1584	SETUP_~2.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Document.pdf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Document.pdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Document.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SETUP_~2.EXE

description pid process

Token: SeDebugPrivilege 1584 SETUP_~2.EXE

description	pid	process
Token: SeDebugPrivilege	1584	SETUP_~2.EXE

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Document.pdf.exe

description	pid	process	target process
PID 1672 wrote to memory of 1584	1672	Document.pdf.exe	SETUP_~2.EXE
PID 1672 wrote to memory of 1584	1672	Document.pdf.exe	SETUP_~2.EXE
PID 1672 wrote to memory of 1584	1672	Document.pdf.exe	SETUP_~2.EXE
PID 1672 wrote to memory of 1584	1672	Document.pdf.exe	SETUP_~2.EXE
PID 1672 wrote to memory of 1584	1672	Document.pdf.exe	SETUP_~2.EXE
PID 1672 wrote to memory of 1584	1672	Document.pdf.exe	SETUP_~2.EXE
PID 1672 wrote to memory of 1584	1672	Document.pdf.exe	SETUP_~2.EXE

C:\Users\Admin\AppData\Local\Temp\Document.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Document.pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
Filesize
333.8MB

MD5
eb7ff434c93e6bf312ad028178e25183

SHA1
bbea766fe135a3ef4e9e13f3e5c933a22a9adeed

SHA256
7b4b6a198ec51d960953b6b973985096fa796927fdd1b0552e7455a725c2ea0b

SHA512
56ce9597203a3b960d0824036dfa693f31d81815effdeecc843c7d1d0c4e8c71396d5bb232cc39eff34fefce1eac29d7753cc19f2f0873690bba8ce853d3a874

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
Filesize
333.8MB

MD5
eb7ff434c93e6bf312ad028178e25183

SHA1
bbea766fe135a3ef4e9e13f3e5c933a22a9adeed

SHA256
7b4b6a198ec51d960953b6b973985096fa796927fdd1b0552e7455a725c2ea0b

SHA512
56ce9597203a3b960d0824036dfa693f31d81815effdeecc843c7d1d0c4e8c71396d5bb232cc39eff34fefce1eac29d7753cc19f2f0873690bba8ce853d3a874

Download Submit
memory/1584-54-0x0000000000000000-mapping.dmp

Download
memory/1584-57-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1584-58-0x0000000076291000-0x0000000076293000-memory.dmp

Filesize
8KB

Download