Overview

overview

6

Static

static

3

SecurePaym...et.pdf

windows7-x64

6

SecurePaym...et.pdf

windows10-2004-x64

1

Analysis

  • max time kernel
    415s
  • max time network
    418s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2022 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecurePayment_HealthNet.pdf

  • Size

    23KB

  • MD5

    10a075ce1ee756195cdcf53ab543c28b

  • SHA1

    a1df7aa413b196c8e66e3567ee166e5441e5a0a1

  • SHA256

    d950627ba013c91ea5fce0503032f797fc523e7e4f3a6547ae8c9b25cc0dfbd7

  • SHA512

    194abdc5d209022e034ad384ece64c5e7909f04db1809cf60692fec573f2f019969f2a413eee44564b6afee74ad9f6ffc6ded43f2ca3e94abbdbb402a4e4c233

  • SSDEEP

    384:8O4hg9ui9E0Vxo+oVORBAFcUDZw6zGCUSRb5eWnP0bUOCUSN:8OWgwi9E8xGVOEqOwLCbVsNK

Score
6/10
collection

Malware Config

Signatures

  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
    collection
  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SecurePayment_HealthNet.pdf"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://dik.si/mWTeL
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\SysWOW64\msdt.exe
          -modal 65986 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFABEC.tmp -ep NetworkDiagnosticsWeb
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          PID:536
    • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
      "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • outlook_win_path
      PID:1528
  • C:\Windows\SysWOW64\sdiagnhost.exe
    C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
    1⤵
      PID:1828

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      340B

      MD5

      4045ec2e5c76962fabeab02cd54aee08

      SHA1

      bb5fe422ad47ac440dc73ec2838611abd34f9dc1

      SHA256

      6af18d020af3b6e4dddf28b6a79e8770282ab2c17b32f22c88e7229410a97731

      SHA512

      d09bcd2983ec80f97b51341ff0bd9a4aa506cf1a1e08c8c1e250728e8d4126f1b59806bd10d79a3974228c91efc5870bb42628fba755a960a125449f8dda5f20

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\NDFABEC.tmp
      Filesize

      3KB

      MD5

      6bc8d5d12aa69b08b74b877eea7e304c

      SHA1

      4b146cdb7546cc168702fb949563fdd90c325390

      SHA256

      78beb83f08c088d6624ac6941449c3ad990eeb7cd743a65bfb4a0dc488127c0f

      SHA512

      99ff4ae55db436d9ffa06497fbd233976f6ecc702b257a735db6610d783842424f3555a314b3429fb848170cfc6e8bc3109ea1d9a867c641fc48ea6eea90b5d9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ESVOYMJQ.txt
      Filesize

      601B

      MD5

      5cbf0df89c5bf324d02e53cae39b925c

      SHA1

      d79df38f090f1c931355144aff3f40d15552a9e2

      SHA256

      2a05d518c86e662904a55786a6cbe43d7c39368f2cea5efecff743d1fc58d387

      SHA512

      5380e3c1ccc6a93486196c2a4cffc62cb0d9109bbff67efee107fb3047eb17981c227aa3251e5745dcf18e8b4264147270841c9ced5ce739fa2a739046b5a924

      Download Submit

    • C:\Windows\TEMP\SDIAG_45dafa9d-cadd-4e56-8920-69e71bfe79b8\NetworkDiagnosticsTroubleshoot.ps1
      Filesize

      23KB

      MD5

      1d192ce36953dbb7dc7ee0d04c57ad8d

      SHA1

      7008e759cb47bf74a4ea4cd911de158ef00ace84

      SHA256

      935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

      SHA512

      e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

      Download Submit

    • C:\Windows\TEMP\SDIAG_45dafa9d-cadd-4e56-8920-69e71bfe79b8\UtilityFunctions.ps1
      Filesize

      52KB

      MD5

      2f7c3db0c268cf1cf506fe6e8aecb8a0

      SHA1

      fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

      SHA256

      886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

      SHA512

      322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

      Download Submit

    • C:\Windows\TEMP\SDIAG_45dafa9d-cadd-4e56-8920-69e71bfe79b8\UtilitySetConstants.ps1
      Filesize

      2KB

      MD5

      0c75ae5e75c3e181d13768909c8240ba

      SHA1

      288403fc4bedaacebccf4f74d3073f082ef70eb9

      SHA256

      de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

      SHA512

      8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

      Download Submit

    • C:\Windows\TEMP\SDIAG_45dafa9d-cadd-4e56-8920-69e71bfe79b8\en-US\LocalizationData.psd1
      Filesize

      5KB

      MD5

      dc9be0fdf9a4e01693cfb7d8a0d49054

      SHA1

      74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

      SHA256

      944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

      SHA512

      92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

      Download Submit

    • memory/536-55-0x0000000000000000-mapping.dmp

      Download

    • memory/536-58-0x000000006D811000-0x000000006D813000-memory.dmp

      Filesize

      8KB

      Download

    • memory/752-54-0x0000000075841000-0x0000000075843000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1528-68-0x00000000689FD000-0x0000000068A08000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1528-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1528-66-0x0000000067A11000-0x0000000067A13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1528-65-0x0000000000000000-mapping.dmp

      Download

    • memory/1828-70-0x000000006D190000-0x000000006D73B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1828-60-0x000000006D190000-0x000000006D73B000-memory.dmp

      Filesize

      5.7MB

      Download