Analysis
max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
22/09/2022, 15:11
Static task
static1
Behavioral task
behavioral1
Sample
10935009_pdf.js
Resource
win7-20220812-en
General
Target
10935009_pdf.js
Size
348KB
MD5
c6364fd257b51beb031c4745e31dcf74
SHA1
277115c94f56547ee4499c9280a23da6fff9b060
SHA256
29e1cf438fcd048f5ddaf71c092127c0d2eaae73f202b200a53e0ec3010f35a0
SHA512
cd035d6c963daef3da8d0c1d86620f39ad8e4b3e317532018f8bdd5fbed31fb26f5ce499c22b74c11581897e83c03007925418d269b730df5165ea56b11a3cc6
SSDEEP
6144:9aOWRyX3U5uw1WNOB5uIa6We0/oken9Tm0D4cWSB/LxPCTxUOHe:CQ0LP2Ia6Ws9Tmo4pSB/FC13+
Malware Config
Extracted
formbook
xrob
dV8FCtdWdnfMJ9thh8l/
IJG6Bh4iMeHVBHNp2MrpTA==
NhPKKtmQxnHYF/80
f4M2RhGEf3Ot13+qLrKqxb9f3dXj9Q==
A/689/MibSRBgkPkx07m+H+g
e8OOkUu9y/uYCMsdrR3s0mODmGw3d8t9Og==
gLN5bn+Zq1VQXmOOvw==
NFcQGvViY5sxmkty83Fde4GQhg==
XWMfFSM3f7GT9w==
Ih6vvqf9R8gDObM=
FGAlLASHlpLaUUKUJIwm9ABQ2Js=
v8R615LDC8iWchwv
m+u3rLUxScgDObM=
jc3eahERf7GT9w==
TYNBVDadkpTF76HeNl/rbwWtLSbyPzM=
j6NQmhWeOi2B
aqJocUfM3v97ryScY6EiSMbVyBak
V7nYOyEZKa2J/KKh5RMhJrbyK/eC/Q==
8zPsAt3ejcgDObM=
Rpe+BrGBzpGa9q8FHKpi
/WmW2322D7fNRPTILa58Juqk/ZM=
+RXDz2RnrG6J
G2uU9LualUtez4NigNITbgyuIybyPzM=
edeuu22xD1rTFu+ci/JLpyGuIybyPzM=
pP8hbRJZqelZrXS+HWDm+H+g
8STQ6HSb4lE4XmOOvw==
hr/lDpXMc4jYF/80
zQ/HzrVdryLZMvhEZ+Y=
HV4gPCecmZPFL8v1N6x1
LEf38qRZvLgqVfTXPa19
7euZ5pxpp2ZtrYb1N6x1
iqU5LgL782FBXmOOvw==
gtbwN+MldLRNoQZhh8l/
WUgMbA3KHBFYvlM6xk7m+H+g
b1zuBfz/FgrL92U4
Q6jeIxKBj5a+66DmTJCE7LZkK/eC/Q==
5BnV1pTXMa+W8aXGFVdhe4GQhg==
0UIRgvizzg8=
Cf/BDgD1/4JpqGQveZhw
+SPb0ojBEZzzTLk=
1ihEmlgPYYcJPPhEZ+Y=
va9ioKotR8gDObM=
66NR6ZvZGVfLLgOkSXLm+H+g
s7Ftp5/JE9zxPsv1N6x1
OZjAEbHmQr57flVNog==
SWYQJhbPGKdlXmOOvw==
D2UxQCXKFoVIoSu9IHUrWw==
ISLrKBL7AbPbCiJc5FAkMhM=
yhErdYm07KzDN9oFHKpi
vL5nTlhRf7GT9w==
p/wcbinhJe3eP90FHKpi
JCG1tJvLI+MUMwHVtw==
YKGzBi9gqWJ7tXgqW9cve4GQhg==
GzDd8t2F3lM7nzQw0Urm+H+g
gHo/fQEoa6tAVjiEqA==
zQ7U6cY1RYcJPPhEZ+Y=
BEEFEwEwYhkxlEUD+TMJnhs=
wfubpSsNjM5t4sOGqWbFp+K6pc/n9Q==
NntHSf0ybNuawX/q4Blh68nzK/eC/Q==
BVRywXVfdfjPK+DImLD3SQBQ2Js=
pOOyL/izzg8=
2c2Sxo8iuKv0L78=
wRU0iU8CRLSS9Q==
+Sjk78IvKRNv364HcZ4l+bAXxhes
pauloeamanda.com
Signatures

Blocklisted process makes network request (17 IoCs)
flow | pid | Process
4 | 1076 | wscript.exe
5 | 1076 | wscript.exe
10 | 584 | cmd.exe
11 | 1076 | wscript.exe
16 | 1076 | wscript.exe
22 | 1076 | wscript.exe
27 | 1076 | wscript.exe
31 | 1076 | wscript.exe
36 | 1076 | wscript.exe
41 | 1076 | wscript.exe
47 | 1076 | wscript.exe
51 | 1076 | wscript.exe
56 | 1076 | wscript.exe
63 | 1076 | wscript.exe
67 | 1076 | wscript.exe
72 | 1076 | wscript.exe
78 | 1076 | wscript.exe

Executes dropped EXE (1 IoCs)
pid | Process
2020 | bin.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation | bin.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njdKUZLNhC.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njdKUZLNhC.js | wscript.exe

Loads dropped DLL (1 IoCs)
pid | Process
584 | cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2020 set thread context of 1256 | 2020 | bin.exe | 13
PID 584 set thread context of 1256 | 584 | cmd.exe | 13

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (1 IoCs)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmd.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid | Process
2020 | bin.exe
2020 | bin.exe
2020 | bin.exe
2020 | bin.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | Process
2020 | bin.exe
2020 | bin.exe
2020 | bin.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe
584 | cmd.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2020 | bin.exe
Token: SeDebugPrivilege | 584 | cmd.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1256 | Explorer.EXE
1256 | Explorer.EXE

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1256 | Explorer.EXE
1256 | Explorer.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 1948 wrote to memory of 1076 | 1948 | wscript.exe | 27
PID 1948 wrote to memory of 1076 | 1948 | wscript.exe | 27
PID 1948 wrote to memory of 1076 | 1948 | wscript.exe | 27
PID 1948 wrote to memory of 2020 | 1948 | wscript.exe | 28
PID 1948 wrote to memory of 2020 | 1948 | wscript.exe | 28
PID 1948 wrote to memory of 2020 | 1948 | wscript.exe | 28
PID 1948 wrote to memory of 2020 | 1948 | wscript.exe | 28
PID 1256 wrote to memory of 584 | 1256 | Explorer.EXE | 30
PID 1256 wrote to memory of 584 | 1256 | Explorer.EXE | 30
PID 1256 wrote to memory of 584 | 1256 | Explorer.EXE | 30
PID 1256 wrote to memory of 584 | 1256 | Explorer.EXE | 30
PID 584 wrote to memory of 1304 | 584 | cmd.exe | 33
PID 584 wrote to memory of 1304 | 584 | cmd.exe | 33
PID 584 wrote to memory of 1304 | 584 | cmd.exe | 33
PID 584 wrote to memory of 1304 | 584 | cmd.exe | 33
PID 584 wrote to memory of 1304 | 584 | cmd.exe | 33
Processes (indentation shows the parent/child relationship)

C:\Windows\Explorer.EXE (PID 1256)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wscript.exe (PID 1948)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\10935009_pdf.js
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe (PID 1076)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\njdKUZLNhC.js"
      - Blocklisted process makes network request
      - Drops startup file
    C:\Users\Admin\AppData\Local\Temp\bin.exe (PID 2020)
      command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 584)
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1304)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize
185KB
MD5
26db0806c0871f293a77e5d5676e2fd8
SHA1
7c17ccce454d81bb999c04d45e9e4913969a73ee
SHA256
2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66
SHA512
0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

Filesize
5KB
MD5
774056eb9cff6381f64e2c3450308480
SHA1
64c0ce514a5099f26f29704d4f26f997dcb01002
SHA256
0e6fb5c470045032112462913660c348ea900d428ea7d6eba247262a2f0d4ec8
SHA512
532650f4060f602e2d4c8f31c97a3293fefd77757835061ca9dd0ca01e8df479fff0cb5924af7bb9c97d30ff6317a9a3c73e81afcb643cc9b5037d6255ccaf03

Filesize
841KB
MD5
5fc6cd5d5ca1489d2a3c361717359a95
SHA1
5c630e232cd5761e7a611e41515be4afa3e7a141
SHA256
85c8b8a648c56cf5f063912e0e26ecebb90e0caf2f442fd5cdd8287301fe7e81
SHA512
5f9124a721f6b463d4f980920e87925098aa753b0fa2a59a3ff48b48d2b1a45d760fd46445414d84fb66321181cd2c82a4194361811114c15e35b42f838ab792