Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/09/2022, 15:11
Static task: static1
Behavioral task: behavioral1
Sample: 10935009_pdf.js
Resource: win7-20220812-en
General
Target: 10935009_pdf.js
Size: 348KB
MD5: c6364fd257b51beb031c4745e31dcf74
SHA1: 277115c94f56547ee4499c9280a23da6fff9b060
SHA256: 29e1cf438fcd048f5ddaf71c092127c0d2eaae73f202b200a53e0ec3010f35a0
SHA512: cd035d6c963daef3da8d0c1d86620f39ad8e4b3e317532018f8bdd5fbed31fb26f5ce499c22b74c11581897e83c03007925418d269b730df5165ea56b11a3cc6
SSDEEP: 6144:9aOWRyX3U5uw1WNOB5uIa6We0/oken9Tm0D4cWSB/LxPCTxUOHe:CQ0LP2Ia6Ws9Tmo4pSB/FC13+
Malware Config
Extracted
formbook
xrob
pauloeamanda.com
Signatures

Blocklisted process makes network request 17 IoCs
flow  pid   Process
7     3076  wscript.exe
19    3076  wscript.exe
23    3076  wscript.exe
27    3076  wscript.exe
55    3076  wscript.exe
60    3076  wscript.exe
67    3076  wscript.exe
74    3076  wscript.exe
80    3076  wscript.exe
85    3076  wscript.exe
91    3076  wscript.exe
96    3076  wscript.exe
100   3076  wscript.exe
106   3076  wscript.exe
110   3076  wscript.exe
115   3076  wscript.exe
119   3076  wscript.exe
Executes dropped EXE 1 IoCs
pid  Process
208  bin.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                      Process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  bin.exe
Drops startup file 2 IoCs
description                   ioc                                                                                      Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njdKUZLNhC.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njdKUZLNhC.js  wscript.exe
Suspicious use of SetThreadContext 2 IoCs
description                           pid   Process       procid_target
PID 208 set thread context of 2440    208   bin.exe       47
PID 4516 set thread context of 2440   4516  raserver.exe  47
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
description  ioc                                                                                                              Process
Key created  \Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  raserver.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process       Occurrences
208   bin.exe       8
4516  raserver.exe  56
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2440  Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
pid   Process       Occurrences
208   bin.exe       3
4516  raserver.exe  4
Suspicious use of AdjustPrivilegeToken 4 IoCs
description                       pid   Process
Token: SeDebugPrivilege           208   bin.exe
Token: SeDebugPrivilege           4516  raserver.exe
Token: SeShutdownPrivilege        2440  Explorer.EXE
Token: SeCreatePagefilePrivilege  2440  Explorer.EXE
Suspicious use of WriteProcessMemory 11 IoCs
description                        pid   Process       procid_target
PID 1884 wrote to memory of 3076   1884  wscript.exe   85
PID 1884 wrote to memory of 3076   1884  wscript.exe   85
PID 1884 wrote to memory of 208    1884  wscript.exe   86
PID 1884 wrote to memory of 208    1884  wscript.exe   86
PID 1884 wrote to memory of 208    1884  wscript.exe   86
PID 2440 wrote to memory of 4516   2440  Explorer.EXE  87
PID 2440 wrote to memory of 4516   2440  Explorer.EXE  87
PID 2440 wrote to memory of 4516   2440  Explorer.EXE  87
PID 4516 wrote to memory of 2832   4516  raserver.exe  94
PID 4516 wrote to memory of 2832   4516  raserver.exe  94
PID 4516 wrote to memory of 2832   4516  raserver.exe  94
Processes

C:\Windows\Explorer.EXE (PID 2440)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe (PID 1884)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\10935009_pdf.js
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe (PID 3076)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\njdKUZLNhC.js"
      - Blocklisted process makes network request
      - Drops startup file

    C:\Users\Admin\AppData\Local\Temp\bin.exe (PID 208)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\raserver.exe (PID 4516)
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 2832)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 185KB
MD5: 26db0806c0871f293a77e5d5676e2fd8
SHA1: 7c17ccce454d81bb999c04d45e9e4913969a73ee
SHA256: 2c623f8e02e0aef43501e320fd20a3b407dcf35676e6620574bf7e8ce4844e66
SHA512: 0dac19dab4827a036a4e42371807639a4c378b440c3edc9ae30171cfb62a894243dc55ad5145434fac384aa37dd32381d148757e35c08300bbfe45c4cb85c09f

Filesize: 5KB
MD5: 774056eb9cff6381f64e2c3450308480
SHA1: 64c0ce514a5099f26f29704d4f26f997dcb01002
SHA256: 0e6fb5c470045032112462913660c348ea900d428ea7d6eba247262a2f0d4ec8
SHA512: 532650f4060f602e2d4c8f31c97a3293fefd77757835061ca9dd0ca01e8df479fff0cb5924af7bb9c97d30ff6317a9a3c73e81afcb643cc9b5037d6255ccaf03