11e329f394675a2cf12b6c20ccd696ba555838872e4ec93797186683fe68588e

General

Target

SumatraPDF-3.4-64-install.exe
Size

7.1MB
MD5

92cd610bc19dc7a462aa8ca52a8cf0cf
SHA1

6f2c728a604efa75302097e66aebb91bbd828f82
SHA256

1d24e11ea522c4bdbdb20b0f112fba5ceaa0e4eddf2227cf7310c8da4b123bbd
SHA512

54afab5f75fbbd3289f5ea106dff53df3e0547e05b0c31474165b18433c268ff6ee8f111ea0baffdc85c4a63b27df0102db884a48c3af1d53c7ec87e90770417
SSDEEP

196608:LTxCcXis/+6yoGetiKQPKV6I6YZvbr8AKXI:h7+6Bt+ParZvb/SI

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SumatraPDF.exe

pid process

5048 SumatraPDF.exe
Loads dropped DLL 1 IoCs

Processes:

SumatraPDF.exe

pid process

5048 SumatraPDF.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5048	SumatraPDF.exe

pid	process
5048	SumatraPDF.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SumatraPDF.exeSumatraPDF-3.4-64-install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SumatraPDF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	SumatraPDF-3.4-64-install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString	SumatraPDF-3.4-64-install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SumatraPDF-3.4-64-install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SumatraPDF-3.4-64-install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	SumatraPDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString	SumatraPDF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SumatraPDF.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SumatraPDF-3.4-64-install.exeSumatraPDF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SumatraPDF-3.4-64-install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	SumatraPDF-3.4-64-install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SumatraPDF-3.4-64-install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SumatraPDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	SumatraPDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SumatraPDF.exe

Modifies registry class 64 IoCs

Processes:

SumatraPDF-3.4-64-install.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.oxps\OpenWithProgids\SumatraPDF.oxps = "0"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.cbz\DefaultIcon	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.cbz\shell\open\command	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.cb7\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.mobi\Application\ApplicationName = "SumatraPDF"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.azw\OpenWithProgids	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.pdf\DefaultIcon	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.pdf\shell\PrintTo	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.gif\shell\open\Icon = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.azw4\Application\ApplicationName = "SumatraPDF"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.azw4\shell\open\command	SumatraPDF-3.4-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.cbr\OpenWithProgids\SumatraPDF.cbr = "0"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.djvu	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.azw\ = "AZW File"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.fb2\shell\open	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.fb2z\shell\open	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.prc\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.oxps\DefaultIcon	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.cbz	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.tiff	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.mobi\Application\ApplicationCompany = "Krzysztof Kowalczyk"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.azw\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.fb2\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.fb2z\Application\ApplicationName = "SumatraPDF"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.png	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.png\shell\open\Icon = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.pdf\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.xps\Application\ApplicationName = "SumatraPDF"	SumatraPDF-3.4-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.jpeg\OpenWithProgids\SumatraPDF.jpeg = "0"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.azw\shell\open\command	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.azw3\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.prc\OpenWithProgids	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.jpeg\OpenWithProgids	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.cb7\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe,-4"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.chm\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.tga\OpenWithProgids	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.mobi\shell	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.tiff\ = "TIFF File"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.epub\ = "EPUB File"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.epub\Application	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.jp2\shell	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.chm\Application\ApplicationName = "SumatraPDF"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.tif\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.oxps\Application	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.cbz\Application\ApplicationName = "SumatraPDF"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.cbt\Application\ApplicationName = "SumatraPDF"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.djvu\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.mobi\ = "MOBI File"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.mobi\Application	SumatraPDF-3.4-64-install.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.tiff\OpenWithProgids	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.xps\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.prc	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.tif\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.tif	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.tga\shell\open\Icon = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.mobi\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.mobi\OpenWithProgids	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.azw\shell\open	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.azw3\shell\open	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.jpg	SumatraPDF-3.4-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.jpeg\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4-64-install.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	SumatraPDF-3.4-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.cb7\OpenWithProgids\SumatraPDF.cb7 = "0"	SumatraPDF-3.4-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\SumatraPDF.jpeg\shell\open	SumatraPDF-3.4-64-install.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SumatraPDF-3.4-64-install.exe

pid process

4384 SumatraPDF-3.4-64-install.exe
4384 SumatraPDF-3.4-64-install.exe

pid	process
4384	SumatraPDF-3.4-64-install.exe
4384	SumatraPDF-3.4-64-install.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SumatraPDF-3.4-64-install.exeexplorer.exe

description	pid	process	target process
PID 4384 wrote to memory of 2916	4384	SumatraPDF-3.4-64-install.exe	explorer.exe
PID 4384 wrote to memory of 2916	4384	SumatraPDF-3.4-64-install.exe	explorer.exe
PID 2308 wrote to memory of 5048	2308	explorer.exe	SumatraPDF.exe
PID 2308 wrote to memory of 5048	2308	explorer.exe	SumatraPDF.exe

C:\Users\Admin\AppData\Local\Temp\SumatraPDF-3.4-64-install.exe
"C:\Users\Admin\AppData\Local\Temp\SumatraPDF-3.4-64-install.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" "C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe"
2⤵
PID:2916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe
"C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe

Filesize
7.1MB

MD5
92cd610bc19dc7a462aa8ca52a8cf0cf

SHA1
6f2c728a604efa75302097e66aebb91bbd828f82

SHA256
1d24e11ea522c4bdbdb20b0f112fba5ceaa0e4eddf2227cf7310c8da4b123bbd

SHA512
54afab5f75fbbd3289f5ea106dff53df3e0547e05b0c31474165b18433c268ff6ee8f111ea0baffdc85c4a63b27df0102db884a48c3af1d53c7ec87e90770417

Download Submit
C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe

Filesize
7.1MB

MD5
92cd610bc19dc7a462aa8ca52a8cf0cf

SHA1
6f2c728a604efa75302097e66aebb91bbd828f82

SHA256
1d24e11ea522c4bdbdb20b0f112fba5ceaa0e4eddf2227cf7310c8da4b123bbd

SHA512
54afab5f75fbbd3289f5ea106dff53df3e0547e05b0c31474165b18433c268ff6ee8f111ea0baffdc85c4a63b27df0102db884a48c3af1d53c7ec87e90770417

Download Submit
C:\Users\Admin\AppData\Local\SumatraPDF\libmupdf.dll

Filesize
11.1MB

MD5
25e2080061c52a5dfeb7ed8e0ebc06a4

SHA1
29def96639dce75977729ca8e05f7a0ac9eb3af6

SHA256
2dde1f0d842a079853c771d558852f50367016d7f6ba53f5289a79225eca04ef

SHA512
2574000d2d7393633bb660acfc2b339b7ea701a1d88431414a27ab96589e280023ebf7dedcec7b9c5991624865524918f9fc9f221d4ebe6a37b729ee6f1b963f

Download Submit
C:\Users\Admin\AppData\Local\SumatraPDF\libmupdf.dll

Filesize
11.1MB

MD5
25e2080061c52a5dfeb7ed8e0ebc06a4

SHA1
29def96639dce75977729ca8e05f7a0ac9eb3af6

SHA256
2dde1f0d842a079853c771d558852f50367016d7f6ba53f5289a79225eca04ef

SHA512
2574000d2d7393633bb660acfc2b339b7ea701a1d88431414a27ab96589e280023ebf7dedcec7b9c5991624865524918f9fc9f221d4ebe6a37b729ee6f1b963f

Download Submit
memory/2916-132-0x0000000000000000-mapping.dmp

Download
memory/5048-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads