aacaf8cdd33492631621ef0d6d741dacb65fecfdb1e18da648c2474f76a4a427

General

Target

SumatraPDF-3.4.6-64-install.exe
Size

7.1MB
MD5

5825a6110accced8f5580207c94e2805
SHA1

ec3e46a43e95e4d1f3380f3022ebcbbef49d27af
SHA256

aa79391c7db478fbb969875da39ce09e3e8124b869acc3178f5b6a3b4e10d5ce
SHA512

0b5cef31e7e29337f45502977b0c3293c0041133c353962bf6836ec314ddd474701834d270fa891b1dc2fbecdeab4cde2fa9483f264dc166a86a8ee0d654472e
SSDEEP

196608:gGWpkdKiynKtTuSyM1MeRk9BqHtLKpfX/TL1LKo+7SH94WSv8:6SDXtTrTRk9ButLKpP//1LKo+7SKvv8

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SumatraPDF.exe

pid process

4116 SumatraPDF.exe
Loads dropped DLL 1 IoCs

Processes:

SumatraPDF.exe

pid process

4116 SumatraPDF.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4116	SumatraPDF.exe

pid	process
4116	SumatraPDF.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SumatraPDF-3.4.6-64-install.exeSumatraPDF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	SumatraPDF-3.4.6-64-install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString	SumatraPDF-3.4.6-64-install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SumatraPDF-3.4.6-64-install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SumatraPDF-3.4.6-64-install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	SumatraPDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString	SumatraPDF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SumatraPDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SumatraPDF.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SumatraPDF-3.4.6-64-install.exeSumatraPDF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SumatraPDF-3.4.6-64-install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	SumatraPDF-3.4.6-64-install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SumatraPDF-3.4.6-64-install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SumatraPDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	SumatraPDF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SumatraPDF.exe

Modifies registry class 64 IoCs

Processes:

SumatraPDF-3.4.6-64-install.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.djvu\OpenWithProgids\SumatraPDF.djvu = "0"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.mobi\shell\open	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.epub\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.azw\shell\open\command	SumatraPDF-3.4.6-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.tiff\OpenWithProgids\SumatraPDF.tiff = "0"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.cb7\DefaultIcon	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.cb7\shell\open\command	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.tif\Application	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.tif	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.png\OpenWithProgids	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.jpeg\ = "JPEG File"	SumatraPDF-3.4.6-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.jpeg\OpenWithProgids\SumatraPDF.jpeg = "0"	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.pdf\Content Type = "application/pdf"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.cbz\shell	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.chm\Application\ApplicationName = "SumatraPDF"	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.mobi\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.azw	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.fb2z\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.tiff\Application\ApplicationCompany = "Krzysztof Kowalczyk"	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.pdf\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.pdf\shell\PrintTo\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" -print-to \"%2\" \"%1\""	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.xps	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.cbt\ = "CBT File"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.chm\Application	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.epub\DefaultIcon	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.epub\shell	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.azw4	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.fb2\shell	SumatraPDF-3.4.6-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.fb2\OpenWithProgids\SumatraPDF.fb2 = "0"	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.jp2\Application\ApplicationCompany = "Krzysztof Kowalczyk"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.jp2\shell	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.xps\shell\open	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.gif\OpenWithProgids	SumatraPDF-3.4.6-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.cbt\OpenWithProgids\SumatraPDF.cbt = "0"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.djvu	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.mobi\shell	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.fb2z\shell\open	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.prc\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe\" \"%1\""	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.tif\shell\open\Icon = "C:\\Users\\Admin\\AppData\\Local\\SumatraPDF\\SumatraPDF.exe"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.tiff	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.jpg\Application	SumatraPDF-3.4.6-64-install.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\PersistentHandler	SumatraPDF-3.4.6-64-install.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.png	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.cbt\Application	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.fb2z\Application	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.tiff	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf"	SumatraPDF-3.4.6-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.pdf\OpenWithProgids\SumatraPDF.pdf = "0"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.azw	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.prc\shell\open\command	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.jpeg\Application	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.cbr\Application	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.jpeg	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.pdf\shell\open	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.epub\Application\ApplicationCompany = "Krzysztof Kowalczyk"	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.azw3\Application\ApplicationName = "SumatraPDF"	SumatraPDF-3.4.6-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.prc\OpenWithProgids\SumatraPDF.prc = "0"	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.png\Application\ApplicationCompany = "Krzysztof Kowalczyk"	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.jpg\Application\ApplicationCompany = "Krzysztof Kowalczyk"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.jpeg\DefaultIcon	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.jpeg\shell\open	SumatraPDF-3.4.6-64-install.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\.gif\OpenWithProgids\SumatraPDF.gif = "0"	SumatraPDF-3.4.6-64-install.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.cbr	SumatraPDF-3.4.6-64-install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\SumatraPDF.cbr\ = "CBR File"	SumatraPDF-3.4.6-64-install.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SumatraPDF-3.4.6-64-install.exe

pid process

1220 SumatraPDF-3.4.6-64-install.exe
1220 SumatraPDF-3.4.6-64-install.exe

pid	process
1220	SumatraPDF-3.4.6-64-install.exe
1220	SumatraPDF-3.4.6-64-install.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SumatraPDF-3.4.6-64-install.exeexplorer.exe

description	pid	process	target process
PID 1220 wrote to memory of 3724	1220	SumatraPDF-3.4.6-64-install.exe	explorer.exe
PID 1220 wrote to memory of 3724	1220	SumatraPDF-3.4.6-64-install.exe	explorer.exe
PID 2788 wrote to memory of 4116	2788	explorer.exe	SumatraPDF.exe
PID 2788 wrote to memory of 4116	2788	explorer.exe	SumatraPDF.exe

C:\Users\Admin\AppData\Local\Temp\SumatraPDF-3.4.6-64-install.exe
"C:\Users\Admin\AppData\Local\Temp\SumatraPDF-3.4.6-64-install.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" "C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe"
2⤵
PID:3724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe
"C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe

Filesize
7.1MB

MD5
5825a6110accced8f5580207c94e2805

SHA1
ec3e46a43e95e4d1f3380f3022ebcbbef49d27af

SHA256
aa79391c7db478fbb969875da39ce09e3e8124b869acc3178f5b6a3b4e10d5ce

SHA512
0b5cef31e7e29337f45502977b0c3293c0041133c353962bf6836ec314ddd474701834d270fa891b1dc2fbecdeab4cde2fa9483f264dc166a86a8ee0d654472e

Download Submit
C:\Users\Admin\AppData\Local\SumatraPDF\SumatraPDF.exe

Filesize
7.1MB

MD5
5825a6110accced8f5580207c94e2805

SHA1
ec3e46a43e95e4d1f3380f3022ebcbbef49d27af

SHA256
aa79391c7db478fbb969875da39ce09e3e8124b869acc3178f5b6a3b4e10d5ce

SHA512
0b5cef31e7e29337f45502977b0c3293c0041133c353962bf6836ec314ddd474701834d270fa891b1dc2fbecdeab4cde2fa9483f264dc166a86a8ee0d654472e

Download Submit
C:\Users\Admin\AppData\Local\SumatraPDF\libmupdf.dll

Filesize
11.1MB

MD5
3f86ec8c34bf38425ab76255c33485ba

SHA1
a1cc5894beb7cf3e9d1a0a7c3a570fb091ad50a1

SHA256
d8210ac1cb117a92a60794378b73931a233ba71958ea06f1e6382894ce9ef261

SHA512
7227906048c5f0aa22626629fab73986158e9077bcaa6f2a9f2b84196ecdd9a4b21ee360b9da7b1372d24462c7da12b9032747e2681199f4c4d758e5b3e8e5dd

Download Submit
C:\Users\Admin\AppData\Local\SumatraPDF\libmupdf.dll

Filesize
11.1MB

MD5
3f86ec8c34bf38425ab76255c33485ba

SHA1
a1cc5894beb7cf3e9d1a0a7c3a570fb091ad50a1

SHA256
d8210ac1cb117a92a60794378b73931a233ba71958ea06f1e6382894ce9ef261

SHA512
7227906048c5f0aa22626629fab73986158e9077bcaa6f2a9f2b84196ecdd9a4b21ee360b9da7b1372d24462c7da12b9032747e2681199f4c4d758e5b3e8e5dd

Download Submit
memory/3724-132-0x0000000000000000-mapping.dmp

Download
memory/4116-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads