Overview

overview

5

Static

static

Doc Pdf Ex...s..scr

windows7-x64

5

Doc Pdf Ex...s..scr

windows10-2004-x64

5

Analysis

  • max time kernel
    60s
  • max time network
    79s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc Pdf Exploit Builder‮nls..scr

  • Size

    643KB

  • MD5

    9fd996ce42d667ba01c902124bf95f6d

  • SHA1

    db1a3b2fd8fafda32f8c7ebba0bbe76e0c89697d

  • SHA256

    b19cbd208fdf60f9b9318bf8c4a5615afa49d4c21bb9f620aad14fb8d60d892b

  • SHA512

    787b4e431f5e3c57dc466b39e240f94867a68b1d2bd261af5e7b62c2cda0c1f56991ec5ba57b4644bcb59fe80bace10c26dde6c9e15231421fc0c225cfb34633

  • SSDEEP

    6144:b7fQzevfWMppNRMaSzBro8brQhXKHvfg2R2dfhUQieNyiVRnWt09zE:PZRpN8JB4uXfRWmZeNyiVRnWO2

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doc Pdf Exploit Builder‮nls..scr
    "C:\Users\Admin\AppData\Local\Temp\Doc Pdf Exploit Builder‮nls..scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Cngtmwpdpyully-loader.sln
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Cngtmwpdpyully-loader.sln"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1152
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1312
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1928

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cngtmwpdpyully-loader.sln
      Filesize

      1KB

      MD5

      ab33cc57f33f9120678383c9152d07c3

      SHA1

      4be668b9403b67658d96748a93d03e6dbd9c7be0

      SHA256

      be9f6e5f8fde9fae7ef9166359430b063c25ffe21ed13218f07b7a668b915c8a

      SHA512

      78a15ed018c883372dee7f83e7db379551ec4a4b8f3838187c4d95da59b212291e2416bc4a5f188d1c20d8e580b0b6958011216f5026f59b0536b8a0643e0413

      Download Submit
    • memory/884-54-0x0000000000B70000-0x0000000000C16000-memory.dmp
      Filesize

      664KB

      Download
    • memory/884-55-0x0000000076411000-0x0000000076413000-memory.dmp
      Filesize

      8KB

      Download
    • memory/884-56-0x00000000045C0000-0x0000000004628000-memory.dmp
      Filesize

      416KB

      Download
    • memory/884-57-0x0000000000910000-0x000000000093C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/884-58-0x0000000004B80000-0x0000000004BCC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1152-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1312-64-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1312-62-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1312-66-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1312-68-0x0000000000403046-mapping.dmp
      Download
    • memory/1312-67-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1312-70-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1312-72-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1312-61-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1700-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1928-77-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp
      Filesize

      8KB

      Download