Overview

overview

7

Static

static

quickpdfme...xe.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    52s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/01/2023, 19:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    quickpdfmerger_ac669ee5798140229b36c7b4d19f566a_exe.exe

  • Size

    365KB

  • MD5

    da7b9fdfa5abae84596c5afc908d206e

  • SHA1

    dd63a3193bee9071743105846669aa0de465b1e0

  • SHA256

    41b1769574cf6f2e847e1aa34cec941260029fc72451ba554d8ab23cf5ef478a

  • SHA512

    cdf34405d9a64f3f7e3e86ba45aca2b7d2ee463df6e1f954db0648f00d41ff1780bcc6eebed795f50e7be583d2ce5f082d2cffd25576841375e3f82ee91ba1a4

  • SSDEEP

    6144:lbUTp1ufT7v+gbTFVGTM+/87wBeat1RAAx94DqoJz7xRXPRSDJikrHLAPS7EQRMm:lIefnfvw87wBe2Rf4DqoVPPRSDskrHMq

Score
7/10
discovery

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\quickpdfmerger_ac669ee5798140229b36c7b4d19f566a_exe.exe
    "C:\Users\Admin\AppData\Local\Temp\quickpdfmerger_ac669ee5798140229b36c7b4d19f566a_exe.exe"
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Windows\SysWOW64\Rundll32.exe
      "Rundll32.exe" "C:\Users\Admin\AppData\Local\QuickPDFMergerTooltab\TooltabExtension.dll",A -hp=http://hp.myway.com/quickpdfmerger/ttab02/index.html -ua="(Windows NT 10.0; Win64; MSIE 11.789; Build 19041; SP 0)" -ul=http://anx.mindspark.com/anx.gif?anxa=%251&anxe=%252&anxt=84B26473-24AE-4745-A4D1-804C69AAE01B&anxtv=2.8.1.1000&anxp=^CQO^mni000^TTAB02&anxsi=&anxv=%253&anxd=2023-01-05&anxr=%254 -hu=SHOW
      2⤵
      • Loads dropped DLL
      PID:3484
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:672
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1496 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1060
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1496 CREDAT:17416 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3232

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
            Filesize

            717B

            MD5

            ec8ff3b1ded0246437b1472c69dd1811

            SHA1

            d813e874c2524e3a7da6c466c67854ad16800326

            SHA256

            e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

            SHA512

            e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
            Filesize

            471B

            MD5

            959c18de8ca7ac55d52ee614ad340dba

            SHA1

            8ed45204712868eac5491c7625c9a5375e7eae2c

            SHA256

            f0a1dbda8b1b50450f4a6f0fa73d7fe4808ad8c29f122772bf3ec520c32b0910

            SHA512

            1afd793f88937c6dba979f15c70531f90b1d0388d491ab6f0691aeb6b0fb594a0e8b5d4e8639c9d601d77c1af749fe84b87bde23f81feeeee6177a59570ebf21

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
            Filesize

            192B

            MD5

            b208a41f33d21adcc09656e76dbd346c

            SHA1

            9fd612e1f73fc5034b33083ae311fd1f5099ff2f

            SHA256

            0abd4f98be8b30cd9fec5996e15e6e60d4340967439a5920badafd0bef3819dd

            SHA512

            33d52c1f88449969c70e9be470388864361005d29db8df3a791664e493a2a81355671c9bb082b7f65c0ea1783f71a6bd35ed01324ff649967a908298e07074a6

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
            Filesize

            434B

            MD5

            b8bbe4a92e869e5e516fcb83358d7a56

            SHA1

            a460763d1c24302a39371948cb1b23c2491b1c45

            SHA256

            d2b57f06077189c19d7534bbf7a312f8f12c84381d28eea9267dd7d86f0fac0c

            SHA512

            f6e5c3e0e8c0c971ffc5a8268e0e2a8fd9204b137547ae7057956b457b1f47f42e243583d8b6deeee2ec78836c021befd762c5c941828e737503e63dfaff6212

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3mhxqpl\imagestore.dat
            Filesize

            1KB

            MD5

            4f4d330a6680d687636156c6a23a1ee1

            SHA1

            6117e66f6ae978308e4ea56088ffadfed3d5daff

            SHA256

            04743f1637fc2bb8457ed2f2529cb12a718a194b4dd185175239ff3d8ea2599e

            SHA512

            5939a9cd7aa4db4d2950426d40d73849b58ae2633dac98279c88ab667ada7c716b18877964c2e96a45d3de26f4269a60a357de1d17e4d35123ccc1de4a6d51aa

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3mhxqpl\imagestore.dat
            Filesize

            2KB

            MD5

            57a3b3bb0a3b697edb79889e46ce5c43

            SHA1

            dcaa9fe679d9d28adad9fe55ea0e91d99c3ca1ed

            SHA256

            79877068d65c5989c5124a415a2b9988c4b9fe1a97f1dd4d8db40c5a65214f5c

            SHA512

            7df1c6a9f1d8d7f4648e0130c801cd66ca2f06d6a011ea84ab644df15b74d7c4a75dd7def4ae9fe2eff77b4e692765344aabc05daf7c16c3a544ac1e68689baa

            Download Submit

          • C:\Users\Admin\AppData\Local\QuickPDFMergerTooltab\TooltabExtension.dll
            Filesize

            260KB

            MD5

            bc960383d1656e444bb0037a74bd5185

            SHA1

            64f5f422ecf4356dc28ac94fbe39d3337d6f658f

            SHA256

            8a9ce7852f05b574249e4f671d155297632aa563dd26b79695120801ac97e1fc

            SHA512

            91345f87d87c6688ea3ccf48657c1c8fc60daf9500139c0cdcbc36af842880bb363d434eeb5c37cf7e322cf7ed890a9327217fe0d31ca1de34dd8ec0683091ca

            Download Submit

          • C:\Users\Admin\AppData\Local\QuickPDFMergerTooltab\TooltabExtension.dll
            Filesize

            260KB

            MD5

            bc960383d1656e444bb0037a74bd5185

            SHA1

            64f5f422ecf4356dc28ac94fbe39d3337d6f658f

            SHA256

            8a9ce7852f05b574249e4f671d155297632aa563dd26b79695120801ac97e1fc

            SHA512

            91345f87d87c6688ea3ccf48657c1c8fc60daf9500139c0cdcbc36af842880bb363d434eeb5c37cf7e322cf7ed890a9327217fe0d31ca1de34dd8ec0683091ca

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsb5838.tmp\System.dll
            Filesize

            11KB

            MD5

            7399323923e3946fe9140132ac388132

            SHA1

            728257d06c452449b1241769b459f091aabcffc5

            SHA256

            5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

            SHA512

            d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsb5838.tmp\nsDialogs.dll
            Filesize

            182KB

            MD5

            069a101bebdfb14e86993cf75b84daae

            SHA1

            37d0cbdea012a7a6811162465d77d4fe7355fc6f

            SHA256

            83207332e588690d6df3c0a50325c943e6fcc51a4af0ab74e357bd94c99c29b8

            SHA512

            3a03ab6bfc5bd766b252583fceb1aedc0a7ec967af38d453740f088b3a979ac006016c010ecd51d49c617adfa927310cd84bd7bf14919f2867f71961763530da

            Download Submit