hxxps://anonfile[.]com/v3n3ub1fn8/Instacash_pdf

Analysis

max time kernel
1606s
max time network
1611s
platform
windows7_x64
resource
win7-20220901-es
resource tags

arch:x64arch:x86image:win7-20220901-eslocale:es-esos:windows7-x64systemwindows
submitted
07/01/2023, 22:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://anonfile.com/v3n3ub1fn8/Instacash_pdf

Score

8^/10

link pdf

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	firefox.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x0008000000014ab1-55.dat	pdf_with_link_action

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Instacash.pdf:Zone.Identifier	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2404	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	firefox.exe
Token: SeDebugPrivilege	992	firefox.exe
Token: SeDebugPrivilege	992	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
992	firefox.exe
992	firefox.exe
992	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
992	firefox.exe
992	firefox.exe
992	firefox.exe
2404	AcroRd32.exe
2404	AcroRd32.exe
2404	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 628 wrote to memory of 992	628	firefox.exe	27
PID 992 wrote to memory of 1824	992	firefox.exe	29
PID 992 wrote to memory of 1824	992	firefox.exe	29
PID 992 wrote to memory of 1824	992	firefox.exe	29
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 852	992	firefox.exe	30
PID 992 wrote to memory of 1588	992	firefox.exe	31
PID 992 wrote to memory of 1588	992	firefox.exe	31
PID 992 wrote to memory of 1588	992	firefox.exe	31
PID 992 wrote to memory of 1588	992	firefox.exe	31
PID 992 wrote to memory of 1588	992	firefox.exe	31
PID 992 wrote to memory of 1588	992	firefox.exe	31
PID 992 wrote to memory of 1588	992	firefox.exe	31

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://anonfile.com/v3n3ub1fn8/Instacash_pdf
1⤵
- Suspicious use of WriteProcessMemory
PID:628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://anonfile.com/v3n3ub1fn8/Instacash_pdf
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.0.516238498\1937503584" -parentBuildID 20200403170909 -prefsHandle 1184 -prefMapHandle 1176 -prefsLen 1 -prefMapSize 220106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 992 "\\.\pipe\gecko-crash-server-pipe.992" 1248 gpu
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.3.216610059\493280697" -childID 1 -isForBrowser -prefsHandle 1768 -prefMapHandle 1764 -prefsLen 156 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 992 "\\.\pipe\gecko-crash-server-pipe.992" 1704 tab
    3⤵
    PID:852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.13.1836512697\1681568106" -childID 2 -isForBrowser -prefsHandle 2648 -prefMapHandle 2644 -prefsLen 6938 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 992 "\\.\pipe\gecko-crash-server-pipe.992" 2660 tab
    3⤵
    PID:1588

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Instacash.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\Instacash.pdf

Filesize
272KB

MD5
f3a51e1369eb46dcc23590616e3a8deb

SHA1
8207021c5ed9ff7c4f8b41961d045cc481cd8e76

SHA256
aa3c6ab78143b6b92f08d573631a38010cf3f108fc7904fdd9ad88c087bb594f

SHA512
2a41031260c9bf0a71214858ffddb7f2196d5a5a823b3af6c6bdd0c851769627f91ffea24b497e5c7cdaa40ab7403e6d4b78a6232383f5a18f8a1c380adb3821

Download Submit
memory/2404-54-0x0000000075691000-0x0000000075693000-memory.dmp

Filesize
8KB

Download