254ed5fed795e8ca481785c3190f428fef25ee0326bb6bbbe461078bd2cdfd43

General

Target

FoxitPDFReader121_enu_Setup_Prom.exe
Size

1.5MB
MD5

0578fb34cae800e8e048a20417743bd7
SHA1

c6deed315110ef67b5e465fd01fe5f7496b86975
SHA256

254ed5fed795e8ca481785c3190f428fef25ee0326bb6bbbe461078bd2cdfd43
SHA512

fee7dfa9fceb152f00c24c53b518d4e6546fa43d531f9b67dd09e9351fa20e07a9960e83263623c1b11b829261ec400b94deba78626a120b81679f06b40e6801
SSDEEP

24576:gWmAFubS6dt9McpUGUT/oe4PWroZP8ZLfywzD/XKBCxnBmthc4w:826dRpEk3PWroFwyGD/XK4zB

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1944	Engine.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012767-55.dat	upx
behavioral1/files/0x000a000000012767-57.dat	upx
behavioral1/memory/1944-65-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/1944-72-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
864	FoxitPDFReader121_enu_Setup_Prom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
456	powershell.exe
456	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	456	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1944	864	FoxitPDFReader121_enu_Setup_Prom.exe	27
PID 864 wrote to memory of 1944	864	FoxitPDFReader121_enu_Setup_Prom.exe	27
PID 864 wrote to memory of 1944	864	FoxitPDFReader121_enu_Setup_Prom.exe	27
PID 864 wrote to memory of 1944	864	FoxitPDFReader121_enu_Setup_Prom.exe	27
PID 864 wrote to memory of 1944	864	FoxitPDFReader121_enu_Setup_Prom.exe	27
PID 864 wrote to memory of 1944	864	FoxitPDFReader121_enu_Setup_Prom.exe	27
PID 864 wrote to memory of 1944	864	FoxitPDFReader121_enu_Setup_Prom.exe	27
PID 1944 wrote to memory of 2012	1944	Engine.exe	28
PID 1944 wrote to memory of 2012	1944	Engine.exe	28
PID 1944 wrote to memory of 2012	1944	Engine.exe	28
PID 1944 wrote to memory of 2012	1944	Engine.exe	28
PID 2012 wrote to memory of 1104	2012	CmD.exe	30
PID 2012 wrote to memory of 1104	2012	CmD.exe	30
PID 2012 wrote to memory of 1104	2012	CmD.exe	30
PID 2012 wrote to memory of 1104	2012	CmD.exe	30
PID 1104 wrote to memory of 456	1104	cmd.exe	31
PID 1104 wrote to memory of 456	1104	cmd.exe	31
PID 1104 wrote to memory of 456	1104	cmd.exe	31
PID 1104 wrote to memory of 456	1104	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\FoxitPDFReader121_enu_Setup_Prom.exe
"C:\Users\Admin\AppData\Local\Temp\FoxitPDFReader121_enu_Setup_Prom.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\SETUP_32152\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_32152\Engine.exe /TH_ID=_280 /OriginExe="C:\Users\Admin\AppData\Local\Temp\FoxitPDFReader121_enu_Setup_Prom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\CmD.exe
    C:\Windows\system32\CmD.exe /c cmd < 86
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SETUP_32152\00000#3

Filesize
1.2MB

MD5
c3d7a7077ac61967c03d78f73d5925ad

SHA1
6ffb2b4f3d0e896e8a38eab9b6388266e95a0575

SHA256
868f08fec86d4ee984bc9db15f5aaa2ded0d31449531541da4b63fcb760d91df

SHA512
30a05cada0d23975b569e91d5a9af862fccd356c6ab5973ae2b0c5253aefdff22f04486ce2a52e1c4b26e5832562a859f97aaf2ae22057f41c994c3d539f442c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32152\00001#47

Filesize
949KB

MD5
77743554e71702b538da21005bc096b5

SHA1
283040300491d93d44efb7d7b556316ce232efa7

SHA256
199268e64b5aea15529e70074532412477fd658c7a77e9ba9da6df6c98f4ef63

SHA512
344c2e3441322c5803d27379dfef649ae0b292f10f92b48ff401e3c266b9a8e17d95a9f29df090d45bb8fbbd4b587f229bbb1256ceba54b886355ccf4a8a3a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32152\00002#86

Filesize
14KB

MD5
2ca115bfaa3fdd9f4a4e3850902690fc

SHA1
58ecade34d9a8ec9e857503f4c482108b5702f07

SHA256
14a9e8cf38e1f350fd4a344fb1436da14f4b65b203675a12cb1e11d2f7d26028

SHA512
c7680240880b99264b76bd3498773581482642f23e7212b16a4943f5d08686e49d9c74cba0ba73def9b21ceba2d2f00ffefe4b11c0aa185a5ba46d06279a710e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32152\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32152\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_32152\Setup.txt

Filesize
2KB

MD5
ab4b5559c91d2906c70123bd673d0f47

SHA1
d24619a86ade578ad5b2c0a8364914c17dcd361b

SHA256
2b86387418740406f9f6b8c087168f9078ac7776c068b88e14b28d767d68a654

SHA512
7533db74ea6ae178ea458822c2eed6541c897119142d0fd0fd849cc1fd168214d1d6e183b39fc663574b413e5e83d283e98c5813e4f3619fc9ac935374d66b55

Download Submit
\Users\Admin\AppData\Local\Temp\SETUP_32152\Engine.exe

Filesize
392KB

MD5
a7a99a201774531d761f6aac2651a9df

SHA1
b122ae368c4bf103e959a6ebb54ddb310117ab96

SHA256
e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524

SHA512
056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1

Download Submit
memory/456-70-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/456-71-0x0000000073CA0000-0x000000007424B000-memory.dmp

Filesize
5.7MB

Download
memory/864-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/864-64-0x00000000020C0000-0x0000000002218000-memory.dmp

Filesize
1.3MB

Download
memory/1944-65-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1944-72-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing