Overview

overview

3

Static

static

3

Material.pdf

windows7-x64

3

Material.pdf

windows10-2004-x64

1

Resubmissions

25-01-2023 13:46

230125-q3dq6sge75 8

25-01-2023 13:44

230125-q1t1dage67 3

Analysis

  • max time kernel
    73s
  • max time network
    75s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-01-2023 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Material.pdf

  • Size

    350KB

  • MD5

    72c812cf21909a48eb9cceb9e04b865d

  • SHA1

    2dc265f23be4cf7cda328bdf5826601cf4f4bf43

  • SHA256

    39fb927c32221134a423760c5d1f58bca4cbbcc87c891c79e390a22b63608eb4

  • SHA512

    dd246487f348dbba52c7dfaae3f943b0324414c182e0de862db7d23e82ab5362c21b8733cf84af466529c631938fc544d96d78c51ea4330877993e9da7e5cbd3

  • SSDEEP

    6144:zB1De0g/RC7lTqMAwraJOZMtXEHJGPSgwsTx/xE99jvQrZqZDxlK0oZ9TK2A6CO8:6+lq1wWAZMtUHJGPksFJYtdlK5TXuWM

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Material.pdf"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://a.pomf.cat/hgfetb.R11
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1792
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\hgfetb.R11
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:780
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\hgfetb.R11"
          4⤵
            PID:1512
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\hgfetb.R11"
          3⤵
            PID:536
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\hgfetb.R11
            3⤵
              PID:968
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://a.pomf.cat/hgfetb.R11
            2⤵
              PID:1304

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            61KB

            MD5

            fc4666cbca561e864e7fdf883a9e6661

            SHA1

            2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

            SHA256

            10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

            SHA512

            c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            Filesize

            342B

            MD5

            7f784809fb7355ef88253e873eaa5a18

            SHA1

            a9c4a029136174c7f00235240ca8af9a986496f6

            SHA256

            5a8551e13e4185a0e66c2eca2b9856c98430a705ae0cfe475ec0500159faab6c

            SHA512

            898e5eeb8ebeafb8fe25185975fa61b6f088c20231cd40ec82a09a5792d7a9548c08e152f858f20362120a233d7011b7a8f2c7e6940adacc71832c958493acf4

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\hgfetb.R11.xlx65cz.partial
            Filesize

            813KB

            MD5

            26323ec2ddb6ed0211dcfcac34409697

            SHA1

            3fab9d3b6782d12e1ac723e83095918d934f90b8

            SHA256

            8fe2456322a912436f60adb6ca18f068c86a76004849fcaf03cb160158e50031

            SHA512

            fbf193195fa0bf7ffe7e4b3595e0e8d3cf6d1f6b9664a75c6dc666f3c2e813cdca0dae31879ab17ea27712fbd255c33536b002710f3539e241484c68c32f7832

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5CB21YYZ.txt
            Filesize

            608B

            MD5

            23d57b074fa4c771886369d237f77e08

            SHA1

            fe8792239fde734f2921676761d7a5aaf6cc7654

            SHA256

            a636e55dad70ab9e3173f6bc8548fa7796eef21297317e651879f099c23f8a37

            SHA512

            68edc8c71cb2d00040d099fd1a182c2177a7deb253e853b0998589b7e89c59edfedf676cea78e50eb2744c65e68ec17206c816372064bce8db476d3fb28be309

            Download Submit
          • C:\Users\Admin\Downloads\hgfetb.R11.vwuvkn6.partial
            Filesize

            813KB

            MD5

            26323ec2ddb6ed0211dcfcac34409697

            SHA1

            3fab9d3b6782d12e1ac723e83095918d934f90b8

            SHA256

            8fe2456322a912436f60adb6ca18f068c86a76004849fcaf03cb160158e50031

            SHA512

            fbf193195fa0bf7ffe7e4b3595e0e8d3cf6d1f6b9664a75c6dc666f3c2e813cdca0dae31879ab17ea27712fbd255c33536b002710f3539e241484c68c32f7832

            Download Submit
          • memory/536-61-0x0000000000000000-mapping.dmp
            Download
          • memory/780-56-0x0000000000000000-mapping.dmp
            Download
          • memory/780-57-0x000007FEFB831000-0x000007FEFB833000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1512-58-0x0000000000000000-mapping.dmp
            Download
          • memory/1996-54-0x0000000076031000-0x0000000076033000-memory.dmp
            Filesize

            8KB

            Download