Analysis
max time kernel: 31s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 17-02-2023 02:00
Static task: static1
Behavioral task: behavioral1
  Sample: 390e0e2b14e5ba0cd0c4380cd228a2b71f8943cf7fff908e9125ede868168ec1.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 390e0e2b14e5ba0cd0c4380cd228a2b71f8943cf7fff908e9125ede868168ec1.exe
  Resource: win10v2004-20220812-en
General
Target: 390e0e2b14e5ba0cd0c4380cd228a2b71f8943cf7fff908e9125ede868168ec1.exe
Size: 10.6MB
MD5: 815de73dc2d4c2bea8952aab00a554e9
SHA1: 8431925184dfe4dfba9580fc86b9ba6720c084fb
SHA256: 390e0e2b14e5ba0cd0c4380cd228a2b71f8943cf7fff908e9125ede868168ec1
SHA512: af5d53b1d5c30fec0b52ae3a6ded5396174425cdedd497b5e81f64c6fc1c10390f1f475cc38998c29148e65064de917edcf1c514a166173d84681d0a2f4d9284
SSDEEP: 196608:Lgl3d+nF3BwUIpv1qlAbHFWnvewYfk/wlDA4+7zfqr6Z9WtMKwtyZNl5H9Mw:Lgl3d+FxKqlQHJHVJuzfqE2hBZZdZ
Malware Config
Signatures
-
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll: aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll: aspack_v212_v242
Executes dropped EXE (1 IoC)
Processes (pid / process):
  596: PDFShaper.exe
Loads dropped DLL (2 IoCs)
Processes (pid / process):
  1112: 390e0e2b14e5ba0cd0c4380cd228a2b71f8943cf7fff908e9125ede868168ec1.exe
  596: PDFShaper.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class (33 IoCs)
Processes (description / ioc; all by PDFShaper.exe):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\0\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\FLAGS\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\InprocServer32\
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\0
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\HELPDIR
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\TypeLib
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\VersionIndependentProgID\
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\InprocServer32
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\ProgID\ = "Sapi.SpInprocRecognizer.1"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\FLAGS\ = "0"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\ = "Xademas Komog Axonepin Class"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\ = "Groove UI Framework Win32 1.0 Type Library"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\0\win32\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\HELPDIR\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\ProgID
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\0\win32
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\85"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\TypeLib\ = "{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\VersionIndependentProgID
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\Version
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\Version\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\VersionIndependentProgID\ = "Sapi.SpInprocRecognizer"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\ProgID\
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{866AE3B2-6F4E-57B1-5793-942AAD7E1A50}\1.0\FLAGS
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\TypeLib\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4F717AA-E212-4B16-93AC-EEE2618BED0D}\Version\ = "5.4"
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid / process):
  596: PDFShaper.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
  596: PDFShaper.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description / pid / process / target process), the same event reported 4 times:
  PID 1112 wrote to memory of 596: 390e0e2b14e5ba0cd0c4380cd228a2b71f8943cf7fff908e9125ede868168ec1.exe -> PDFShaper.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\390e0e2b14e5ba0cd0c4380cd228a2b71f8943cf7fff908e9125ede868168ec1.exe (PID 1112)
   Command line: "C:\Users\Admin\AppData\Local\Temp\390e0e2b14e5ba0cd0c4380cd228a2b71f8943cf7fff908e9125ede868168ec1.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe (PID 596, child of PID 1112)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\Chinese.lng
  Filesize: 14KB
  MD5: ca8c4f1166b5ac32316839b37af29a92
  SHA1: e36ed0f83ddf057415b2f0c060ddd8f330efc9c2
  SHA256: 5dc6b984d188dc50a5cf30a16748e7b7d3a63ce1c5ed3efb8b412bbda27b2b10
  SHA512: c4eea1a2deb9039a381dcd0c9ba58fe9967f48d00e4637e96c08e6c27d38153b27df2070e1686a5bc7f0cf2ad6c6dcf0a6ed2ca209d51e7071141c4965cd8f33
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
  Filesize: 8.9MB
  MD5: dc61074e15febd61fc327a71fd5fd828
  SHA1: dfbeb8f183890361de4a83aaf7b4ed5990db220d
  SHA256: 28d8cdb09a23eb63f0c7771b33b28c824e70c22f61732a496d1ee41704e67a10
  SHA512: 7fe2444819cfabcb711e5f09ab40db2dfc129f52066b1ce2c572708c30651391f21b7b5de758a0b7c3207e94d67795363d768aa4c73b6b5421d3158dbd2e14d4
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll
  Filesize: 540KB
  MD5: a7ac79d567b99c4ffe76ff5e8c3eddf6
  SHA1: d23cd4f3efd015dac51cd74e94e27fd82d6ccee5
  SHA256: 4970fc58e635873136d17cb8d34d8ee4cab40e82984fcf7e5f3d54da2a810928
  SHA512: 063eccdd21a0810573719285a17484b5f7c3704b219829b0ee0d55ffb6d94643e94bdd4aad06e5e536c4d5173313da9f8b05e2c00cd43204298bdd3371e78c04
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
  Filesize: 8.9MB
  MD5: dc61074e15febd61fc327a71fd5fd828
  SHA1: dfbeb8f183890361de4a83aaf7b4ed5990db220d
  SHA256: 28d8cdb09a23eb63f0c7771b33b28c824e70c22f61732a496d1ee41704e67a10
  SHA512: 7fe2444819cfabcb711e5f09ab40db2dfc129f52066b1ce2c572708c30651391f21b7b5de758a0b7c3207e94d67795363d768aa4c73b6b5421d3158dbd2e14d4
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll
  Filesize: 540KB
  MD5: a7ac79d567b99c4ffe76ff5e8c3eddf6
  SHA1: d23cd4f3efd015dac51cd74e94e27fd82d6ccee5
  SHA256: 4970fc58e635873136d17cb8d34d8ee4cab40e82984fcf7e5f3d54da2a810928
  SHA512: 063eccdd21a0810573719285a17484b5f7c3704b219829b0ee0d55ffb6d94643e94bdd4aad06e5e536c4d5173313da9f8b05e2c00cd43204298bdd3371e78c04
-
memory/596-56-0x0000000000000000-mapping.dmp
-
memory/596-60-0x0000000074821000-0x0000000074823000-memory.dmp
  Filesize: 8KB
-
memory/596-63-0x0000000004770000-0x0000000004886000-memory.dmp
  Filesize: 1.1MB
-
memory/596-64-0x00000000048F0000-0x0000000004950000-memory.dmp
  Filesize: 384KB
-
memory/1112-54-0x00000000760D1000-0x00000000760D3000-memory.dmp
  Filesize: 8KB