2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0

General

Target

2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0.exe
Size

10.8MB
MD5

3996e7eb17533f55690da2b84ecab7c2
SHA1

2289a4e62cbf99fe87e0e3688123a6afad8f927e
SHA256

2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0
SHA512

f737071daf01ca8aff070e8f5c6d14566ee5af945aae0af9bd825112aef21e58a0ff800550b7764e52f28b4112607d1604dd113a881ffde4e31bbbd89c676ca2
SSDEEP

196608:Lg3Y8UpYCcME8DYz/rJzofv943JES94ND7/iqLFVziAlBwKkZY8LMp5:Lgo8BCc3KYzTJzofV43JEd7DzDBwKgo5

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0.exe

Executes dropped EXE 1 IoCs

Processes:

PDFShaper.exe

pid process

844 PDFShaper.exe
Loads dropped DLL 2 IoCs

Processes:

PDFShaper.exe

pid process

844 PDFShaper.exe
844 PDFShaper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
844	PDFShaper.exe

pid	process
844	PDFShaper.exe
844	PDFShaper.exe

Modifies registry class 29 IoCs

Processes:

PDFShaper.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\Programmable	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\FLAGS	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dmocx.dll"	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\FLAGS\ = "2"	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\ = "Wevini.Avatofa.Iqita Class"	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\InprocServer32\	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\0	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\HELPDIR\ = "C:\\Windows\\System32"	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\HELPDIR	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\HELPDIR\	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\Version\ = "1.0"	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\ = "ctv OLE Control module"	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\Version	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\0\win32\	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\FLAGS\	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\TypeLib\ = "{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}"	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\Version\	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\InprocServer32	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\InprocServer32\ = "C:\\Windows\\SysWOW64\\AppIdPolicyEngineApi.dll"	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\0\win32	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\TypeLib	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\TypeLib\	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7C95636-9E1A-43FC-04A6-83309AD2E4A4}\Programmable\	PDFShaper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0	PDFShaper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8F2813D-1B5A-1F1B-5DA7-05AC27255164}\1.0\0\	PDFShaper.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

PDFShaper.exe

pid process

844 PDFShaper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PDFShaper.exe

pid process

844 PDFShaper.exe

pid	process
844	PDFShaper.exe

pid	process
844	PDFShaper.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0.exe

description	pid	process	target process
PID 992 wrote to memory of 844	992	2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0.exe	PDFShaper.exe
PID 992 wrote to memory of 844	992	2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0.exe	PDFShaper.exe
PID 992 wrote to memory of 844	992	2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0.exe	PDFShaper.exe

C:\Users\Admin\AppData\Local\Temp\2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0.exe
"C:\Users\Admin\AppData\Local\Temp\2d2f1012f43bc35fcd7249fb77633e38438d633e5d8b731ef3182670f02a83b0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\Chinese.lng
Filesize
14KB

MD5
ca8c4f1166b5ac32316839b37af29a92

SHA1
e36ed0f83ddf057415b2f0c060ddd8f330efc9c2

SHA256
5dc6b984d188dc50a5cf30a16748e7b7d3a63ce1c5ed3efb8b412bbda27b2b10

SHA512
c4eea1a2deb9039a381dcd0c9ba58fe9967f48d00e4637e96c08e6c27d38153b27df2070e1686a5bc7f0cf2ad6c6dcf0a6ed2ca209d51e7071141c4965cd8f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
Filesize
8.9MB

MD5
dc61074e15febd61fc327a71fd5fd828

SHA1
dfbeb8f183890361de4a83aaf7b4ed5990db220d

SHA256
28d8cdb09a23eb63f0c7771b33b28c824e70c22f61732a496d1ee41704e67a10

SHA512
7fe2444819cfabcb711e5f09ab40db2dfc129f52066b1ce2c572708c30651391f21b7b5de758a0b7c3207e94d67795363d768aa4c73b6b5421d3158dbd2e14d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
Filesize
8.9MB

MD5
dc61074e15febd61fc327a71fd5fd828

SHA1
dfbeb8f183890361de4a83aaf7b4ed5990db220d

SHA256
28d8cdb09a23eb63f0c7771b33b28c824e70c22f61732a496d1ee41704e67a10

SHA512
7fe2444819cfabcb711e5f09ab40db2dfc129f52066b1ce2c572708c30651391f21b7b5de758a0b7c3207e94d67795363d768aa4c73b6b5421d3158dbd2e14d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
Filesize
8.9MB

MD5
dc61074e15febd61fc327a71fd5fd828

SHA1
dfbeb8f183890361de4a83aaf7b4ed5990db220d

SHA256
28d8cdb09a23eb63f0c7771b33b28c824e70c22f61732a496d1ee41704e67a10

SHA512
7fe2444819cfabcb711e5f09ab40db2dfc129f52066b1ce2c572708c30651391f21b7b5de758a0b7c3207e94d67795363d768aa4c73b6b5421d3158dbd2e14d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll
Filesize
540KB

MD5
a7ac79d567b99c4ffe76ff5e8c3eddf6

SHA1
d23cd4f3efd015dac51cd74e94e27fd82d6ccee5

SHA256
4970fc58e635873136d17cb8d34d8ee4cab40e82984fcf7e5f3d54da2a810928

SHA512
063eccdd21a0810573719285a17484b5f7c3704b219829b0ee0d55ffb6d94643e94bdd4aad06e5e536c4d5173313da9f8b05e2c00cd43204298bdd3371e78c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll
Filesize
540KB

MD5
a7ac79d567b99c4ffe76ff5e8c3eddf6

SHA1
d23cd4f3efd015dac51cd74e94e27fd82d6ccee5

SHA256
4970fc58e635873136d17cb8d34d8ee4cab40e82984fcf7e5f3d54da2a810928

SHA512
063eccdd21a0810573719285a17484b5f7c3704b219829b0ee0d55ffb6d94643e94bdd4aad06e5e536c4d5173313da9f8b05e2c00cd43204298bdd3371e78c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll
Filesize
540KB

MD5
a7ac79d567b99c4ffe76ff5e8c3eddf6

SHA1
d23cd4f3efd015dac51cd74e94e27fd82d6ccee5

SHA256
4970fc58e635873136d17cb8d34d8ee4cab40e82984fcf7e5f3d54da2a810928

SHA512
063eccdd21a0810573719285a17484b5f7c3704b219829b0ee0d55ffb6d94643e94bdd4aad06e5e536c4d5173313da9f8b05e2c00cd43204298bdd3371e78c04

Download Submit
memory/844-186-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/844-191-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/844-185-0x0000000003620000-0x0000000003680000-memory.dmp

Filesize
384KB

Download
memory/844-180-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/844-188-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/844-189-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/844-187-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/844-184-0x00000000034A0000-0x00000000035B6000-memory.dmp

Filesize
1.1MB

Download
memory/844-190-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/844-192-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download
memory/844-193-0x0000000003620000-0x0000000003680000-memory.dmp

Filesize
384KB

Download
memory/844-195-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/844-196-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/844-194-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/844-197-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads