Analysis
max time kernel
142s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted
30-05-2023 00:53
Static task
static1
Behavioral task
behavioral1
Sample
dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe
Resource
win10v2004-20230221-en
General
-
Target
dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe
-
Size
9.7MB
-
MD5
16580c434b7083e7da7fdc22f2d16065
-
SHA1
db9561a05664246e6f48099a8c3cfd84be651225
-
SHA256
dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15
-
SHA512
9a4aba470c5e08be5669ea2642aebb26e2ef6a720d00845fe8ecacfc102e737f632087aca845e3f0a928537747ba1452d1e099760f2473f1676dba6934497516
-
SSDEEP
196608:9gUZI+hwgToID8BSbPn2yE805Kv8E2XN1gEFmqt05j1i44h6/Tk+9WB:9gUZIgcqbK8NvAXN1grSLMTF9c
Malware Config
Signatures
-
YARA rule match (aspack_v212_v242) 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll | aspack_v212_v242
The rule identifies the ASPack packer (versions 2.12 to 2.42) on the dropped DLL. A packer hit says the file is compressed, not that it is malicious; commercial software often ships ASPack-packed components, so weigh it together with the rest of the report.
Executes dropped EXE 1 IoCs
Processes:
pid | process
1768 | PDFShaper.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1344 | dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1768 | PDFShaper.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1768 | PDFShaper.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | process | target process
PID 1344 wrote to memory of 1768 | 1344 | dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe | PDFShaper.exe
(the same entry is reported four times)
All four writes go from the SFX stub (1344) into the child it has just spawned (1768). That is also what an ordinary CreateProcess looks like under this hook, so on its own it is weak evidence of injection; the process tree below is the stronger signal.
Processes
- C:\Users\Admin\AppData\Local\Temp\dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe"
  PID: 1344 (depth 1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe"
    PID: 1768 (depth 2, child of 1344)
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
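The chain above (a 7-Zip SFX stub writes PDFShaper.exe and pdfspr.dll into %TEMP%\7ZipSfx.000\, loads the DLL, then launches the EXE) is the part of this report worth turning into detection logic. The following is an added example, not code from the sandbox report or from any tool it names. The event stream is constructed to mirror the report's PIDs, paths and SHA-256 values; the event schema (keys "id", "pid", "ppid", "image", "target", "sha256") is an assumption loosely modelled on Sysmon event IDs 1, 7 and 11, and the unrelated notepad.exe launch is included only to show the rule stays quiet on it.

```python
"""Flag processes started from a file their own parent just dropped into a
7ZipSfx.NNN staging directory, and record dropped DLLs the parent loaded.

Added example, not part of the sandbox report. The event schema is an
assumption (Sysmon-like: 1 = process create, 7 = image load, 11 = file
create); adapt the field names to your own telemetry.
"""
import re

# Staging directory pattern as seen in the report: 7ZipSfx.NNN under %TEMP%.
SFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\7ZipSfx\.\d{3}\\", re.IGNORECASE)

# SHA-256 values taken from the Downloads section of the report.
KNOWN_DROPPED = {
    "70d11dcf00b1e21e5aeef8c04e36b9e562ecd0ca7c89de206d73b2014ee664f9": "PDFShaper.exe",
    "7d321b6919b08028ede3c3a7a6f42a85ba578569ffa8f5556fa40929784676a2": "pdfspr.dll",
    "2fd8a2ed2ae09c56625a1f47c1bb70abd1fccff56751b4ec4201fe9854ac8622": "Chinese.lng",
}

STUB = r"C:\Users\Admin\AppData\Local\Temp\dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe"
STAGE = r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper"

# Constructed event stream (not real telemetry), ordered as the sandbox saw it.
EVENTS = [
    {"id": 1, "pid": 1344, "ppid": 600, "image": STUB,
     "sha256": "dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15"},
    {"id": 11, "pid": 1344, "target": STAGE + r"\Chinese.lng",
     "sha256": "2fd8a2ed2ae09c56625a1f47c1bb70abd1fccff56751b4ec4201fe9854ac8622"},
    {"id": 11, "pid": 1344, "target": STAGE + r"\PDFShaper.exe",
     "sha256": "70d11dcf00b1e21e5aeef8c04e36b9e562ecd0ca7c89de206d73b2014ee664f9"},
    {"id": 11, "pid": 1344, "target": STAGE + r"\pdfspr.dll",
     "sha256": "7d321b6919b08028ede3c3a7a6f42a85ba578569ffa8f5556fa40929784676a2"},
    {"id": 7, "pid": 1344, "image": STAGE + r"\pdfspr.dll"},
    {"id": 1, "pid": 1768, "ppid": 1344, "image": STAGE + r"\PDFShaper.exe",
     "sha256": "70d11dcf00b1e21e5aeef8c04e36b9e562ecd0ca7c89de206d73b2014ee664f9"},
    # Unrelated process; must not produce a hit.
    {"id": 1, "pid": 2000, "ppid": 600, "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "0" * 64},
]


def find_sfx_chains(events):
    """Return one record per drop-and-execute chain.

    A chain is a process-create event whose image lives in a 7ZipSfx.NNN
    directory AND was written there earlier by the new process's parent.
    DLLs the parent loaded from files it dropped are reported alongside.
    """
    dropped = {}   # (writer pid, lowercased path) -> file-create event
    loaded = {}    # pid -> set of dropped DLL paths that pid loaded
    chains = []
    for ev in events:
        if ev["id"] == 11 and SFX_DIR.search(ev["target"]):
            dropped[(ev["pid"], ev["target"].lower())] = ev
        elif ev["id"] == 7 and (ev["pid"], ev["image"].lower()) in dropped:
            loaded.setdefault(ev["pid"], set()).add(ev["image"])
        elif ev["id"] == 1 and SFX_DIR.search(ev["image"]):
            key = (ev["ppid"], ev["image"].lower())
            if key not in dropped:
                continue  # in an SFX dir, but not written by this parent
            chains.append({
                "parent_pid": ev["ppid"],
                "child_pid": ev["pid"],
                "child_image": ev["image"],
                "child_sha256": ev["sha256"],
                "known_as": KNOWN_DROPPED.get(ev["sha256"]),
                "hash_matches_dropped_file": dropped[key]["sha256"] == ev["sha256"],
                "parent_loaded_dropped_dlls": sorted(loaded.get(ev["ppid"], ())),
            })
    return chains


if __name__ == "__main__":
    for chain in find_sfx_chains(EVENTS):
        print(chain)
```

The parent-pid check is what keeps this from firing on every program that happens to run out of a temp directory: the writer of the file and the parent of the new process have to be the same PID, which is exactly the 1344 to 1768 relationship the report shows. The hash comparison between the file-create and process-create events guards against the file being swapped between drop and launch.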
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\Chinese.lng
Filesize 14KB
MD5 a4e8d507a6be3e9d64060aaef22f36f9
SHA1 89c89a2de7bf05037c9c19c9b9fd5cbabf02c5c6
SHA256 2fd8a2ed2ae09c56625a1f47c1bb70abd1fccff56751b4ec4201fe9854ac8622
SHA512 97229ca4846e04719b436ee63d501c3d5f1ebaedc26e6bc6746200aae2548e5a585cb0d87337654f40165fc3ae0c5ce6cf8a2b3b66e9139fd89cd27aecae9529
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
Filesize 9.0MB
MD5 83883342a32f298ebf9d11bb5e493e91
SHA1 d57a956650f6f3cb150a124adfd98d92d343957a
SHA256 70d11dcf00b1e21e5aeef8c04e36b9e562ecd0ca7c89de206d73b2014ee664f9
SHA512 3641bb0a4da4ac173e305b57e3423c00bebd190c663792433be985621970cfa551be467f33e3cd05824313bb6dc3ff428fad74829e7b9efe9447f3a536a5d89d
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll
Filesize 539KB
MD5 e7a92c669e040b925210d2afee5843d1
SHA1 89bbc47bf1f8f3873c09d37f12209d3fa5cc8590
SHA256 7d321b6919b08028ede3c3a7a6f42a85ba578569ffa8f5556fa40929784676a2
SHA512 2e1547580129ea2b6fc1dc450c5d3a33483a7dcd4d1be7322f2f6d063d1f3cba20a042c6af2a5cede0051bbd0d361b7054efd5f48388c05a4b9cbe9b011fc009
-
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
Filesize 9.0MB
MD5 83883342a32f298ebf9d11bb5e493e91
SHA1 d57a956650f6f3cb150a124adfd98d92d343957a
SHA256 70d11dcf00b1e21e5aeef8c04e36b9e562ecd0ca7c89de206d73b2014ee664f9
SHA512 3641bb0a4da4ac173e305b57e3423c00bebd190c663792433be985621970cfa551be467f33e3cd05824313bb6dc3ff428fad74829e7b9efe9447f3a536a5d89d
-
memory/1768-97-0x0000000000230000-0x0000000000231000-memory.dmp
Filesize 4KB
-
memory/1768-100-0x0000000000400000-0x0000000000EB6000-memory.dmp
Filesize 10.7MB