dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2023 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe
Size

9.7MB
MD5

16580c434b7083e7da7fdc22f2d16065
SHA1

db9561a05664246e6f48099a8c3cfd84be651225
SHA256

dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15
SHA512

9a4aba470c5e08be5669ea2642aebb26e2ef6a720d00845fe8ecacfc102e737f632087aca845e3f0a928537747ba1452d1e099760f2473f1676dba6934497516
SSDEEP

196608:9gUZI+hwgToID8BSbPn2yE805Kv8E2XN1gEFmqt05j1i44h6/Tk+9WB:9gUZIgcqbK8NvAXN1grSLMTF9c

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe

Executes dropped EXE 1 IoCs

Processes:

PDFShaper.exe

pid process

3784 PDFShaper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

PDFShaper.exe

pid process

3784 PDFShaper.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PDFShaper.exe

pid process

3784 PDFShaper.exe

pid	process
3784	PDFShaper.exe

pid	process
3784	PDFShaper.exe

pid	process
3784	PDFShaper.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe

description	pid	process	target process
PID 4616 wrote to memory of 3784	4616	dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe	PDFShaper.exe
PID 4616 wrote to memory of 3784	4616	dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe	PDFShaper.exe
PID 4616 wrote to memory of 3784	4616	dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe	PDFShaper.exe

C:\Users\Admin\AppData\Local\Temp\dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe
"C:\Users\Admin\AppData\Local\Temp\dbb8be0df01791788b072377eb303d74f66c5ed5951fb8d7071011ab50f27f15.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4616

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\Chinese.lng
Filesize
14KB

MD5
a4e8d507a6be3e9d64060aaef22f36f9

SHA1
89c89a2de7bf05037c9c19c9b9fd5cbabf02c5c6

SHA256
2fd8a2ed2ae09c56625a1f47c1bb70abd1fccff56751b4ec4201fe9854ac8622

SHA512
97229ca4846e04719b436ee63d501c3d5f1ebaedc26e6bc6746200aae2548e5a585cb0d87337654f40165fc3ae0c5ce6cf8a2b3b66e9139fd89cd27aecae9529

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
Filesize
9.0MB

MD5
83883342a32f298ebf9d11bb5e493e91

SHA1
d57a956650f6f3cb150a124adfd98d92d343957a

SHA256
70d11dcf00b1e21e5aeef8c04e36b9e562ecd0ca7c89de206d73b2014ee664f9

SHA512
3641bb0a4da4ac173e305b57e3423c00bebd190c663792433be985621970cfa551be467f33e3cd05824313bb6dc3ff428fad74829e7b9efe9447f3a536a5d89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
Filesize
9.0MB

MD5
83883342a32f298ebf9d11bb5e493e91

SHA1
d57a956650f6f3cb150a124adfd98d92d343957a

SHA256
70d11dcf00b1e21e5aeef8c04e36b9e562ecd0ca7c89de206d73b2014ee664f9

SHA512
3641bb0a4da4ac173e305b57e3423c00bebd190c663792433be985621970cfa551be467f33e3cd05824313bb6dc3ff428fad74829e7b9efe9447f3a536a5d89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\PDFShaper.exe
Filesize
9.0MB

MD5
83883342a32f298ebf9d11bb5e493e91

SHA1
d57a956650f6f3cb150a124adfd98d92d343957a

SHA256
70d11dcf00b1e21e5aeef8c04e36b9e562ecd0ca7c89de206d73b2014ee664f9

SHA512
3641bb0a4da4ac173e305b57e3423c00bebd190c663792433be985621970cfa551be467f33e3cd05824313bb6dc3ff428fad74829e7b9efe9447f3a536a5d89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PDFShaper\pdfspr.dll
Filesize
539KB

MD5
e7a92c669e040b925210d2afee5843d1

SHA1
89bbc47bf1f8f3873c09d37f12209d3fa5cc8590

SHA256
7d321b6919b08028ede3c3a7a6f42a85ba578569ffa8f5556fa40929784676a2

SHA512
2e1547580129ea2b6fc1dc450c5d3a33483a7dcd4d1be7322f2f6d063d1f3cba20a042c6af2a5cede0051bbd0d361b7054efd5f48388c05a4b9cbe9b011fc009

Download Submit
memory/3784-181-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/3784-184-0x0000000000400000-0x0000000000EB6000-memory.dmp

Filesize
10.7MB

Download