Analysis

  • max time kernel
    111s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230703-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    07/07/2023, 20:14

General

  • Target

    0670HJ571bo77.pdf

  • Size

    354KB

  • MD5

    d4e45135d318247b0db5f7a66b886dae

  • SHA1

    c21412e7242999d5e0d89f7a260012688ee2f49c

  • SHA256

    5c99ca9a1667785e1299d3d5539bc2f87bf3b932e4f85498009eff9ea9737222

  • SHA512

    e0ff6c244779409534fa13da55cd86fe9c3ce30cb2dc5fcf6356a48f98ad22c441e532a37b69644eb58b2aca58b2c74418df30c3dd407fd4520d22c3c43ccfb5

  • SSDEEP

    3072:G2jex3TK0GZ845NL7pOjKaajWuP7xd4p9G4hoMSRETHtq4QF89OfkM8kDWD83M6p:s94eEFCXGyaRqHY4QK9W87ZJArNcY

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0670HJ571bo77.pdf"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://webmail.une.net.co/home/[email protected]/Briefcase/factura_electronica40368715.7z
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2228
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XZEULFN0\factura_electronica40368715.7z
        3⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XZEULFN0\factura_electronica40368715.7z
          4⤵
            PID:2596

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XZEULFN0\factura_electronica40368715.7z.0yerxsf.partial

    Filesize: 2KB
    MD5: b05c48fc2e3aef3b1f82a8da79faf089
    SHA1: d75c8028d794c067f2799e126ea962cf4c2ac005
    SHA256: a1d48692b9dc3ed7707f97c39f354ce25a9be11392583ef894ef189f6e550831
    SHA512: ab4ca0aae10895c7f97365f22e6e6d93ea46a124083d648099a73e22dde74979726764e7b46ad74aa2aeb3252103d3af5f7353fbc316de11ccde0b4b65f06e22

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XZEULFN0\factura_electronica40368715[1].7z

    Filesize: 2KB
    MD5: b05c48fc2e3aef3b1f82a8da79faf089
    SHA1: d75c8028d794c067f2799e126ea962cf4c2ac005
    SHA256: a1d48692b9dc3ed7707f97c39f354ce25a9be11392583ef894ef189f6e550831
    SHA512: ab4ca0aae10895c7f97365f22e6e6d93ea46a124083d648099a73e22dde74979726764e7b46ad74aa2aeb3252103d3af5f7353fbc316de11ccde0b4b65f06e22

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize: 3KB
    MD5: fa0991225d1790a463b43fdb4ea47c3a
    SHA1: 305101ec8f9f314e8553919fd73121e24f682936
    SHA256: b4eb8e73356916a150b900a76fac15e03ccb5a44369dca098ce8df9a99b9f106
    SHA512: 330e08327f2924a30736664ec510e63dee3decea606869a7aca5cc99e55cd478a3c399541b38c8952aeeb00c5c6a829004c9cea1820ca42609869bc85751501f
            330e08327f2924a30736664ec510e63dee3decea606869a7aca5cc99e55cd478a3c399541b38c8952aeeb00c5c6a829004c9cea1820ca42609869bc85751501f