Overview
overview
7Static
static
4var www ht...r.html
windows10-2004-x64
1var www ht...a.html
windows10-2004-x64
1var www ht...x.html
windows10-2004-x64
1var www ht...g.html
windows10-2004-x64
1var www ht...3.html
windows10-2004-x64
1var www ht...e3.xml
windows10-2004-x64
3var www ht...ase.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...-1.pdf
windows10-2004-x64
1var www ht...ed.pdf
windows10-2004-x64
1var www ht...ka.pdf
windows10-2004-x64
1var www ht...CH.exe
windows10-2004-x64
7var www ht...is.exe
windows10-2004-x64
1var www ht...des.js
windows10-2004-x64
1var www ht...css.js
windows10-2004-x64
1var www ht...js/.js
windows10-2004-x64
1var www ht...30a.js
windows10-2004-x64
1var www ht...a5f.js
windows10-2004-x64
1var www ht...b5a.js
windows10-2004-x64
1var www ht...son.js
windows10-2004-x64
1var www ht...x.html
windows10-2004-x64
1var www ht...bed.js
windows10-2004-x64
1var www ht...c.html
windows10-2004-x64
1var www ht...0.html
windows10-2004-x64
1Analysis
-
max time kernel
148s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
19-07-2023 21:09
Behavioral task
behavioral1
Sample
var www html kemhan/wp-content/themes/menhan/css/AjaxLoader.html
Resource
win10v2004-20230703-en
Behavioral task
behavioral2
Sample
var www html kemhan/wp-content/themes/menhan/css/fotorama.html
Resource
win10v2004-20230703-en
Behavioral task
behavioral3
Sample
var www html kemhan/wp-content/themes/menhan/css/[email protected]
Resource
win10v2004-20230703-en
Behavioral task
behavioral4
Sample
var www html kemhan/wp-content/themes/menhan/css/grabbing.html
Resource
win10v2004-20230703-en
Behavioral task
behavioral5
Sample
var www html kemhan/wp-content/themes/menhan/fonts/fontawesome-webfont93e3.html
Resource
win10v2004-20230703-en
Behavioral task
behavioral6
Sample
var www html kemhan/wp-content/themes/menhan/fonts/fontawesome-webfont93e3.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral7
Sample
var www html kemhan/wp-content/themes/menhan/gallery/jquery.aw-showcase.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral8
Sample
var www html kemhan/wp-content/themes/menhan/js/accordion6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral9
Sample
var www html kemhan/wp-content/themes/menhan/js/fotorama6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral10
Sample
var www html kemhan/wp-content/themes/menhan/js/jquery.bxslider6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral11
Sample
var www html kemhan/wp-content/themes/menhan/js/jquery.min6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral12
Sample
var www html kemhan/wp-content/themes/menhan/js/main6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral13
Sample
var www html kemhan/wp-content/themes/menhan/js/modal/js/basic6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral14
Sample
var www html kemhan/wp-content/themes/menhan/js/modal/js/jquery.simplemodal6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral15
Sample
var www html kemhan/wp-content/themes/menhan/js/owl.carousel6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral16
Sample
var www html kemhan/wp-content/themes/menhan/js/zozo.tabs.min6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral17
Sample
var www html kemhan/wp-content/uploads/2022/07/WIRA-MASTER-edisi-iI-INDKompelite-1.pdf
Resource
win10v2004-20230703-en
Behavioral task
behavioral18
Sample
var www html kemhan/wp-content/uploads/How-to-Response-Against-Web-Security-Incident-signed.pdf
Resource
win10v2004-20230703-en
Behavioral task
behavioral19
Sample
var www html kemhan/wp-content/uploads/Komponen_Dasar_Elektronika.pdf
Resource
win10v2004-20230703-en
Behavioral task
behavioral20
Sample
var www html kemhan/wp-content/uploads/PDFReader_CRACK_FULL_PATCH.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral21
Sample
var www html kemhan/wp-content/uploads/slowloris.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral22
Sample
var www html kemhan/wp-includes/.wp-includes.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral23
Sample
var www html kemhan/wp-includes/css/.css.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral24
Sample
var www html kemhan/wp-includes/js/.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral25
Sample
var www html kemhan/wp-includes/js/jquery/jquery-migrate.min330a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral26
Sample
var www html kemhan/wp-includes/js/jquery/jquery4a5f.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral27
Sample
var www html kemhan/wp-includes/js/wp-embed.min6b5a.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral28
Sample
var www html kemhan/wp-json/.wp-json.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral29
Sample
var www html kemhan/wp-json/index.html
Resource
win10v2004-20230703-en
Behavioral task
behavioral30
Sample
var www html kemhan/wp-json/oembed/.oembed.js
Resource
win10v2004-20230703-en
Behavioral task
behavioral31
Sample
var www html kemhan/xmlrpc.html
Resource
win10v2004-20230703-en
Behavioral task
behavioral32
Sample
var www html kemhan/xmlrpc0db0.html
Resource
win10v2004-20230703-en
General
-
Target
var www html kemhan/wp-content/uploads/PDFReader_CRACK_FULL_PATCH.exe
-
Size
1.4MB
-
MD5
4d99ea28d2e65ab6090763f3e0b5890c
-
SHA1
b26f5210d2d8cd04df9b3ab3e6406bc54ad1af60
-
SHA256
db11ecd33f37fc86c233b9d972e9b9d877eec3d491c764b3eb3784feca757a54
-
SHA512
37cff1b0361f56b079752a0e9d62c6226cd7abaf582b8e4cf9c059968e75ccfccaf021bee03c636205380abf562a4f16ea73232b45f18ecbf56a13c0eb3388da
-
SSDEEP
24576:5y5f33KIXMojSzsTxYqdVV2JM1vTzs7MJZ8U0tirJNq4oCMY1gb//:oVHK+HjNTxmmLznKoS4dL1e
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3272 READER~1.EXE -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce PDFReader_CRACK_FULL_PATCH.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" PDFReader_CRACK_FULL_PATCH.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3272 READER~1.EXE 3272 READER~1.EXE 3272 READER~1.EXE 3272 READER~1.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3232 wrote to memory of 3272 3232 PDFReader_CRACK_FULL_PATCH.exe 87 PID 3232 wrote to memory of 3272 3232 PDFReader_CRACK_FULL_PATCH.exe 87 PID 3232 wrote to memory of 3272 3232 PDFReader_CRACK_FULL_PATCH.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\var www html kemhan\wp-content\uploads\PDFReader_CRACK_FULL_PATCH.exe"C:\Users\Admin\AppData\Local\Temp\var www html kemhan\wp-content\uploads\PDFReader_CRACK_FULL_PATCH.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\READER~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\READER~1.EXE2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3272
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5a2e37f954986af9f88342b20b2965646
SHA1b298ce01bc93e8391acca3a07c0d06021df30dd6
SHA2568bc36f61610304148652cc7748ac1a215290f720d9e5e8df53d1d3b2c3c0e5fd
SHA512a492235f0e6de5f93200e0886bf4d3d77629777f28a5d517e87c3bb45e4266f339ab6a66d889434e617a3e4cec7248b488fb1e5aa0a73b6498ed7ec2d4073e7a
-
Filesize
1.2MB
MD5a2e37f954986af9f88342b20b2965646
SHA1b298ce01bc93e8391acca3a07c0d06021df30dd6
SHA2568bc36f61610304148652cc7748ac1a215290f720d9e5e8df53d1d3b2c3c0e5fd
SHA512a492235f0e6de5f93200e0886bf4d3d77629777f28a5d517e87c3bb45e4266f339ab6a66d889434e617a3e4cec7248b488fb1e5aa0a73b6498ed7ec2d4073e7a