Analysis Overview
SHA256
e7108827841a79e82b3ed9f3e54a628f380560c618e0a3769240c2eaec143e54
Threat Level: Known bad
The file tmp was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-14 10:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-14 10:13
Reported
2023-08-14 10:15
Platform
win7-20230712-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | mayo.edu | udp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
Files
memory/2568-54-0x0000000000400000-0x00000000007F2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-14 10:13
Reported
2023-08-14 10:15
Platform
win10v2004-20230703-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3448 created 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\Explorer.EXE |
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4372 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe
"C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | mayo.edu | udp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.mayo.edu | udp |
| US | 52.162.245.23:443 | www.mayo.edu | tcp |
| US | 8.8.8.8:53 | 88.1.176.129.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.245.162.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| NL | 199.232.148.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | 193.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
memory/3448-134-0x00007FFAF2500000-0x00007FFAF282D000-memory.dmp
C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe
| MD5 | b43b96e4483dce09976dc250f87ecf1a |
| SHA1 | 4290076db1e87a46b73e8391186025f1f5b492bb |
| SHA256 | 5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12 |
| SHA512 | 383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438 |
memory/3448-140-0x0000000000400000-0x00000000007F2000-memory.dmp
memory/4372-141-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfium.dll
| MD5 | 5253296effaf275e7239e52a6e3c76be |
| SHA1 | 3a07d2f3e83359d8998c7e11ee6e256e2cabdd7b |
| SHA256 | bc7defe6891b955f977ae0d28036cea440e849209deeb9b58a693a11d359ee17 |
| SHA512 | 669d549eba49e3d9fbaa1cf9775f5b4dc89784f336d14382389c1efb5a64b362bfea7a3e661bbdb816f5517acd66ebc0e8d3c9020f86b5a5dfc0774aa61a99f9 |
C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfium.dll
| MD5 | 5253296effaf275e7239e52a6e3c76be |
| SHA1 | 3a07d2f3e83359d8998c7e11ee6e256e2cabdd7b |
| SHA256 | bc7defe6891b955f977ae0d28036cea440e849209deeb9b58a693a11d359ee17 |
| SHA512 | 669d549eba49e3d9fbaa1cf9775f5b4dc89784f336d14382389c1efb5a64b362bfea7a3e661bbdb816f5517acd66ebc0e8d3c9020f86b5a5dfc0774aa61a99f9 |
C:\Users\Admin\AppData\Roaming\KBDINDEV\ail.html
| MD5 | 5bb10ce2d154345099373f632594b49a |
| SHA1 | bdb91eb50e5dd610d00a8a9c8aa69c91ed063015 |
| SHA256 | b7dba474ec7726fcbf7ee3acb24a8ee08e808b57e44bfb5d5a91d74f475cba1c |
| SHA512 | cb5729643ceb6d51c66f555bcd6fbaefcfa74b3309bafd22daf5c7dbbb4bf1df49d5539001fe21b5c29421ed9d3b1b7dbd375fb3de710e375839cbf878d7ebef |
memory/4372-145-0x0000000073800000-0x0000000074A54000-memory.dmp
memory/4372-146-0x0000000000400000-0x0000000000C88000-memory.dmp
memory/4372-147-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
memory/2988-150-0x0000000073800000-0x0000000074A54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\189e2914
| MD5 | 61654e07b3102376adbc8597477d2e9a |
| SHA1 | a682e2e399ec9f0b2574b8a17ec3cb1b67113ef2 |
| SHA256 | f4347fb82031dd9b039cd012d45062d756c8f7a3d1a9746861b000bfcba84847 |
| SHA512 | fbdebd1d48f469fab12672f419affc659823385a19764ea5112ceec16cdb081eb747d6e5297f1c71faa9130b734569e86b195864c020bd3ec71571d7403affc7 |
memory/2988-152-0x00007FFB028F0000-0x00007FFB02AE5000-memory.dmp
C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe
| MD5 | b43b96e4483dce09976dc250f87ecf1a |
| SHA1 | 4290076db1e87a46b73e8391186025f1f5b492bb |
| SHA256 | 5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12 |
| SHA512 | 383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438 |
memory/2988-155-0x0000000073800000-0x0000000074A54000-memory.dmp
memory/2988-156-0x0000000073800000-0x0000000074A54000-memory.dmp
memory/2988-158-0x0000000073800000-0x0000000074A54000-memory.dmp
memory/4632-159-0x00000000007F0000-0x00000000007F8000-memory.dmp
memory/4632-160-0x00007FFB028F0000-0x00007FFB02AE5000-memory.dmp
memory/4632-161-0x00000000007F0000-0x00000000007F8000-memory.dmp
memory/4632-162-0x0000000000020000-0x0000000000453000-memory.dmp
memory/4632-163-0x00000000007F0000-0x00000000007F8000-memory.dmp
memory/4632-165-0x00000000007F0000-0x00000000007F8000-memory.dmp