Analysis Overview
SHA256
3a7c97b376896da090d87dc501625425514cdcf7590825a8ca41346d7c6592c3
Threat Level: Known bad
The file tmp was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-14 16:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-14 16:35
Reported
2023-08-14 16:38
Platform
win7-20230712-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mayo.edu | udp |
| US | 129.176.1.88:443 | mayo.edu | tcp |

(The 129.176.1.88:443 row is recorded 44 times in this analysis, one entry per TCP connection; the identical rows are collapsed into one above.)
Files
memory/2264-53-0x0000000000400000-0x00000000007F2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-14 16:35
Reported
2023-08-14 16:38
Platform
win10v2004-20230703-en
Max time kernel
145s
Max time network
129s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4912 created 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\Explorer.EXE |
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3840 set thread context of 1936 | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe
"C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mayo.edu | udp |
| US | 129.176.1.88:443 | mayo.edu | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.1.176.129.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.mayo.edu | udp |
| US | 52.162.245.23:443 | www.mayo.edu | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.245.162.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.imgur.com | udp |
| NL | 199.232.148.193:443 | i.imgur.com | tcp |
| US | 8.8.8.8:53 | 193.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.136.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/4912-134-0x00007FF9275E0000-0x00007FF92790D000-memory.dmp
C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe
| MD5 | b43b96e4483dce09976dc250f87ecf1a |
| SHA1 | 4290076db1e87a46b73e8391186025f1f5b492bb |
| SHA256 | 5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12 |
| SHA512 | 383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438 |
memory/4912-140-0x0000000000400000-0x00000000007F2000-memory.dmp
memory/3840-141-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfium.dll
| MD5 | 5253296effaf275e7239e52a6e3c76be |
| SHA1 | 3a07d2f3e83359d8998c7e11ee6e256e2cabdd7b |
| SHA256 | bc7defe6891b955f977ae0d28036cea440e849209deeb9b58a693a11d359ee17 |
| SHA512 | 669d549eba49e3d9fbaa1cf9775f5b4dc89784f336d14382389c1efb5a64b362bfea7a3e661bbdb816f5517acd66ebc0e8d3c9020f86b5a5dfc0774aa61a99f9 |
C:\Users\Admin\AppData\Roaming\KBDINDEV\ail.html
| MD5 | 5bb10ce2d154345099373f632594b49a |
| SHA1 | bdb91eb50e5dd610d00a8a9c8aa69c91ed063015 |
| SHA256 | b7dba474ec7726fcbf7ee3acb24a8ee08e808b57e44bfb5d5a91d74f475cba1c |
| SHA512 | cb5729643ceb6d51c66f555bcd6fbaefcfa74b3309bafd22daf5c7dbbb4bf1df49d5539001fe21b5c29421ed9d3b1b7dbd375fb3de710e375839cbf878d7ebef |
memory/3840-145-0x0000000074260000-0x00000000754B4000-memory.dmp
memory/3840-146-0x0000000000400000-0x0000000000C88000-memory.dmp
memory/3840-147-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
memory/1936-150-0x0000000074260000-0x00000000754B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2c390414
| MD5 | 8bd06a484159c5b1505d62f144c1ae2b |
| SHA1 | dfa3d37b46c429224a696255d9e5dd97f8835b6e |
| SHA256 | b3290df1d7996e9b1b6d881c09040ad8e228a0814dd376a09619d9f399760f58 |
| SHA512 | 67c4f8476075592cb62684b2b61148567ff86687d5b2018e3bfdc3d94c20751103555049ffd63e57f6f62ddad61a65c4687af85b03d10a32c10a4bf28814fa67 |
memory/1936-152-0x00007FF937ED0000-0x00007FF9380C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe
| MD5 | b43b96e4483dce09976dc250f87ecf1a |
| SHA1 | 4290076db1e87a46b73e8391186025f1f5b492bb |
| SHA256 | 5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12 |
| SHA512 | 383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438 |
memory/1936-156-0x0000000074260000-0x00000000754B4000-memory.dmp
memory/1936-157-0x0000000074260000-0x00000000754B4000-memory.dmp
memory/1936-160-0x0000000074260000-0x00000000754B4000-memory.dmp
memory/4944-161-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4944-162-0x00007FF937ED0000-0x00007FF9380C5000-memory.dmp
memory/4944-163-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4944-164-0x0000000000B80000-0x0000000000FB3000-memory.dmp
memory/4944-165-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4944-166-0x0000000000400000-0x0000000000408000-memory.dmp