b6269018ac32484bdc093a6bec324fc9aa7990104a297f55600d31bff95ed6fd

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-10-2023 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WX.pdf.lnk
Size

1KB
MD5

4081b99306478e563fcb8737ea368029
SHA1

49a54cbbd519c1a10835542f704ba174e65d078f
SHA256

77dc2c45251101c6967d9368de8750fff2c5981e5452c8539e85dfae2373703b
SHA512

6b0e0a44d8cd13af1788c961090a4b6d895f233158917f6c06521081d74cca9509882ff0fe1cc4a1dd64d5c491bced52e5f45eacef0943e993d85b1b8936eefb

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2764	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2356	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2356	AcroRd32.exe
2356	AcroRd32.exe
2356	AcroRd32.exe
2356	AcroRd32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2764	1944	cmd.exe	29
PID 1944 wrote to memory of 2764	1944	cmd.exe	29
PID 1944 wrote to memory of 2764	1944	cmd.exe	29
PID 1944 wrote to memory of 2764	1944	cmd.exe	29
PID 1944 wrote to memory of 2764	1944	cmd.exe	29
PID 2764 wrote to memory of 2824	2764	regsvr32.exe	30
PID 2764 wrote to memory of 2824	2764	regsvr32.exe	30
PID 2764 wrote to memory of 2824	2764	regsvr32.exe	30
PID 2824 wrote to memory of 2532	2824	rundll32.exe	31
PID 2824 wrote to memory of 2532	2824	rundll32.exe	31
PID 2824 wrote to memory of 2532	2824	rundll32.exe	31
PID 2824 wrote to memory of 2532	2824	rundll32.exe	31
PID 2824 wrote to memory of 2532	2824	rundll32.exe	31
PID 2824 wrote to memory of 2532	2824	rundll32.exe	31
PID 2824 wrote to memory of 2532	2824	rundll32.exe	31
PID 2764 wrote to memory of 2356	2764	regsvr32.exe	32
PID 2764 wrote to memory of 2356	2764	regsvr32.exe	32
PID 2764 wrote to memory of 2356	2764	regsvr32.exe	32
PID 2764 wrote to memory of 2356	2764	regsvr32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\WX.pdf.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\System32\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s /u /i:i1v\zN\JI\eWJM\MVst\qI\1Q52\uURq\QIPJ\J4Xw\J6V\CO\bOs8\GMV\N53B\bow.sct scrobj.dll
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" i1v\zN\JI\eWJM\MVst\qI\1Q52\uURq\QIPJ\J4Xw\J6V\CO\bOs8\GMV\N53B\xSa.log, HUF_inc_var
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" i1v\zN\JI\eWJM\MVst\qI\1Q52\uURq\QIPJ\J4Xw\J6V\CO\bOs8\GMV\N53B\xSa.log, HUF_inc_var
      4⤵
      PID:2532
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\i1v\zN\JI\eWJM\MVst\qI\1Q52\uURq\QIPJ\J4Xw\J6V\CO\bOs8\GMV\N53B\Abqd.pdf"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
4844c3787cc196d6be33fd898fb5a64d

SHA1
91c6645929d95a03df8fde7ae3713924f8bdffcf

SHA256
4b0095629a75178f2117816802ab1d909da25e92fc1ca7adae7a37c006c7d29d

SHA512
91a90ed7af4768c3499325083597c038a1b5f4c08ce61ab0b18255c82f93fa32c04ca456bcf98d16b0de048baf1dd8aebecbfb8006d7eb44e1e892765a88c67d

Download Submit
memory/2532-36-0x0000000000AE0000-0x0000000000BA3000-memory.dmp

Filesize
780KB

Download
memory/2532-37-0x0000000000C90000-0x0000000000D61000-memory.dmp

Filesize
836KB

Download
memory/2532-38-0x0000000000C90000-0x0000000000D61000-memory.dmp

Filesize
836KB

Download