ba9ab41442d061eb787066fb77b0f1613657a3a73f2c50aaab06dfd1532213a8

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05048a6799be8ea6da0e2f65c37807ec.pdf
Size

244KB
MD5

05048a6799be8ea6da0e2f65c37807ec
SHA1

6cf614dbea69f4d1721796c57d2de77a5ddd17ba
SHA256

ba9ab41442d061eb787066fb77b0f1613657a3a73f2c50aaab06dfd1532213a8
SHA512

17d8b63bd0c2cd323fc73697c38239a14f8c4e2374793cce4366b89c7544370ec78e360ce34f332a3220c62feb8c0e357a3a452c50a793cde91a0562fdfdb204
SSDEEP

1536:DLK4+34uWqT44JMA4G5bZ3aMSZZ8cOxH/K1M/KL3BAi2TjJlJ/UfFOz9g5wyV7Jl:D3+bTVJHP3QZCs2lbJWwyhJdhAzdi

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	ccapp.exe

Loads dropped DLL 4 IoCs

pid	Process
1900	AcroRd32.exe
2484	ccapp.exe
2484	ccapp.exe
2484	ccapp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmiApSrv = "C:\\Users\\Admin\\AppData\\Local\\wmiApSrv.exe"	regedit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 2476	2484	ccapp.exe	29

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
984	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3068	AcroRd32.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1900	AcroRd32.exe
1900	AcroRd32.exe
1900	AcroRd32.exe
3068	AcroRd32.exe
3068	AcroRd32.exe
3068	AcroRd32.exe
3068	AcroRd32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2484	1900	AcroRd32.exe	28
PID 1900 wrote to memory of 2484	1900	AcroRd32.exe	28
PID 1900 wrote to memory of 2484	1900	AcroRd32.exe	28
PID 1900 wrote to memory of 2484	1900	AcroRd32.exe	28
PID 1900 wrote to memory of 2484	1900	AcroRd32.exe	28
PID 1900 wrote to memory of 2484	1900	AcroRd32.exe	28
PID 1900 wrote to memory of 2484	1900	AcroRd32.exe	28
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 2484 wrote to memory of 2476	2484	ccapp.exe	29
PID 1900 wrote to memory of 3068	1900	AcroRd32.exe	30
PID 1900 wrote to memory of 3068	1900	AcroRd32.exe	30
PID 1900 wrote to memory of 3068	1900	AcroRd32.exe	30
PID 1900 wrote to memory of 3068	1900	AcroRd32.exe	30
PID 2476 wrote to memory of 984	2476	svchost.exe	31
PID 2476 wrote to memory of 984	2476	svchost.exe	31
PID 2476 wrote to memory of 984	2476	svchost.exe	31
PID 2476 wrote to memory of 984	2476	svchost.exe	31
PID 2476 wrote to memory of 984	2476	svchost.exe	31
PID 2476 wrote to memory of 984	2476	svchost.exe	31
PID 2476 wrote to memory of 984	2476	svchost.exe	31

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\05048a6799be8ea6da0e2f65c37807ec.pdf"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\ccapp.exe
  C:\Users\Admin\AppData\Local\Temp\ccapp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe "C:\Users\Admin\AppData\Local\Temp\ccapp.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:984
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\11.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11.pdf

Filesize
188KB

MD5
29aa5cabe313e392c69a1900de1d6604

SHA1
0ed5c7850973e86c6ab468e74e5f74c17f363b8a

SHA256
297e1da68288da0c7a9a2b14c7bdc85827c082afc49652729df0193582701659

SHA512
2a48db93b0ca6d3ad4137e5ca1c7add74411daf564272409b7062aaad961d07bc435c6c73cb610a04636aab5d996fa04a3724aeb402b13857eaa0d7d20f84339

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9R1621.tmp

Filesize
358B

MD5
0cd589fef4bf379e5cd28aedab36f63f

SHA1
75d1894a13d6e1ddfc0c96f645a73bcfb16a0dd8

SHA256
4704d15e4cc43794423e28f790cf092cdd848133444b2f286b4c1b885b784778

SHA512
f0fa7dadcb4de79e417216188a032373a918515aff13d0ebc0dceb9e01a5ebf794a8ed1f8f0d82d4af113e448118afbbd8c8098dce6ec0d480ac34fcb063c7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
168B

MD5
4e4163dc5382221cea72ea60aa98e99b

SHA1
c9d56c8d87e60ad485abec0cee3ef2016c078583

SHA256
ce30a4fa3794a4e5af7d75146acfcd93f71cfb8566626bc45bfb709b48bdfd54

SHA512
c685f289856e3420b6da7ac90d4611343c181eeaedfffef1e914c52db03156ad2586dd7533c5220abc9d4996bae3fbdb875654202850a6a8fc060e0ed88ea872

Download Submit
\Users\Admin\AppData\Local\Temp\ccapp.exe

Filesize
21KB

MD5
35dd9c932d746a6cd078222dc6b04a58

SHA1
bf5d3e948d1f4870ed9147f2acd1bf0f0c0a8013

SHA256
faeb4579a64294674f862cf73966b19be3b84ac80beb71a932ffc30cbd967d26

SHA512
2fb3125c5995eecfaf6a8bff1bccfdf6bf59741829108090b48276fa44d4197b6c688511efafabe8cffee5555533db395ec04fff362d30136acc1d60e0dd64ca

Download Submit
memory/1900-81-0x0000000004080000-0x00000000040B5000-memory.dmp

Filesize
212KB

Download
memory/1900-53-0x0000000004080000-0x00000000040B5000-memory.dmp

Filesize
212KB

Download
memory/1900-0-0x0000000003140000-0x00000000031B6000-memory.dmp

Filesize
472KB

Download
memory/1900-56-0x00000000032E0000-0x00000000032E8000-memory.dmp

Filesize
32KB

Download
memory/2476-82-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2476-86-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2476-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2476-73-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2476-71-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2476-69-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2476-67-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2476-95-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2476-85-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2476-77-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2484-64-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/2484-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2484-65-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/2484-63-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads