b6428040dcd622d53afb53932a512a9dd36bb5cd6fc15ea43bf5fd0be3063cc1

General

Target

4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe
Size

109.4MB
MD5

6720015dcacecbfd3e14cfa40fb09464
SHA1

e158076552c38ce35f68ad93e292c1c3a1fc4a1c
SHA256

4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b
SHA512

405ac883e0ee92715abc6c0d8a633045b909f29d1346b246c10e1b8271b336002847df0a2f031c6d83469306ecb6246e4881679babccf92d10e953ff0d7919fa
SSDEEP

49152:Cqe3f6iJ+7ZgS9YLPcEcp6NMdFPVGw3mxPo+OOOrWUUFRevTycKArFD0o:bSi0+7ZVObvcpQMVTWxPYPWHFRe2czCo

Score

7^/10

link pdf

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2664	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.tmp

Loads dropped DLL 1 IoCs

pid	Process
2876	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x0006000000016d3d-13.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2804	AcroRd32.exe
2804	AcroRd32.exe
2804	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2664	2876	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe	28
PID 2876 wrote to memory of 2664	2876	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe	28
PID 2876 wrote to memory of 2664	2876	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe	28
PID 2876 wrote to memory of 2664	2876	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe	28
PID 2876 wrote to memory of 2664	2876	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe	28
PID 2876 wrote to memory of 2664	2876	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe	28
PID 2876 wrote to memory of 2664	2876	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe	28
PID 2664 wrote to memory of 2804	2664	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.tmp	29
PID 2664 wrote to memory of 2804	2664	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.tmp	29
PID 2664 wrote to memory of 2804	2664	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.tmp	29
PID 2664 wrote to memory of 2804	2664	4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.tmp	29

C:\Users\Admin\AppData\Local\Temp\4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe
"C:\Users\Admin\AppData\Local\Temp\4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\is-9TRCF.tmp\4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9TRCF.tmp\4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.tmp" /SL5="$7011E,113775430,817152,C:\Users\Admin\AppData\Local\Temp\4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ICAT - Data Limitations - 24122020_Altered_ed.pdf"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ICAT - Data Limitations - 24122020_Altered_ed.pdf

Filesize
790KB

MD5
b7ea387b801b2209301d5ceeb6b33f91

SHA1
449faa8070486dacfbc824b133d11f7de8ea426e

SHA256
b83f2f0e54e64788edd318911f7e38e72ac3ebadb934854303206af47bfac8e3

SHA512
59ec32d3dbe203c570cf26bc526107928b081db3831796da11d96b4b7d22beb0d764c402f344baf93f5b32961c1b5b93ce7304aea7315d2c0a0f911859562ad4

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
b994a4da9abaa4c1c31978ef700a0466

SHA1
e1526686a8614005973199a8f9d4c1652a0fa31b

SHA256
0514388e8928fbeb8f01510e16b47502158ce1c583f74b797732829cc7cd2641

SHA512
dfa3a0bf505848ef39cb0b3f59c5102d27805e5b3416f9393a50e1fa13f55eba54593a96e3cce77b4ded6c418c8d307d4171949b2dcba3fae25d89f8d5414945

Download Submit
\Users\Admin\AppData\Local\Temp\is-9TRCF.tmp\4630b0be7226c9003d34717f7eb092eb51242bd9723d118b4b106c9727503a7b.tmp

Filesize
3.0MB

MD5
7345a1194982254510d32fade75ac616

SHA1
3d78eb7b18275a826d1d9a0dd85418c40c760caf

SHA256
d40da05d477f2a6a0da575194dd9a693f85440e6b2d08d1687e1415ce0b00df7

SHA512
ac8c2f286eb3b592281cae698d1d5f8767200c40c2e9ee19d6775c0f913374ce37a88b82c12b5e3cc7b214b63f358dcc59a4728f189c50e104b3406c6b8bf70e

Download Submit
memory/2664-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2664-32-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/2876-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2876-34-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing