Analysis

  • max time kernel: 120s
  • max time network: 124s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 26-01-2024 07:34

General

  • Target: 76c326d9775093059f8008ece92ade0d.pdf
  • Size: 925KB
  • MD5: 76c326d9775093059f8008ece92ade0d
  • SHA1: 1bb0b7e8e7c52dcd5607e487c1be2c848a5790f5
  • SHA256: 3145491338144393805b54bfe6ca840425bcfad7b8c2bee945a5f93ba0a46252
  • SHA512: ec27c0e83ecbea2cacbcdd70091996ffdbe3e1866965fd43716d295c48b5ee17cad1d969547c5727e787a7349a0dbcd888ceded05a5c681bf14c8f9d5ddc304d
  • SSDEEP: 24576:0PISbzGTjB0IxmSIKoOCeerokFN7hp96rPyT:0Aj1QONQok7h1

Score
8/10

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\76c326d9775093059f8008ece92ade0d.pdf"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ""%temp%\svchost.exe""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\progra~1\myclear.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2736
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\progra~1\ocgen.tx
            5⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              6⤵
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:2588
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                7⤵
                PID:2648
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 292
            4⤵
            • Loads dropped DLL
            • Program crash
            PID:2500
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ""%temp%\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\TOTAL REPORT Information Security 2010.P""
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe
          "C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\TOTAL REPORT Information Security 2010.P"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe
            4⤵
            PID:2912

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\PROGRA~1\myclear.bat
    Filesize: 121B
    MD5: 1d7040f59636807a6869c60e6d852e16
    SHA1: f89b7bd7f0f3ff47d215cec1db700b39d8340f43
    SHA256: 815ded04136f6315bddc41bde68064d3c223815589ba260b9a99589ba30d95ef
    SHA512: 96001609ceb0ee0a1403365f0b5326263165675123a15e00cba0b282d2ab5e72b1807871f4c91582dd31176284be781b2cd894d179d7a667ff037b00d138af44

  • C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe
    Filesize: 3KB
    MD5: 536b8a8b431792b4c81e7c28df1d70db
    SHA1: deaf80952c98195955900deeb2b44e5f8b0fac41
    SHA256: 4992b5d0808325585ff5495588bc07ca388c96872159d8f956e33f160ac26bc2
    SHA512: bfbbb1fa69eff5e86349dfdb94494022c332714f5f70b0800b0e3319296b1d96199d6b30dee4adcbfa359485b8d66f4748eb916e83929aacdbfbf7c44d564c64

  • C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
    Filesize: 40KB
    MD5: be0e01149d60ce153fad052a8256744b
    SHA1: 6096b378c783777ee270115abe59de56e24af1e6
    SHA256: c25f0ba0a980237d30ad3eb669a6c1f6b8cbd971b18a737e25057ab12bd13c00
    SHA512: ef5a8d18addcbe9e4db048ccc7bf521d7377f5cfc7cf7cf7ca2a2358b7559696fa6a005c7de20f8d9f28ab3eac6f21dd8214744f923948d897d81eafb2215c1c

  • C:\progra~1\ocgen.tx
    Filesize: 1KB
    MD5: 4a7ebe5988f2454e48dddf70045f66d9
    SHA1: 6655feb1d4cc08db9e08b8fccf0590ad3f0270c7
    SHA256: 5f570f10b95ef05e22799bf66b8cee9b2e10a5bce0e92d32209dab13925b2a5b
    SHA512: 056a330c06ed9b1d6641e9987106468579641535a4ed4e0f46fc84e5cd1b2a2b3469a6bc9586fb33fbe55f0d2f3135c3d7e2f0065e7925f1e7edf704139420f9

  • memory/2208-0-0x0000000002F80000-0x0000000002FF6000-memory.dmp
    Filesize: 472KB