Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-01-2024 07:34
Behavioral task: behavioral1
- Sample: 76c326d9775093059f8008ece92ade0d.pdf
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 76c326d9775093059f8008ece92ade0d.pdf
- Resource: win10v2004-20231215-en
General
- Target: 76c326d9775093059f8008ece92ade0d.pdf
- Size: 925KB
- MD5: 76c326d9775093059f8008ece92ade0d
- SHA1: 1bb0b7e8e7c52dcd5607e487c1be2c848a5790f5
- SHA256: 3145491338144393805b54bfe6ca840425bcfad7b8c2bee945a5f93ba0a46252
- SHA512: ec27c0e83ecbea2cacbcdd70091996ffdbe3e1866965fd43716d295c48b5ee17cad1d969547c5727e787a7349a0dbcd888ceded05a5c681bf14c8f9d5ddc304d
- SSDEEP: 24576:0PISbzGTjB0IxmSIKoOCeerokFN7hp96rPyT:0Aj1QONQok7h1
Malware Config
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wmiprvse = "//com/usrinit.exe" | rundll32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rundll32.exe
- Executes dropped EXE (2 IoCs)
  Processes: SVCHOST.EXE, AdobeARM.exe
  pid | process
  2976 | SVCHOST.EXE
  2704 | AdobeARM.exe
- Loads dropped DLL (7 IoCs)
  Processes: cmd.exe, cmd.exe, WerFault.exe
  pid | process
  2816 | cmd.exe (x2)
  2804 | cmd.exe (x2)
  2500 | WerFault.exe (x3)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | rundll32.exe
- Drops file in System32 directory (3 IoCs)
  Processes: SVCHOST.EXE
  description | ioc | process
  File created | C:\Windows\SysWOW64\com\usrinit.exe | SVCHOST.EXE
  File opened for modification | C:\Windows\SysWOW64\com\usrinit.exe | SVCHOST.EXE
  File created | \??\c:\windows\SysWOW64\ias\comrepl.exe | SVCHOST.EXE
- Drops file in Program Files directory (2 IoCs)
  Processes: SVCHOST.EXE
  description | ioc | process
  File created | C:\progra~1\ocgen.tx | SVCHOST.EXE
  File created | C:\progra~1\myclear.bat | SVCHOST.EXE
- Drops file in Windows directory (1 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  File opened for modification | C:\Windows\INF\setupapi.app.log | rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2500 | 2976 | WerFault.exe | SVCHOST.EXE
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: runonce.exe
  description | ioc | process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: AdobeARM.exe
  pid | process
  2704 | AdobeARM.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes: rundll32.exe
  description | pid | process
  Token: SeRestorePrivilege | 2572 | rundll32.exe (x7)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2208 | AcroRd32.exe (x3)
- Suspicious use of WriteProcessMemory (43 IoCs)
  Processes: AcroRd32.exe, cmd.exe, cmd.exe, SVCHOST.EXE, cmd.exe, rundll32.exe, runonce.exe, AdobeARM.exe
  description | pid | process | target process
  PID 2208 wrote to memory of 2804 | 2208 | AcroRd32.exe | cmd.exe (x4)
  PID 2208 wrote to memory of 2816 | 2208 | AcroRd32.exe | cmd.exe (x4)
  PID 2816 wrote to memory of 2704 | 2816 | cmd.exe | AdobeARM.exe (x4)
  PID 2804 wrote to memory of 2976 | 2804 | cmd.exe | SVCHOST.EXE (x4)
  PID 2976 wrote to memory of 2736 | 2976 | SVCHOST.EXE | cmd.exe (x4)
  PID 2736 wrote to memory of 2572 | 2736 | cmd.exe | rundll32.exe (x7)
  PID 2572 wrote to memory of 2588 | 2572 | rundll32.exe | runonce.exe (x4)
  PID 2588 wrote to memory of 2648 | 2588 | runonce.exe | grpconv.exe (x4)
  PID 2976 wrote to memory of 2500 | 2976 | SVCHOST.EXE | WerFault.exe (x4)
  PID 2704 wrote to memory of 2912 | 2704 | AdobeARM.exe | cmd.exe (x4)
Processes (tree; depth shown by indentation)
- [1] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\76c326d9775093059f8008ece92ade0d.pdf"
  PID: 2208
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ""%temp%\svchost.exe""
    PID: 2804
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 2976
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\progra~1\myclear.bat" "
        PID: 2736
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\progra~1\ocgen.tx
          PID: 2572
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\runonce.exe
            Command line: "C:\Windows\system32\runonce.exe" -r
            PID: 2588
            - Checks processor information in registry
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\grpconv.exe
              Command line: "C:\Windows\System32\grpconv.exe" -o
              PID: 2648
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 292
        PID: 2500
        - Loads dropped DLL
        - Program crash
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ""%temp%\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\TOTAL REPORT Information Security 2010.P""
    PID: 2816
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\TOTAL REPORT Information Security 2010.P"
      PID: 2704
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe
        PID: 2912
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 121B
  MD5: 1d7040f59636807a6869c60e6d852e16
  SHA1: f89b7bd7f0f3ff47d215cec1db700b39d8340f43
  SHA256: 815ded04136f6315bddc41bde68064d3c223815589ba260b9a99589ba30d95ef
  SHA512: 96001609ceb0ee0a1403365f0b5326263165675123a15e00cba0b282d2ab5e72b1807871f4c91582dd31176284be781b2cd894d179d7a667ff037b00d138af44
- Filesize: 3KB
  MD5: 536b8a8b431792b4c81e7c28df1d70db
  SHA1: deaf80952c98195955900deeb2b44e5f8b0fac41
  SHA256: 4992b5d0808325585ff5495588bc07ca388c96872159d8f956e33f160ac26bc2
  SHA512: bfbbb1fa69eff5e86349dfdb94494022c332714f5f70b0800b0e3319296b1d96199d6b30dee4adcbfa359485b8d66f4748eb916e83929aacdbfbf7c44d564c64
- Filesize: 40KB
  MD5: be0e01149d60ce153fad052a8256744b
  SHA1: 6096b378c783777ee270115abe59de56e24af1e6
  SHA256: c25f0ba0a980237d30ad3eb669a6c1f6b8cbd971b18a737e25057ab12bd13c00
  SHA512: ef5a8d18addcbe9e4db048ccc7bf521d7377f5cfc7cf7cf7ca2a2358b7559696fa6a005c7de20f8d9f28ab3eac6f21dd8214744f923948d897d81eafb2215c1c
- Filesize: 1KB
  MD5: 4a7ebe5988f2454e48dddf70045f66d9
  SHA1: 6655feb1d4cc08db9e08b8fccf0590ad3f0270c7
  SHA256: 5f570f10b95ef05e22799bf66b8cee9b2e10a5bce0e92d32209dab13925b2a5b
  SHA512: 056a330c06ed9b1d6641e9987106468579641535a4ed4e0f46fc84e5cd1b2a2b3469a6bc9586fb33fbe55f0d2f3135c3d7e2f0065e7925f1e7edf704139420f9