Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-02-2024 02:23

General

  • Target

    0d711f2049a6004cffe447dab78cd7e5.pdf

  • Size

    925KB

  • MD5

    0d711f2049a6004cffe447dab78cd7e5

  • SHA1

    c28fd9c35d97293b7e9b0eaf2032e83e23ca78a4

  • SHA256

    2ac705860b71aed9b7528a62ed1042723f6f7b4c16fb0edf4cddcf09a709c9f7

  • SHA512

    1bfbde72eceb1055cd2a077e74972d1490bf6cf79f2687494bd1ad12934ff6385b1cb729e43f8ab82bbf44082c972f0abb0eda78fec4611633376b87b0378593

  • SSDEEP

    24576:qSbzGTjB0IxmSIKoOCeerokFN7hp96rPyT:qj1QONQok7h1

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0d711f2049a6004cffe447dab78cd7e5.pdf"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ""%temp%\svchost.exe""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\SysWOW64\explorer.exe
          explorer
          4⤵
            PID:2676
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del /F C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
            4⤵
              PID:2600
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c ""%temp%\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf""
          2⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe
            "C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
              "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf"
              4⤵
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              PID:2672
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe
              4⤵
                PID:2560

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf

          Filesize

          61KB

          MD5

          00582f6aa1a0504c44b2901200eeb6a1

          SHA1

          e8349eae0935bb8acb4de9fe5555b29a2e7fc60e

          SHA256

          f6524bb1ab9e115c8fdf3fe799cc96e4590056585e53a9a0d6dd6761b6130e17

          SHA512

          43a75911559d54468af171b8efda0a6febb543b40338962e66557a85ff39b7c7b81cc48579bfb6380f09860e4618be9d30b50d38159bfac221c2f1c501ebaa92

        • C:\Users\Admin\AppData\Local\Temp\A9R5AFD.tmp

          Filesize

          358B

          MD5

          75a3f7b9446ac3c6c09c1620b40fe0fa

          SHA1

          90000854aaefa91d5da41e891dda8784c6c426ae

          SHA256

          6f87f2822ca85568cdf51bfe6e97fe88eb1886800bc1e0e535f7b94d7422e5fc

          SHA512

          78940200ef884c325d9dc42453e2e916616d26017042f51de0d90a2c4e66f228e558549e82724b65383cd6517cfc2d2dcc26df1d351ab48901b14f9674e2653c

        • C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

          Filesize

          28KB

          MD5

          de619081e22b3ed7372f3148e18cac66

          SHA1

          13a5744c2e5da6f9bddefd965d3476ec43aa9df1

          SHA256

          b704057cff16ac3e7045383680551966a921e1f26f9fd86308a2e5c5aca89850

          SHA512

          0febf14fe2ce63266758ff7279cb8959ea4cc59df6fc3e59e2bcc3e465395a8e7a83de093563f141db498873aa3ddded3e3831a7344a69f128fd368e54937e66

        • \Users\Admin\AppData\Local\Temp\AdobeARM.exe

          Filesize

          3KB

          MD5

          536b8a8b431792b4c81e7c28df1d70db

          SHA1

          deaf80952c98195955900deeb2b44e5f8b0fac41

          SHA256

          4992b5d0808325585ff5495588bc07ca388c96872159d8f956e33f160ac26bc2

          SHA512

          bfbbb1fa69eff5e86349dfdb94494022c332714f5f70b0800b0e3319296b1d96199d6b30dee4adcbfa359485b8d66f4748eb916e83929aacdbfbf7c44d564c64

        • memory/1752-0-0x0000000002E20000-0x0000000002E96000-memory.dmp

          Filesize

          472KB

        • memory/2784-15-0x0000000000400000-0x000000000040E000-memory.dmp

          Filesize

          56KB