Overview
overview
8Static
static
8sample.tar
windows7-x64
3sample.tar
windows10-2004-x64
7001e271055...89.pdf
windows7-x64
3001e271055...89.pdf
windows10-2004-x64
4004e74d54d...a0.pdf
windows7-x64
3004e74d54d...a0.pdf
windows10-2004-x64
10106fb569e...f19.js
windows7-x64
10106fb569e...f19.js
windows10-2004-x64
102bfe34bea...33.pdf
windows7-x64
302bfe34bea...33.pdf
windows10-2004-x64
4030423da29...aeb.js
windows7-x64
1030423da29...aeb.js
windows10-2004-x64
103042cc378...3e.pdf
windows7-x64
303042cc378...3e.pdf
windows10-2004-x64
104095314d5...c1.pdf
windows7-x64
104095314d5...c1.pdf
windows10-2004-x64
1049675afd5...89.pdf
windows7-x64
1049675afd5...89.pdf
windows10-2004-x64
10733c4e212...40.pdf
windows7-x64
10733c4e212...40.pdf
windows10-2004-x64
408da26158b...ff.pdf
windows7-x64
108da26158b...ff.pdf
windows10-2004-x64
10d711f2049...e5.pdf
windows7-x64
70d711f2049...e5.pdf
windows10-2004-x64
10e0c3a177b...077.js
windows7-x64
10e0c3a177b...077.js
windows10-2004-x64
10f24780097...37.pdf
windows7-x64
10f24780097...37.pdf
windows10-2004-x64
10f5d42aa99...7b.pdf
windows7-x64
30f5d42aa99...7b.pdf
windows10-2004-x64
10fc9c4e1e2...9e.pdf
windows7-x64
10fc9c4e1e2...9e.pdf
windows10-2004-x64
1Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
06-02-2024 02:23
Behavioral task
behavioral1
Sample
sample.tar
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
sample.tar
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
001e2710555613a82e94156d3ed9c289.pdf
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
001e2710555613a82e94156d3ed9c289.pdf
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
004e74d54dcf79c641d5cf8a615488a0.pdf
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
004e74d54dcf79c641d5cf8a615488a0.pdf
Resource
win10v2004-20231222-en
Behavioral task
behavioral7
Sample
0106fb569e87e02fc88d496064abdf19.js
Resource
win7-20231215-en
Behavioral task
behavioral8
Sample
0106fb569e87e02fc88d496064abdf19.js
Resource
win10v2004-20231222-en
Behavioral task
behavioral9
Sample
02bfe34bea55e327cfdead9cff215f33.pdf
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
02bfe34bea55e327cfdead9cff215f33.pdf
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
030423da29e1e6f4a527518126de4aeb.js
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
030423da29e1e6f4a527518126de4aeb.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
03042cc3786dafdb941019488d4cad3e.pdf
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
03042cc3786dafdb941019488d4cad3e.pdf
Resource
win10v2004-20231222-en
Behavioral task
behavioral15
Sample
04095314d51057a13e21908de1266fc1.pdf
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
04095314d51057a13e21908de1266fc1.pdf
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
049675afd5c9505b9715872d499b9389.pdf
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
049675afd5c9505b9715872d499b9389.pdf
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
0733c4e2122cdfcfdd4699a3cbdc8b40.pdf
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
0733c4e2122cdfcfdd4699a3cbdc8b40.pdf
Resource
win10v2004-20231222-en
Behavioral task
behavioral21
Sample
08da26158b76ca38e0ddb740aaf9b4ff.pdf
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
08da26158b76ca38e0ddb740aaf9b4ff.pdf
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
0d711f2049a6004cffe447dab78cd7e5.pdf
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
0d711f2049a6004cffe447dab78cd7e5.pdf
Resource
win10v2004-20231222-en
Behavioral task
behavioral25
Sample
0e0c3a177b898c523e8303940ae99077.js
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
0e0c3a177b898c523e8303940ae99077.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
0f24780097467c4c54f8f306346dff37.pdf
Resource
win7-20231129-en
Behavioral task
behavioral28
Sample
0f24780097467c4c54f8f306346dff37.pdf
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
0f5d42aa99b17eabddc19a46013b517b.pdf
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
0f5d42aa99b17eabddc19a46013b517b.pdf
Resource
win10v2004-20231222-en
Behavioral task
behavioral31
Sample
0fc9c4e1e2148912188dd913ff95149e.pdf
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
0fc9c4e1e2148912188dd913ff95149e.pdf
Resource
win10v2004-20231215-en
General
-
Target
0d711f2049a6004cffe447dab78cd7e5.pdf
-
Size
925KB
-
MD5
0d711f2049a6004cffe447dab78cd7e5
-
SHA1
c28fd9c35d97293b7e9b0eaf2032e83e23ca78a4
-
SHA256
2ac705860b71aed9b7528a62ed1042723f6f7b4c16fb0edf4cddcf09a709c9f7
-
SHA512
1bfbde72eceb1055cd2a077e74972d1490bf6cf79f2687494bd1ad12934ff6385b1cb729e43f8ab82bbf44082c972f0abb0eda78fec4611633376b87b0378593
-
SSDEEP
24576:qSbzGTjB0IxmSIKoOCeerokFN7hp96rPyT:qj1QONQok7h1
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
SVCHOST.EXEAdobeARM.exepid process 2784 SVCHOST.EXE 2860 AdobeARM.exe -
Loads dropped DLL 4 IoCs
Processes:
cmd.execmd.exepid process 2664 cmd.exe 2664 cmd.exe 2852 cmd.exe 2852 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
AdobeARM.exepid process 2860 AdobeARM.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2672 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
AcroRd32.exeAcroRd32.exepid process 1752 AcroRd32.exe 1752 AcroRd32.exe 1752 AcroRd32.exe 2672 AcroRd32.exe 2672 AcroRd32.exe 2672 AcroRd32.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
AcroRd32.execmd.exeSVCHOST.EXEcmd.exeAdobeARM.exedescription pid process target process PID 1752 wrote to memory of 2664 1752 AcroRd32.exe cmd.exe PID 1752 wrote to memory of 2664 1752 AcroRd32.exe cmd.exe PID 1752 wrote to memory of 2664 1752 AcroRd32.exe cmd.exe PID 1752 wrote to memory of 2664 1752 AcroRd32.exe cmd.exe PID 1752 wrote to memory of 2852 1752 AcroRd32.exe cmd.exe PID 1752 wrote to memory of 2852 1752 AcroRd32.exe cmd.exe PID 1752 wrote to memory of 2852 1752 AcroRd32.exe cmd.exe PID 1752 wrote to memory of 2852 1752 AcroRd32.exe cmd.exe PID 2664 wrote to memory of 2784 2664 cmd.exe SVCHOST.EXE PID 2664 wrote to memory of 2784 2664 cmd.exe SVCHOST.EXE PID 2664 wrote to memory of 2784 2664 cmd.exe SVCHOST.EXE PID 2664 wrote to memory of 2784 2664 cmd.exe SVCHOST.EXE PID 2784 wrote to memory of 2676 2784 SVCHOST.EXE explorer.exe PID 2784 wrote to memory of 2676 2784 SVCHOST.EXE explorer.exe PID 2784 wrote to memory of 2676 2784 SVCHOST.EXE explorer.exe PID 2784 wrote to memory of 2676 2784 SVCHOST.EXE explorer.exe PID 2852 wrote to memory of 2860 2852 cmd.exe AdobeARM.exe PID 2852 wrote to memory of 2860 2852 cmd.exe AdobeARM.exe PID 2852 wrote to memory of 2860 2852 cmd.exe AdobeARM.exe PID 2852 wrote to memory of 2860 2852 cmd.exe AdobeARM.exe PID 2784 wrote to memory of 2600 2784 SVCHOST.EXE cmd.exe PID 2784 wrote to memory of 2600 2784 SVCHOST.EXE cmd.exe PID 2784 wrote to memory of 2600 2784 SVCHOST.EXE cmd.exe PID 2784 wrote to memory of 2600 2784 SVCHOST.EXE cmd.exe PID 2860 wrote to memory of 2672 2860 AdobeARM.exe AcroRd32.exe PID 2860 wrote to memory of 2672 2860 AdobeARM.exe AcroRd32.exe PID 2860 wrote to memory of 2672 2860 AdobeARM.exe AcroRd32.exe PID 2860 wrote to memory of 2672 2860 AdobeARM.exe AcroRd32.exe PID 2860 wrote to memory of 2560 2860 AdobeARM.exe cmd.exe PID 2860 wrote to memory of 2560 2860 AdobeARM.exe cmd.exe PID 2860 wrote to memory of 2560 2860 AdobeARM.exe cmd.exe PID 2860 wrote to memory of 2560 2860 AdobeARM.exe cmd.exe
Processes
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0d711f2049a6004cffe447dab78cd7e5.pdf"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ""%temp%\svchost.exe""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\explorer.exeexplorer4⤵PID:2676
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del /F C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE4⤵PID:2600
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ""%temp%\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe"C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf"4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe4⤵PID:2560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD500582f6aa1a0504c44b2901200eeb6a1
SHA1e8349eae0935bb8acb4de9fe5555b29a2e7fc60e
SHA256f6524bb1ab9e115c8fdf3fe799cc96e4590056585e53a9a0d6dd6761b6130e17
SHA51243a75911559d54468af171b8efda0a6febb543b40338962e66557a85ff39b7c7b81cc48579bfb6380f09860e4618be9d30b50d38159bfac221c2f1c501ebaa92
-
Filesize
358B
MD575a3f7b9446ac3c6c09c1620b40fe0fa
SHA190000854aaefa91d5da41e891dda8784c6c426ae
SHA2566f87f2822ca85568cdf51bfe6e97fe88eb1886800bc1e0e535f7b94d7422e5fc
SHA51278940200ef884c325d9dc42453e2e916616d26017042f51de0d90a2c4e66f228e558549e82724b65383cd6517cfc2d2dcc26df1d351ab48901b14f9674e2653c
-
Filesize
28KB
MD5de619081e22b3ed7372f3148e18cac66
SHA113a5744c2e5da6f9bddefd965d3476ec43aa9df1
SHA256b704057cff16ac3e7045383680551966a921e1f26f9fd86308a2e5c5aca89850
SHA5120febf14fe2ce63266758ff7279cb8959ea4cc59df6fc3e59e2bcc3e465395a8e7a83de093563f141db498873aa3ddded3e3831a7344a69f128fd368e54937e66
-
Filesize
3KB
MD5536b8a8b431792b4c81e7c28df1d70db
SHA1deaf80952c98195955900deeb2b44e5f8b0fac41
SHA2564992b5d0808325585ff5495588bc07ca388c96872159d8f956e33f160ac26bc2
SHA512bfbbb1fa69eff5e86349dfdb94494022c332714f5f70b0800b0e3319296b1d96199d6b30dee4adcbfa359485b8d66f4748eb916e83929aacdbfbf7c44d564c64