Static task
static1
Behavioral task
behavioral1
Sample
CERTIFICATE OF REGISTRY_pdf.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
CERTIFICATE OF REGISTRY_pdf.exe
Resource
win10v2004-20240220-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231215-en
General
-
Target
CERTIFICATE OF REGISTRY_pdf.exe
-
Size
460KB
-
MD5
efd2341c58bed006e53bbcf970c92b93
-
SHA1
034361cf57a6077bc3785ce04ad74c4cf47ffb8d
-
SHA256
9357549c331375bcbeeacd3a7d53568b022aef27b40a6cd1b6541d6b5fd2396c
-
SHA512
c99725a7d56fec8540eaf556a5c7c40b6eb03018d2e87b1c290c345c0acdd0b818f7c1b12cac29db0093038ee3bfb09182614167fd7d17d91383df0748230175
-
SSDEEP
12288:vnC8k9GeTr65r39rqJCBKYwNkTZuuG5KI:vCzc+62+TZzGEI
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack001/$PLUGINSDIR/System.dll
Files
-
CERTIFICATE OF REGISTRY_pdf.exe.exe windows:4 windows x86 arch:x86
1f23f452093b5c1ff091a2f9fb4fa3e9
Code Sign
3c:12:4d:87:56:2e:dd:25:32:23:f9:38:25:9c:0f:0a:65:17:11:20Certificate
IssuerCN=Phenolics,OU=Cruentous Knaldhytter Bogsamlers\ ,O=Phenolics,L=Purslow,ST=England,C=GB,1.2.840.113549.1.9.1=#0c1d56616e64666f7273796e696e67657273404d657468796c6174652e4b65Not Before17/06/2023, 00:27Not After16/06/2026, 00:27SubjectCN=Phenolics,OU=Cruentous Knaldhytter Bogsamlers\ ,O=Phenolics,L=Purslow,ST=England,C=GB,1.2.840.113549.1.9.1=#0c1d56616e64666f7273796e696e67657273404d657468796c6174652e4b657b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12Certificate
IssuerCN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=USNot Before12/01/2016, 00:00Not After11/01/2031, 23:59SubjectCN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageCertSign
KeyUsageCRLSign
7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12Certificate
IssuerCN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=USNot Before23/12/2017, 00:00Not After22/03/2029, 23:59SubjectCN=Symantec SHA256 TimeStamping Signer - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
e7:dc:87:cd:ea:0f:7b:fb:21:54:25:17:22:49:07:51:be:42:2d:43:77:1c:71:72:e6:f4:1b:a7:7a:70:97:d2Signer
Actual PE Digeste7:dc:87:cd:ea:0f:7b:fb:21:54:25:17:22:49:07:51:be:42:2d:43:77:1c:71:72:e6:f4:1b:a7:7a:70:97:d2Digest Algorithmsha256PE Digest MatchestrueHeaders
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
ExitProcess
SetFileAttributesW
Sleep
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
SetCurrentDirectoryW
GetFileAttributesW
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
CopyFileW
GetShortPathNameW
GlobalLock
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
GetTempFileNameW
WriteFile
lstrcpyA
MoveFileExW
lstrcatW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
lstrcmpiW
MoveFileW
GetFullPathNameW
SetFileTime
SearchPathW
CompareFileTime
lstrcmpW
CloseHandle
ExpandEnvironmentStringsW
GlobalFree
GlobalUnlock
GetDiskFreeSpaceW
GlobalAlloc
FindFirstFileW
FindNextFileW
DeleteFileW
SetFilePointer
ReadFile
FindClose
lstrlenA
MulDiv
MultiByteToWideChar
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
user32
GetSystemMenu
SetClassLongW
EnableMenuItem
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
ScreenToClient
GetWindowRect
GetDlgItem
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndDialog
RegisterClassW
SystemParametersInfoW
CreateWindowExW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
GetDC
SetTimer
SetWindowTextW
LoadImageW
SetForegroundWindow
ShowWindow
IsWindow
SetWindowLongW
FindWindowExW
TrackPopupMenu
AppendMenuW
CreatePopupMenu
EndPaint
CreateDialogParamW
SendMessageTimeoutW
wsprintfW
PostQuitMessage
gdi32
SelectObject
SetBkMode
CreateFontIndirectW
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor
shell32
SHGetSpecialFolderLocation
ShellExecuteExW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetFileInfoW
SHFileOperationW
advapi32
AdjustTokenPrivileges
RegCreateKeyExW
RegOpenKeyExW
SetFileSecurityW
OpenProcessToken
LookupPrivilegeValueW
RegEnumValueW
RegDeleteKeyW
RegDeleteValueW
RegCloseKey
RegSetValueExW
RegQueryValueExW
RegEnumKeyW
comctl32
ImageList_Create
ImageList_AddMasked
ImageList_Destroy
ord17
ole32
OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance
Sections
.text Size: 25KB - Virtual size: 25KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 128KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.ndata Size: - Virtual size: 108KB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 176KB - Virtual size: 175KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
$PLUGINSDIR/System.dll.dll windows:4 windows x86 arch:x86
fc0224e99e736751432961db63a41b76
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
kernel32
GetModuleHandleW
GlobalFree
GlobalSize
lstrcpynW
lstrcpyW
GetProcAddress
WideCharToMultiByte
VirtualFree
FreeLibrary
lstrlenW
LoadLibraryW
GlobalAlloc
MultiByteToWideChar
VirtualAlloc
VirtualProtect
GetLastError
user32
wsprintfW
ole32
StringFromGUID2
CLSIDFromString
Exports
Exports
Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc
Sections
.text Size: 8KB - Virtual size: 8KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1024B - Virtual size: 867B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 120B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 1024B - Virtual size: 648B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Louis/Celleslimen/Revete/Finitesimal/Anamneserne36.Pha
-
Louis/Celleslimen/Revete/Finitesimal/Antiempirically.inj
-
Louis/Celleslimen/Revete/Finitesimal/Bldes.Mug
-
Louis/Celleslimen/Revete/Finitesimal/enshielded.txt