Resubmissions

07/03/2024, 18:42

240307-xcfamsbf7z 8

07/03/2024, 16:34

240307-t23wfsff58 8

Analysis

  • max time kernel
    404s
  • max time network
    411s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/03/2024, 18:42

General

  • Target

    08032024_0034_Open_Document.PDF.js

  • Size

    42KB

  • MD5

    c547de465c47116ac5b98e8c0d76ecf4

  • SHA1

    416b551c075d9299b7d1ecd1462f4376bbbead1f

  • SHA256

    c66e705f800b30f591505be1c429c2e01b7851eb60bda14767d9d871151822e5

  • SHA512

    305185c5ccb6e39016d9d6e1270e7639956a9f973dc2b74cb7c01569715f19ae918c965d48ad150938e3b60c58f038d01f9bc3116a8c95d9317cae4a9e148d7d

  • SSDEEP

    768:m6F9Zr0PxSR0He2Ut6+HgyrO/ubZQIoy7WHIcvp+EZvQAhXLNqYfDI:m6bd0ZSR0H6t6+AyOWbbTSH5vp+EZv7M

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\08032024_0034_Open_Document.PDF.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5548
    • C:\windows\system32\control.exe
      "C:\windows\system32\control.exe" C:\Users\Admin\AppData\Local\Temp\50.cpl
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL C:\Users\Admin\AppData\Local\Temp\50.cpl
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 C:\Users\Admin\AppData\Local\Temp\50.cpl
          4⤵
          • Loads dropped DLL
          PID:5476
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4276

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\50.cpl

    Filesize

    401KB

    MD5

    a6a50b9ebbd177626ff34ef605390f36

    SHA1

    f6b11f0aedde6230c1af7f473c1176752b60fcbb

    SHA256

    1ca1315f03f4d1bca5867ad1c7a661033c49bbb16c4b84bea72caa9bc36bd98b

    SHA512

    471b9acf97d8914c1fe5bd0516fff27619baf3121f54ac8bc65b24c30b0a038831ca9c3ddb7a0a6ccadb7a6d9382f5ea7d582fbbb5a1d17bcc201f66cf33add5