Overview
overview
7Static
static
3(03) PDF R....2.exe
windows7-x64
7(03) PDF R....2.exe
windows10-2004-x64
7PDFR_Print...00.exe
windows7-x64
1PDFR_Print...00.exe
windows10-2004-x64
1PDF_reDirect.exe
windows7-x64
1PDF_reDirect.exe
windows10-2004-x64
1Stamps/APPROVED.pdf
windows7-x64
1Stamps/APPROVED.pdf
windows10-2004-x64
1Stamps/COMPLETED.pdf
windows7-x64
1Stamps/COMPLETED.pdf
windows10-2004-x64
1Stamps/CON...AL.pdf
windows7-x64
1Stamps/CON...AL.pdf
windows10-2004-x64
1Stamps/DRAFT BLUE.pdf
windows7-x64
1Stamps/DRAFT BLUE.pdf
windows10-2004-x64
1Stamps/DRAFT_ULH.pdf
windows7-x64
1Stamps/DRAFT_ULH.pdf
windows10-2004-x64
1Stamps/E-Mail.pdf
windows7-x64
1Stamps/E-Mail.pdf
windows10-2004-x64
1Stamps/EXP...rd.pdf
windows7-x64
1Stamps/EXP...rd.pdf
windows10-2004-x64
1Stamps/FINAL.pdf
windows7-x64
1Stamps/FINAL.pdf
windows10-2004-x64
1Stamps/FOR...NT.pdf
windows7-x64
1Stamps/FOR...NT.pdf
windows10-2004-x64
1Stamps/FOR...SE.pdf
windows7-x64
1Stamps/FOR...SE.pdf
windows10-2004-x64
1Stamps/INF...LY.pdf
windows7-x64
1Stamps/INF...LY.pdf
windows10-2004-x64
1Stamps/NOT...ED.pdf
windows7-x64
1Stamps/NOT...ED.pdf
windows10-2004-x64
1Stamps/NOT...SE.pdf
windows7-x64
1Stamps/NOT...SE.pdf
windows10-2004-x64
1Analysis
-
max time kernel
162s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14/03/2024, 03:42
Static task
static1
Behavioral task
behavioral1
Sample
(03) PDF ReDirect v2.5.2.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral2
Sample
(03) PDF ReDirect v2.5.2.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
PDFR_Printer_Cmds_v25000.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral4
Sample
PDFR_Printer_Cmds_v25000.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
PDF_reDirect.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
PDF_reDirect.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Stamps/APPROVED.pdf
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral8
Sample
Stamps/APPROVED.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Stamps/COMPLETED.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
Stamps/COMPLETED.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
Stamps/CONFIDENTIAL.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
Stamps/CONFIDENTIAL.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
Stamps/DRAFT BLUE.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
Stamps/DRAFT BLUE.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
Stamps/DRAFT_ULH.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
Stamps/DRAFT_ULH.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Stamps/E-Mail.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
Stamps/E-Mail.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Stamps/EXP Business Card.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
Stamps/EXP Business Card.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Stamps/FINAL.pdf
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral22
Sample
Stamps/FINAL.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Stamps/FOR COMMENT.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
Stamps/FOR COMMENT.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Stamps/FOR PUBLIC RELEASE.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
Stamps/FOR PUBLIC RELEASE.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Stamps/INFORMATION_ONLY.pdf
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral28
Sample
Stamps/INFORMATION_ONLY.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Stamps/NOT APPROVED.pdf
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral30
Sample
Stamps/NOT APPROVED.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Stamps/NOT FOR PUBLIC RELEASE.pdf
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
Stamps/NOT FOR PUBLIC RELEASE.pdf
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
PDFR_Printer_Cmds_v25000.exe
-
Size
75KB
-
MD5
c0ce60a08b267f102b8cabb882f3ea0e
-
SHA1
fa819a99e432c9b6f8cdbf63dfbd5ab36f5ba3a0
-
SHA256
d9a174775710b606c25d160d1f859e9f7f9a67fecc3612627bf7cd1a3039434f
-
SHA512
23b0d8b64be9b938ff0e3b16b6256269dc66b3a8d1a4ba6c05a090fc8b8004b227fb3c3da23de66f354745aae301ff00d5d4980e09be180567f6baee695aa62d
-
SSDEEP
1536:bKfjvC6V9VN1fKXMiboLtQzAPwMw7xKhlmM:uLvCnNoLtQz6jw7xKeM
Malware Config
Signatures
-
Modifies registry class 44 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\ = "Printer_Cmds_AxExe" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\ProgID PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PDF_reDirect_v2500.Printer_Cmds_AxExe\Clsid\ = "{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}" PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFR_Printer_Cmds_v25000.exe" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E}\2.0\HELPDIR PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\ProxyStubClsid32 PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\ProxyStubClsid32 PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\ = "PDF_reDirect_v2500.Printer_Cmds_AxExe" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\Implemented Categories PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\Programmable PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E}\2.0\ = "PDF_reDirect_v2500" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E}\2.0\FLAGS PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E}\2.0\0 PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\TypeLib\ = "{2545E144-0260-4741-A33E-66C70C60870E}" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A} PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PDF_reDirect_v2500.Printer_Cmds_AxExe PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E} PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\TypeLib\Version = "2.0" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\LocalServer32 PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\TypeLib PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\ = "_Printer_Cmds_AxExe" PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\ProgID\ = "PDF_reDirect_v2500.Printer_Cmds_AxExe" PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\VERSION\ = "2.0" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PDF_reDirect_v2500.Printer_Cmds_AxExe\Clsid PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\ProxyStubClsid PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938} PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\TypeLib\ = "{2545E144-0260-4741-A33E-66C70C60870E}" PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\VERSION PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PDF_reDirect_v2500.Printer_Cmds_AxExe\ = "PDF_reDirect_v2500.Printer_Cmds_AxExe" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E}\2.0\0\win32 PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\ = "_Printer_Cmds_AxExe" PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\TypeLib\ = "{2545E144-0260-4741-A33E-66C70C60870E}" PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC64A2F9-F186-4E64-867D-9BD1E775EC2A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PDFR_Printer_Cmds_v25000.exe" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E}\2.0 PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2545E144-0260-4741-A33E-66C70C60870E}\2.0\FLAGS\ = "0" PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\TypeLib PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938} PDFR_Printer_Cmds_v25000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\TypeLib PDFR_Printer_Cmds_v25000.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34066144-EF0C-4354-8EA4-5AB1705DE938}\TypeLib\Version = "2.0" PDFR_Printer_Cmds_v25000.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2392 PDFR_Printer_Cmds_v25000.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PDFR_Printer_Cmds_v25000.exe"C:\Users\Admin\AppData\Local\Temp\PDFR_Printer_Cmds_v25000.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:81⤵PID:2340