1024b5fa915768f1b8d83eea9be01dcd664401b8c4732223733f2bc2689c78d5

Analysis

max time kernel
158s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDFCreator-1_7_1_setup [1].exe
Size

17.0MB
MD5

2b0cbab7d9dbb405421f2397967d021c
SHA1

9434866971dd357600c9f2b1e31b7893c3a070f0
SHA256

1024b5fa915768f1b8d83eea9be01dcd664401b8c4732223733f2bc2689c78d5
SHA512

423d7656799a96033f336cadcbb70ca52dacd22fe23fb41197105011809e89aaaec9a9f38fa007cf4091debc3c83e54347bd02f8d3ca4d18df39ee48a7823e88
SSDEEP

393216:6D7co9AY9qIV0vZas83lfwu9GI7tmbL7aGe1Vsn:6D7coWIPs83lfDGXraG2Vsn

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	PDFCreator-1_7_1_setup [1].tmp

Executes dropped EXE 3 IoCs

pid	Process
3124	PDFCreator-1_7_1_setup [1].tmp
3652	DownloadUpdateInfo.exe
4452	DownloadUpdateInfo.tmp

Loads dropped DLL 7 IoCs

pid	Process
3124	PDFCreator-1_7_1_setup [1].tmp
3124	PDFCreator-1_7_1_setup [1].tmp
4452	DownloadUpdateInfo.tmp
4452	DownloadUpdateInfo.tmp
3124	PDFCreator-1_7_1_setup [1].tmp
4060	RunDll32.exe
2060	RunDll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe
4060	RunDll32.exe
4060	RunDll32.exe
2060	RunDll32.exe
2060	RunDll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 648 wrote to memory of 3124	648	PDFCreator-1_7_1_setup [1].exe	91
PID 648 wrote to memory of 3124	648	PDFCreator-1_7_1_setup [1].exe	91
PID 648 wrote to memory of 3124	648	PDFCreator-1_7_1_setup [1].exe	91
PID 3124 wrote to memory of 3652	3124	PDFCreator-1_7_1_setup [1].tmp	92
PID 3124 wrote to memory of 3652	3124	PDFCreator-1_7_1_setup [1].tmp	92
PID 3124 wrote to memory of 3652	3124	PDFCreator-1_7_1_setup [1].tmp	92
PID 3652 wrote to memory of 4452	3652	DownloadUpdateInfo.exe	93
PID 3652 wrote to memory of 4452	3652	DownloadUpdateInfo.exe	93
PID 3652 wrote to memory of 4452	3652	DownloadUpdateInfo.exe	93
PID 3124 wrote to memory of 4060	3124	PDFCreator-1_7_1_setup [1].tmp	103
PID 3124 wrote to memory of 4060	3124	PDFCreator-1_7_1_setup [1].tmp	103
PID 3124 wrote to memory of 4060	3124	PDFCreator-1_7_1_setup [1].tmp	103
PID 3124 wrote to memory of 2060	3124	PDFCreator-1_7_1_setup [1].tmp	104
PID 3124 wrote to memory of 2060	3124	PDFCreator-1_7_1_setup [1].tmp	104
PID 3124 wrote to memory of 2060	3124	PDFCreator-1_7_1_setup [1].tmp	104

C:\Users\Admin\AppData\Local\Temp\PDFCreator-1_7_1_setup [1].exe
"C:\Users\Admin\AppData\Local\Temp\PDFCreator-1_7_1_setup [1].exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:648
- C:\Users\Admin\AppData\Local\Temp\is-HHN2K.tmp\PDFCreator-1_7_1_setup [1].tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HHN2K.tmp\PDFCreator-1_7_1_setup [1].tmp" /SL5="$5017E,17272099,56832,C:\Users\Admin\AppData\Local\Temp\PDFCreator-1_7_1_setup [1].exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\DownloadUpdateInfo.exe
    "C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\DownloadUpdateInfo.exe" /verysilent /URL=http://update.pdfforge.org/pdfcreator/update-info.txt /Filename="C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\update-info.txt" /TimeOut=7000
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Users\Admin\AppData\Local\Temp\is-RC6V1.tmp\DownloadUpdateInfo.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RC6V1.tmp\DownloadUpdateInfo.tmp" /SL5="$7017C,262148,56832,C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\DownloadUpdateInfo.exe" /verysilent /URL=http://update.pdfforge.org/pdfcreator/update-info.txt /Filename="C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\update-info.txt" /TimeOut=7000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4452
- - C:\Windows\SysWOW64\RunDll32.exe
    RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\OCSetupHlp.dll",_OCPRD68OpenCandy2@16 3124,13A173C1033D459ABA86BA9F618F5104,64BF9390D5F949BFA24106A53A90D7F9
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4060
- - C:\Windows\SysWOW64\RunDll32.exe
    RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\OCSetupHlp.dll",_OCPRD68OpenCandy2@16 3124,23D423C0C3404210AA239BFA891EFD82,485DF1FC6B004FBFA954BD9BB9C7B3AF
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HHN2K.tmp\PDFCreator-1_7_1_setup [1].tmp

Filesize
690KB

MD5
a2c4d52c66b4b399facadb8cc8386745

SHA1
c326304c56a52a3e5bfbdce2fef54604a0c653e0

SHA256
6c0465ce64c07e729c399a338705941d77727c7d089430957df3e91a416e9d2a

SHA512
2a66256ff8535e2b300aa0ca27b76e85d42422b0aaf5e7e6d055f7abb9e338929c979e185c6be8918d920fb134b7f28a76b714579cacb8ace09000c046dd34d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JU3L8.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\DownloadUpdateInfo.exe

Filesize
501KB

MD5
b63e279da8d345f8d4cfd6ec83cacc90

SHA1
342527cdef8bb1ba44baa3c26ae10d5cb573b3fb

SHA256
00afc88cf2db1260aed13fa928630bea4ac82788e1ae6abd26168349940b77ed

SHA512
320819aedd2b71b4bfb40b9d3d49381de2a99413b89db0ee6429f2c31dd1d7fa0d2a639380bd4faa20556b9818299933429ccd7d2d118ea7f8c2658bd4072115

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\OCSetupHlp.dll

Filesize
788KB

MD5
ba9e5cf333329a7384ab31452c8f0b2a

SHA1
6dc0348d61f92f224e23f31dcbc4d78003e6f205

SHA256
549ede6c031a255d595b66b5b784a6fccfbe128933a165a2e9a292f5f4fd7068

SHA512
dd2a02b397c0ac92f09f83771ed6b9db482bbcc197e17f5c9c6e6b621364a5032643cbeb53fe7541b38dbfb492407375c94001dff28423272a9e32c2016ae306

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\PDFArchitectAd1_english.bmp

Filesize
123KB

MD5
ebd5aedf84bada7df017f3d112d16aec

SHA1
f42f705ae59d1d6eeecc0ce7875151c410746e5c

SHA256
bd1c1e0f09961b063143cc13c1e1fda72b9474d2bf9e5b1e94ea09d6a228b118

SHA512
d53f068db77eabda54dc0034e52aef727ccfad2ecd5e6f56725bb31a3bce0d9627150eff4798d6f7f3c82f5213a8be9550b988e95a36f684522ff89d8521a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VUBML.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/648-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/648-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/648-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2060-69-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/3124-56-0x0000000004870000-0x00000000048AC000-memory.dmp

Filesize
240KB

Download
memory/3124-100-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3124-122-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3124-27-0x0000000004870000-0x00000000048AC000-memory.dmp

Filesize
240KB

Download
memory/3124-123-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/3124-121-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/3124-120-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/3124-51-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3124-53-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3124-55-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3124-26-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3124-119-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3124-118-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3124-17-0x0000000004870000-0x00000000048AC000-memory.dmp

Filesize
240KB

Download
memory/3124-73-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3124-117-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3124-103-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3124-7-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3124-112-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/3124-111-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/3124-113-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3124-114-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3124-108-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/3124-115-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3124-116-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3652-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3652-24-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3652-49-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4060-67-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/4452-48-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4452-42-0x0000000003130000-0x000000000316C000-memory.dmp

Filesize
240KB

Download
memory/4452-33-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download