ec5c3420cfb120442b655cefbeba07d4dd5da3a4c3528d0584a45bb342a1e882

Analysis

max time kernel
119s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/04/2024, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

69.8MB
MD5

dabe0e2b2f4e649d2fd3b6f6a70598ae
SHA1

d9063f4b80865ab39dff5bb6fa6563093ec755fe
SHA256

ec5c3420cfb120442b655cefbeba07d4dd5da3a4c3528d0584a45bb342a1e882
SHA512

3dbbae4d36b8001583e60880bec0ca53383bfa5758f79b82560c2af098866128ce74aaee7a1fc5bc62de60ccfe00d8434a97d36186f9ae53875cfb3e44933b55
SSDEEP

1572864:4EElPoG/DteDYfOD4qDGAvn7Bo7MyDT+dEHUQvshLBs51o076JkDCJ:4FPoG/BemORB1ydGE0Q0BO5q07s

Score

7^/10

link pdf pyinstaller

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3068	Windows.exe
2120	Windows.exe

Loads dropped DLL 10 IoCs

pid	Process
1772	tmp.exe
2164	Process not Found
3068	Windows.exe
2120	Windows.exe
2120	Windows.exe
2120	Windows.exe
2120	Windows.exe
2120	Windows.exe
2120	Windows.exe
2120	Windows.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x000c00000001224c-130.dat	pdf_with_link_action

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0028000000016b5e-10.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2420	AcroRd32.exe
2420	AcroRd32.exe
2420	AcroRd32.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3068	1772	tmp.exe	28
PID 1772 wrote to memory of 3068	1772	tmp.exe	28
PID 1772 wrote to memory of 3068	1772	tmp.exe	28
PID 1772 wrote to memory of 2420	1772	tmp.exe	31
PID 1772 wrote to memory of 2420	1772	tmp.exe	31
PID 1772 wrote to memory of 2420	1772	tmp.exe	31
PID 1772 wrote to memory of 2420	1772	tmp.exe	31
PID 3068 wrote to memory of 2120	3068	Windows.exe	32
PID 3068 wrote to memory of 2120	3068	Windows.exe	32
PID 3068 wrote to memory of 2120	3068	Windows.exe	32

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\Windows.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\Windows.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2120
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\HEATHROW OUTSOURCING COMPANIES LTD.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HEATHROW OUTSOURCING COMPANIES LTD.pdf

Filesize
55KB

MD5
87c136267ab6577cbc2af8352818edeb

SHA1
de6d15b6f100a3d45ea501583c9fc75fd613e697

SHA256
9c40c03405355394617e12ee6a65d8ea63c20e76e8ae0f2c5a8283cfb616531b

SHA512
ca6c3995db2551e4eb549d3832d1b193a0dd773bcbf0185664ef703d80241aa1738aa0a53fb0f2ade0bc24801c03ad29141b78e1cc96efed99600d92ceb4f2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.exe

Filesize
69.9MB

MD5
5791334672fdee023d825d65b3a761e6

SHA1
30e7c3f1c14c8accc472b4351a2de2ce97aeab34

SHA256
03940fb528161993d3c6234d8a9e35e0803ad8be2c36583b9a82643e14c6362b

SHA512
0503378b9156d147aa2c8f8d819d5d31ad79f6559e9eea5b91ae2f8282fe0d8072459320fa3d32d711e1c83b66091ba825baca3b301d3fc1c3a1aa7529f78bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\python312.dll

Filesize
6.7MB

MD5
48ebfefa21b480a9b0dbfc3364e1d066

SHA1
b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

SHA256
0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

SHA512
4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0de814b2b893ae5d92a26faf9f6fbae3

SHA1
1fae6d11389af2bdc74b3fec00c27e7da0ef7d43

SHA256
66b395738de92da68b07bace5ba3c97d3e1d0dcd434f9bd22759860e17159026

SHA512
cd1838016ee6112b4827346f90e9ce3bc1c9667ead9e4614dda13bfa2dade1fe29d21dbd2e2513ae4eccbd0488a9c14c4f7133ccb1f4af399537bb4dd31bb847

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
memory/1772-16-0x0000000002F70000-0x0000000002F80000-memory.dmp

Filesize
64KB

Download