1fceac75dcaf47add663cf2abab5d1728e8bb2f65c7f4c6d6e8d0f06af806060

General

Target

2343220820185117653724284721341YRWYRRRET56556U P1DF.exe
Size

1.6MB
MD5

c199e8c1d6d78839bbe8c246fe1189fa
SHA1

2751846150be33e07814bffbb93f17cd75976067
SHA256

c98348acfaf93dc66a8b44cd00303670222fcdf59ad3eb1d3ab5ad1d3b1ef92a
SHA512

67ee203a202e1db3068a22839cf7f8ff1c932fb706a9baae6ce252d10fbe0e600647703ccbfe25b08710b14c96203f2d52f57e2310926ca96b8ef31fbbd307e9
SSDEEP

24576:CoI3PGDYjSaOdiSFQY8ncjr5yKg7VwmhXtqh2wQK:+pjaiao4XghZhPwQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2324	CrModMngr.exe

Loads dropped DLL 1 IoCs

pid	Process
2360	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrModMngr = "C:\\Users\\Admin\\AppData\\Roaming\\CrModMngr.exe"	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2628	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2628	AcroRd32.exe
2628	AcroRd32.exe
2628	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2324	2360	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe	28
PID 2360 wrote to memory of 2324	2360	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe	28
PID 2360 wrote to memory of 2324	2360	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe	28
PID 2360 wrote to memory of 2324	2360	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe	28
PID 2360 wrote to memory of 2628	2360	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe	29
PID 2360 wrote to memory of 2628	2360	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe	29
PID 2360 wrote to memory of 2628	2360	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe	29
PID 2360 wrote to memory of 2628	2360	2343220820185117653724284721341YRWYRRRET56556U P1DF.exe	29

C:\Users\Admin\AppData\Local\Temp\2343220820185117653724284721341YRWYRRRET56556U P1DF.exe
"C:\Users\Admin\AppData\Local\Temp\2343220820185117653724284721341YRWYRRRET56556U P1DF.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Roaming\CrModMngr.exe
  "C:\Users\Admin\AppData\Roaming\CrModMngr.exe"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\doc13454.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c883f5cc4bbbe4a2224e7a044d841fe0

SHA1
1b595dddad40e7978516f7b346baaf106460f868

SHA256
7ca096dca61df90a002a9a59fa3c369362c8c58d45facd8f5a6f3df949863dd1

SHA512
46087bd9003fcd55282b856d287c263ead10bcf6bb3854c583b44fac0f54f3da557577879140fa12631bdbe72859f629afcb8c3b04ffaedd3f8681ffe04b1b0b

Download Submit
C:\Users\Admin\AppData\Roaming\CrModMngr.exe

Filesize
1.1MB

MD5
f7f6937a9072aa2976e7bb39b08c510a

SHA1
79016574086491fbd4b05139f8abbc8cc4b085c5

SHA256
de1649e56593a2afb34c45ac9c18bc4d528df8d2d6795454dbc95e6e0f689144

SHA512
89f192fa07e573200ed8a3c6c2990e2487fe33e119e3a137f2d241b754ecd338e3d59cf1cb8c7d37b7077a8bb36952209b56a90e77be6cc927687d2e157c963b

Download Submit
C:\Users\Admin\AppData\Roaming\doc13454.pdf

Filesize
45KB

MD5
78a4cb6670178725b4c5c226a2f7202d

SHA1
cc79240cdaf864f64caec599f72244c307957dfa

SHA256
94696530bb898d9e0990eb837e3e4809c57e170e5973d1d2889b7ef9283c2ffb

SHA512
6b2c35d7caffb6a2c20ce9fe863c07029498dd9c1cfbe4556266449490b669242008ec274e24de397b5488e4c51e7c369e70aecdf1df268cabcd0cc7c5ab7028

Download Submit
memory/2324-11-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-12-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-32-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-0-0x00000000748A1000-0x00000000748A2000-memory.dmp

Filesize
4KB

Download
memory/2360-1-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-2-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-13-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads