Analysis
max time kernel: 69s
max time network: 69s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 12:53
Static task: static1
Behavioral task: behavioral1
Sample: Corel Preview 2024/Instruction.docx
Resource: win10v2004-20240508-en
General
Target: Corel Preview 2024/Offer.pdf.exe
Size: 71.1MB
MD5: 8564c524e183138b878135bfd324a23e
SHA1: 65fa02423a7af2c25235d89d9cca4c1a2c6d0264
SHA256: 0e336a760e9b1f32b38c52d0426f48648dec5b5a04f0766482a02a3f152c72fe
SHA512: acc51199f6fb23e3dd728e679bcd1178f66547405bc32b6a2240660fdc272a6ea61650e5419d99b69e08a12442e51d1abd4ffbc5e4cb6a91b3d098850e77443f
SSDEEP: 98304:rEF26EMHK1hM4a3jReUhRny9EFhsViTu1D4KY7EpMWPCTbl5:hQRBXTTut4/oDPqb
Malware Config
Extracted: lumma
Signatures
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2512 (Offer.pdf.exe) set thread context of PID 1404 (BitLockerToGo.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
Modifies registry class (1 IoC)
Processes:
  Key created: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (taskmgr.exe)
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes:
  PID 4680 taskmgr.exe (48 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 4500 7zFM.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 2512 Offer.pdf.exe
  Token: SeDebugPrivilege, PID 4680 taskmgr.exe
  Token: SeSystemProfilePrivilege, PID 4680 taskmgr.exe
  Token: SeCreateGlobalPrivilege, PID 4680 taskmgr.exe
  Token: SeBackupPrivilege, PID 4488 svchost.exe
  Token: SeRestorePrivilege, PID 4488 svchost.exe
  Token: SeSecurityPrivilege, PID 4488 svchost.exe
  Token: SeTakeOwnershipPrivilege, PID 4488 svchost.exe
  Token: 35, PID 4488 svchost.exe
  Token: SeRestorePrivilege, PID 4500 7zFM.exe
  Token: 35, PID 4500 7zFM.exe
  Token: 33, PID 4680 taskmgr.exe
  Token: SeIncBasePriorityPrivilege, PID 4680 taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  PID 4680 taskmgr.exe (all but one of the 64 events)
  PID 4500 7zFM.exe (1 event)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  PID 4680 taskmgr.exe (64 events)
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  PID 2512 (Offer.pdf.exe) wrote to memory of PID 1404 (BitLockerToGo.exe) (5 events)
Processes
Offer.pdf.exe (PID 2512)
  Path: C:\Users\Admin\AppData\Local\Temp\Corel Preview 2024\Offer.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Corel Preview 2024\Offer.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: BitLockerToGo.exe (PID 1404)
    Path: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
taskmgr.exe (PID 4680)
  Path: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
rundll32.exe (PID 924)
  Path: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
svchost.exe (PID 4488)
  Path: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k SDRSVC
  - Suspicious use of AdjustPrivilegeToken
7zFM.exe (PID 4500)
  Path: C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Windows\System32\t4pfwd.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow