b24383ce4aab8beb5478d11371c9871e3bc310677bd4dd279c69f15a3af6f01e

General

Target

COPY180921348283848482293942938492929440293482828484-PlDF.exe
Size

1.6MB
MD5

f642324ae68a28add963391319efbf95
SHA1

eaab9e1b9a17dc8f8ea06df13422d851c44ec931
SHA256

f01dbb3e35f1231d4bf6fcdabfe7184950c78f9e8f61b9ba6163a16083e0e1da
SHA512

4037d00a181b651aaa5dd0e2a94e1994475d9e3f490807a4ffaa0c8d3083036db831abeba245bbaac02923cb790607747f5d38d8e3a33ca01e5af882f45ec321
SSDEEP

24576:vFLWY02cjr5yKg7VwmhXt6W6LfJWyvnD19CtSrBFmr7eH:R4XghZhH6z5DGtY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2932	ToolBoxMng.exe

Loads dropped DLL 1 IoCs

pid	Process
2928	COPY180921348283848482293942938492929440293482828484-PlDF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ToolBoxMng = "C:\\Users\\Admin\\AppData\\Roaming\\ToolBoxMng.exe"	COPY180921348283848482293942938492929440293482828484-PlDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1088	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1088	AcroRd32.exe
1088	AcroRd32.exe
1088	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2932	2928	COPY180921348283848482293942938492929440293482828484-PlDF.exe	28
PID 2928 wrote to memory of 2932	2928	COPY180921348283848482293942938492929440293482828484-PlDF.exe	28
PID 2928 wrote to memory of 2932	2928	COPY180921348283848482293942938492929440293482828484-PlDF.exe	28
PID 2928 wrote to memory of 2932	2928	COPY180921348283848482293942938492929440293482828484-PlDF.exe	28
PID 2928 wrote to memory of 1088	2928	COPY180921348283848482293942938492929440293482828484-PlDF.exe	29
PID 2928 wrote to memory of 1088	2928	COPY180921348283848482293942938492929440293482828484-PlDF.exe	29
PID 2928 wrote to memory of 1088	2928	COPY180921348283848482293942938492929440293482828484-PlDF.exe	29
PID 2928 wrote to memory of 1088	2928	COPY180921348283848482293942938492929440293482828484-PlDF.exe	29

C:\Users\Admin\AppData\Local\Temp\COPY180921348283848482293942938492929440293482828484-PlDF.exe
"C:\Users\Admin\AppData\Local\Temp\COPY180921348283848482293942938492929440293482828484-PlDF.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Roaming\ToolBoxMng.exe
  "C:\Users\Admin\AppData\Roaming\ToolBoxMng.exe"
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\doc5454.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Security\addressbook.acrodata

Filesize
5KB

MD5
4618312ec50b52c81043bb6ff393cfc3

SHA1
80537497d939529b34de993b14d96510068bf075

SHA256
e8e27396e2a043abd283eed4fd5b8fa256cc22e741defd522158fc9e29205839

SHA512
fc589a974f35ee83c297784c7d7cc62826854422ceec2d5ff46aa6575f5b2bade27d26c1dfc0686602c81e5c14f75f7abd23e6c19fd90a2dbe70e0f5c09251e9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a6a05812d2aa2251fb73c2a6ef6657f1

SHA1
3db3378344f37bdb5e1803a277e94b711617cb9b

SHA256
717d40b9512f9a15cf85bbd3f1fd355b830cc172c07772e0ed5b862099f5eeae

SHA512
c005d611c60d2173f69da5d99ff9a212e54f8e3b011fddb8d042f07fb94cca67aa91dbb59e6d163bdb3977efc6c397156479f9e7264857eababce1c61785a524

Download Submit
C:\Users\Admin\AppData\Roaming\doc5454.pdf

Filesize
46KB

MD5
9855f780e442620ea1f8eaab59949581

SHA1
56e57c94960f0dbdf7cc6dacdac2ad9d8f0f52fe

SHA256
23c611b5476cf9962f8ec3b15e89c677c2cec39580504ba94d9aa0425b476d2e

SHA512
62bfe970daece2ddd6c593ab79ec3cf8b79e492095bde3b0cf26fb33dfa5f7c0b1b2a12a0796dce64d1f1634e2efd11655f9bd4c60486d3cefc0afe3669d7508

Download Submit
\Users\Admin\AppData\Roaming\ToolBoxMng.exe

Filesize
1.1MB

MD5
d6f8c3bd564842a238479599492c5d5f

SHA1
37878ee82cda9137cd1b596d7addcf0c2eccbf2d

SHA256
4b5d6b33a194e5e476bfae34b84efc652dbcc95793ccfdf695a4b018d53f00aa

SHA512
c9d33d2ef5f57d81549e34907012db62df28586ef314004b936838ef0a8951b8d83758ebbd43d9f9b63399f8cd9c26f70d7bc128534617620fc563b334ee266c

Download Submit
memory/1088-16-0x0000000002E30000-0x0000000002EA6000-memory.dmp

Filesize
472KB

Download
memory/2928-12-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

Filesize
4KB

Download
memory/2928-2-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-1-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-14-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-13-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-11-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-67-0x00000000742D0000-0x000000007487B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads