Analysis

  • max time kernel
    117s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-07-2024 09:57

General

  • Target

    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe

  • Size

    12.2MB

  • MD5

    2da4a662413b692bab75791b9928131f

  • SHA1

    ff73b791fcb6dd47a453ce6c55e6559764740ac5

  • SHA256

    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262

  • SHA512

    a16ec27e37ab62b308a1866dead2c43eae569714b88bff1b4dbe91424188bc10fc0c54416ed67380119fc38042529e640cd658ce2e6a8805261d54c23414b2f9

  • SSDEEP

    196608:jPg2CWhGuZvjwQklner7/0S+6JfRbkebsN/cJ67DgKEl9sMvrrqNH2R71:jYgGG7wFln+3fRb0V7El9s+rqNe1

Score
1/10

Malware Config

Signatures

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    "C:\Users\Admin\AppData\Local\Temp\4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe"
    1⤵
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2940

Network

  • flag-us
    DNS
    wsgeoip.pdf-suite.com
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    8.8.8.8:53
    Request
    wsgeoip.pdf-suite.com
    IN A
    Response
    wsgeoip.pdf-suite.com
    IN A
    172.67.158.191
    wsgeoip.pdf-suite.com
    IN A
    104.21.57.28
  • flag-us
    POST
    https://wsgeoip.pdf-suite.com/ipservice.asmx
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    172.67.158.191:443
    Request
    POST /ipservice.asmx HTTP/1.1
    Accept: text/*
    SOAPAction: "http://upclick.com/GetLocationInfo"
    Content-Type: text/xml; charset=utf-8
    User-Agent: VCSoapClient
    Host: wsgeoip.pdf-suite.com
    Content-Length: 346
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 05 Jul 2024 09:57:12 GMT
    Content-Type: text/xml; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    strict-transport-security: max-age=31536000; includeSubDomains
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AtwrD%2Fb1pLDjx%2B8qKkawenZoVKsp%2F0CstARdhiJcUmzQRdsYraQZ6OcqxyaJ3ewWBnMEYsHYL6iUXsIrs1zE2gHmO%2BRRqM2Ie%2FVN40tpcGrrs1E6jSDNYSswjgb5RULlK2kWUhqHd3Y%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89e67d4d8c4b23bf-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    apps.identrust.com
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    identrust.edgesuite.net
    identrust.edgesuite.net
    IN CNAME
    a1952.dscq.akamai.net
    a1952.dscq.akamai.net
    IN A
    95.101.128.209
    a1952.dscq.akamai.net
    IN A
    95.101.129.43
  • flag-gb
    GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    95.101.128.209:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex
    Referrer-Policy: same-origin
    Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
    ETag: "37d-6079b8c0929c0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Fri, 05 Jul 2024 10:57:11 GMT
    Date: Fri, 05 Jul 2024 09:57:11 GMT
    Connection: keep-alive
  • flag-us
    DNS
    x2.c.lencr.org
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    184.26.45.61
  • flag-gb
    GET
    http://x2.c.lencr.org/
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    184.26.45.61:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: x2.c.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pkix-crl
    Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
    ETag: "65ca969f-12b"
    Cache-Control: max-age=3600
    Expires: Fri, 05 Jul 2024 10:57:11 GMT
    Date: Fri, 05 Jul 2024 09:57:11 GMT
    Content-Length: 299
    Connection: keep-alive
  • flag-us
    DNS
    avqservice.avanquest.com
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    8.8.8.8:53
    Request
    avqservice.avanquest.com
    IN A
    Response
    avqservice.avanquest.com
    IN A
    104.18.7.41
    avqservice.avanquest.com
    IN A
    104.18.6.41
  • flag-us
    POST
    https://avqservice.avanquest.com/api/v4/services/installers/socialidupdate/pdfsuite/
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    104.18.7.41:443
    Request
    POST /api/v4/services/installers/socialidupdate/pdfsuite/ HTTP/1.1
    Host: avqservice.avanquest.com
    User-Agent: PDF Suite 20 Installer 20.0.14.3253
    Connection: TE
    TE: gzip
    Accept-Encoding: deflate, gzip
    Accept: application/json
    Content-Type: application/json
    Content-Length: 90
    Expect: 100-continue
    Response
    HTTP/1.1 404 Not Found
    Date: Fri, 05 Jul 2024 09:57:15 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 46
    Connection: keep-alive
    X-Powered-By: Express
    ETag: W/"2e-gVu0x2xvIVh2IxUUTcQtPtuJd9k"
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 89e67d61b8c6bef5-LHR
  • flag-us
    DNS
    api-updateservice.pdf-suite.com
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    8.8.8.8:53
    Request
    api-updateservice.pdf-suite.com
    IN A
    Response
    api-updateservice.pdf-suite.com
    IN A
    104.21.57.28
    api-updateservice.pdf-suite.com
    IN A
    172.67.158.191
  • flag-us
    POST
    https://api-updateservice.pdf-suite.com/api/v1/products/info
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    Remote address:
    104.21.57.28:443
    Request
    POST /api/v1/products/info HTTP/1.1
    Host: api-updateservice.pdf-suite.com
    User-Agent: PDF Suite 20 Installer 20.0.14.3253
    Connection: TE
    TE: gzip
    Accept-Encoding: deflate, gzip
    Accept: application/json
    Content-Type: application/json
    Content-Length: 369
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Fri, 05 Jul 2024 09:57:15 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    vary: Accept-Encoding
    strict-transport-security: max-age=31536000; includeSubDomains
    Content-Encoding: gzip
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KMHKbNcZGp%2BSLEW%2BCwYO0SKYYGzurN%2Fa9SP3N7m4jFHk%2Fe58ls1TBWWE7yxB2AcqOAjbgLLi49uD8MUM2KdbTGFxeKwncnFTS704b6YGsEU%2FXusuFjaRnghZbW1Y5iXn%2BH1BWomf3sH4El5CEx9CXBXV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 89e67d65a8d0bd74-LHR
    alt-svc: h3=":443"; ma=86400
  • 172.67.158.191:443
    https://wsgeoip.pdf-suite.com/ipservice.asmx
    tls, http
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    1.5kB
    6.7kB
    12
    12

    HTTP Request

    POST https://wsgeoip.pdf-suite.com/ipservice.asmx

    HTTP Response

    200
  • 95.101.128.209:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    369 B
    1.6kB
    5
    4

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 184.26.45.61:80
    http://x2.c.lencr.org/
    http
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    448 B
    1.4kB
    7
    5

    HTTP Request

    GET http://x2.c.lencr.org/

    HTTP Response

    200
  • 104.18.7.41:443
    https://avqservice.avanquest.com/api/v4/services/installers/socialidupdate/pdfsuite/
    tls, http
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    1.2kB
    3.7kB
    10
    11

    HTTP Request

    POST https://avqservice.avanquest.com/api/v4/services/installers/socialidupdate/pdfsuite/

    HTTP Response

    404
  • 104.21.57.28:443
    https://api-updateservice.pdf-suite.com/api/v1/products/info
    tls, http
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    1.6kB
    7.0kB
    13
    15

    HTTP Request

    POST https://api-updateservice.pdf-suite.com/api/v1/products/info

    HTTP Response

    200
  • 127.0.0.1:49278
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
  • 127.0.0.1:49281
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
  • 8.8.8.8:53
    wsgeoip.pdf-suite.com
    dns
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    67 B
    99 B
    1
    1

    DNS Request

    wsgeoip.pdf-suite.com

    DNS Response

    172.67.158.191
    104.21.57.28

  • 8.8.8.8:53
    apps.identrust.com
    dns
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    64 B
    165 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    95.101.128.209
    95.101.129.43

  • 8.8.8.8:53
    x2.c.lencr.org
    dns
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    60 B
    165 B
    1
    1

    DNS Request

    x2.c.lencr.org

    DNS Response

    184.26.45.61

  • 8.8.8.8:53
    avqservice.avanquest.com
    dns
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    70 B
    102 B
    1
    1

    DNS Request

    avqservice.avanquest.com

    DNS Response

    104.18.7.41
    104.18.6.41

  • 8.8.8.8:53
    api-updateservice.pdf-suite.com
    dns
    4364c9f9ec2c341b6cb2f2d819f1ccc3ac5e6557107d9fe61ba28c92e9471262.exe
    77 B
    109 B
    1
    1

    DNS Request

    api-updateservice.pdf-suite.com

    DNS Response

    104.21.57.28
    172.67.158.191

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    213ac301c6b5febcb8ca16b12b59146b

    SHA1

    aae0800a61f441038c2eb3be329243bee4cf282e

    SHA256

    e71d387b55a46549dadf0be99903e2846972511701845e559aa2a9f9092e6389

    SHA512

    ea735b9b9948d48366cfd1ed713efd2690acd3d5d503e5ed310577a7f4eb03f2d137e167b6df0f23d6a7ea378688a82c93f6ec49686e1cc8bb7859809b527575

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9c711d3b0a7efdc14766a2fd3ee6d6a9

    SHA1

    fe2a32b0ad80e903ef2ecdbf50458033dfad2657

    SHA256

    589221b0c68eac2840ede39b42a5252de46aabdb563d57cd27d14bb3dd9c5017

    SHA512

    02a0f80b7af2bae62b4fcf5cabdf148f60d8b59899d81f862e36aab81a6cb3babdbb1fc43639adcaea7b4a6ba2ce63cf49e11e1aa4a53484c99e90962db5c40b

  • C:\Users\Admin\AppData\Local\Temp\Cab238A.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar24A9.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
