7d4d682acf1ff95e373d134822560dba1b20c4f0c0da580e8ef8d437fefbd8b4

Analysis

max time kernel
57s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HealthEquity Privacy Supplement to CIO Letter 7.8.24.pdf
Size

238KB
MD5

770e4f276906a68da5f9251d1ca409dd
SHA1

d957fcc21358d1df7a9f922bf5adc56ade278e0c
SHA256

7d4d682acf1ff95e373d134822560dba1b20c4f0c0da580e8ef8d437fefbd8b4
SHA512

e595bebf3147bdcc331c8e7655047f8b1ef60d9c18ce37b86b2eefffdf0236357b57d2c65f246c7399871da20d551440261cb1ebbccf57f7da5ad10a649a77ad
SSDEEP

6144:EI6DAFi4tziNn/A1kqJOBBMmlDpEV2sFbUq+Xk0LVMB:iot4/AaqABL9KPyq+AB

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	AcroRd32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: 33	2696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2696	AUDIODG.EXE
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: 33	2696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2696	AUDIODG.EXE
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3008	AcroRd32.exe
3008	AcroRd32.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3008	AcroRd32.exe
3008	AcroRd32.exe
3008	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 2532	3888	chrome.exe	31
PID 3888 wrote to memory of 2532	3888	chrome.exe	31
PID 3888 wrote to memory of 2532	3888	chrome.exe	31
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 1988	3888	chrome.exe	33
PID 3888 wrote to memory of 3976	3888	chrome.exe	34
PID 3888 wrote to memory of 3976	3888	chrome.exe	34
PID 3888 wrote to memory of 3976	3888	chrome.exe	34
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35
PID 3888 wrote to memory of 3988	3888	chrome.exe	35

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\HealthEquity Privacy Supplement to CIO Letter 7.8.24.pdf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x534
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefab89758,0x7fefab89768,0x7fefab89778
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1360,i,15780027033662634125,14468136472044435183,131072 /prefetch:2
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1360,i,15780027033662634125,14468136472044435183,131072 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1360,i,15780027033662634125,14468136472044435183,131072 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1616 --field-trial-handle=1360,i,15780027033662634125,14468136472044435183,131072 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1360,i,15780027033662634125,14468136472044435183,131072 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1136 --field-trial-handle=1360,i,15780027033662634125,14468136472044435183,131072 /prefetch:2
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1140 --field-trial-handle=1360,i,15780027033662634125,14468136472044435183,131072 /prefetch:1
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3992 --field-trial-handle=1360,i,15780027033662634125,14468136472044435183,131072 /prefetch:8
  2⤵
  PID:2712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:528

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f910b19cddd3c2bdcb6f4627c5f6d110

SHA1
2406ed003b331ce6a8418064759d65e2eba5fe27

SHA256
6c90921c28672a426cac844e049bb803c03fb0c8dde8a995d869320a14ad9c2b

SHA512
249f7a28c7bc8f38af19d501ddc0e9c645261ba8358a4807ccbab96f2da2ba701bc8f4e168aa3fb116cec9db654af4fdcbac35a457db44015ceeda19b189ec64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f0d9ef6691793714d6e165c930b8fa02

SHA1
1461852100e6a17eab03f18f30d989f60358468b

SHA256
cc39b5c8839d869223fd237a9be2f0a1cfa1964a5ea216fadf9b4e55aeeccc63

SHA512
336b38bc903db1c1ffc38de1024fae5873d10d173484fb34f07f9d8730b4acdc1f03f273a52d75fa024737c09f759210084e848ea84f8fcb56b78dbc344a461d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9RDFC5.tmp\MicrosoftIRMServices Protected PDF.pdf

Filesize
179KB

MD5
cd0211db9c79d245873ddc4577fab5ad

SHA1
1901f1d3e4077bcc98a867f43579091b6d7f1e78

SHA256
6dde899c1b0038a7c8a68472289f6089071beadb0221658ce798c408d119481e

SHA512
448a2e2f0c1f5ab595cde7f4ecbae59a92f37a6f712af612ffdbfd2b793ad2513beef0aa6a02e423f388d1b55a776b609365be31b08a31aef01cfd75fe3375c0

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
39cbe896e7e64b3c8cbd60099d2d2e5c

SHA1
5b49acc483fef1f4a321fcd5d6fc90e53ae7fff9

SHA256
8b0f170fbeed9ee22ca98545e15a11cf00dde4a7bdfb48b4e57788cbe4592d07

SHA512
0dfd783ab5434e33e8855e8906a42beb6095b26f1bf5f5787e663e3797c20f60b149ab4c7f28a356ecc8ae83ed4fd462b3bd7508849a3e754b29ab15ba8eef55

Download Submit
memory/3008-625-0x0000000002460000-0x000000000246A000-memory.dmp

Filesize
40KB

Download
memory/3008-626-0x0000000002460000-0x000000000246A000-memory.dmp

Filesize
40KB

Download
memory/3008-2504-0x0000000002460000-0x000000000246A000-memory.dmp

Filesize
40KB

Download
memory/3008-2503-0x0000000002460000-0x000000000246A000-memory.dmp

Filesize
40KB

Download
memory/3008-4829-0x0000000000B10000-0x0000000000B12000-memory.dmp

Filesize
8KB

Download