851d1e02b134b222d0e4012c2bbb61828f1219c66ec5ed9ca291c406cb83461f

Analysis

max time kernel
140s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11-08-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test11.pdf
Size

6KB
MD5

13486b57cc3ad49227174f86fd4df606
SHA1

6e42b5372e017f45e6afbeee02bd55dd856c3f21
SHA256

851d1e02b134b222d0e4012c2bbb61828f1219c66ec5ed9ca291c406cb83461f
SHA512

2e9e9d63c274b0eee827a45ada7c2e44675756cf4d4f38eba2b158781a84eb3908039444b24e0b3d7de4511d3042ea6b2c8421dbd60da1e66a8760e3de81c71e
SSDEEP

48:F678q1DRROQk+FQJeG88dDpPRujpk3YGv5v2BrlQqUC+kGInKxI1OVx6zTazBQMJ:Y7dDjNsJn8ob2Mv5eATkxneV/B9Ddh

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE

EICAR Anti-Malware test file 1 IoCs

resource	yara_rule
behavioral1/files/0x0035000000018bec-20.dat	eicar_test_file

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2924	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2616	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2616	AcroRd32.exe
2616	AcroRd32.exe
2616	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2924	2616	AcroRd32.exe	29
PID 2616 wrote to memory of 2924	2616	AcroRd32.exe	29
PID 2616 wrote to memory of 2924	2616	AcroRd32.exe	29
PID 2616 wrote to memory of 2924	2616	AcroRd32.exe	29

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\test11.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\A9RBC5.tmp\document.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A9RBC5.tmp\document.txt

Filesize
68B

MD5
44d88612fea8a8f36de82e1278abb02f

SHA1
3395856ce81f2b7382dee72602f798b642f14140

SHA256
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

SHA512
cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5aebfaf42ae23783567c1860429b873b

SHA1
5c1dd1c2eed0a39d495c318b84e72c02bc08f25f

SHA256
47469103b7146ca3171be00526a6b81a3dddbe4edfe6574c196368c0d5c241b3

SHA512
ee6024740146fe0f59c08af0530eb560c5ac70a1826374af74180dcbf02d8488987ef29d1d33ae5cac2a48550048053d30856d1a72e1ea0b140376caaeb6a0b3

Download Submit