ba6d7751a2eb06fc4448f1656a0d99a380fc60b205f8d44b3c04d57ba44acdcd

Analysis

max time kernel
73s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDFXCEportable.exe
Size

173KB
MD5

c25e64ac42f7334b8722a7db14d36b0e
SHA1

735a8b8b28643818cad2647651b08ba3810ba66f
SHA256

ba6d7751a2eb06fc4448f1656a0d99a380fc60b205f8d44b3c04d57ba44acdcd
SHA512

33a988705a1437ddac663a1c12122d59f7048484894cdba74a47151d9ad0abf0357c5735ebc9a3794945b43d4c19aac10a9cd7fb51d36cbc24db5164424f680d
SSDEEP

3072:vNRCywDw1DiJku6f7VfaN8mb600UdM+M3kFqmuEeUg8vbu:vT4Dt+f7AN8m2kzM3gqmj/Du

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFXCEportable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2692	vlc.exe
1608	WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	vlc.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe
2692	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2692	vlc.exe
1608	WINWORD.EXE
1608	WINWORD.EXE
1608	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\PDFXCEportable.exe
"C:\Users\Admin\AppData\Local\Temp\PDFXCEportable.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1656

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UpdateDisconnect.M2T"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RestoreTrace.odt"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
1e6dc5e2306292f7bc5aabb8a4cf523f

SHA1
99acebe4a6cbee852b59fb222a5c3f2a2bc542c4

SHA256
dbaa2853651f356e775079b7e327f65945568594d98e755728fbbfda92b2bdaf

SHA512
739abc70c467dc9ecc99162839a11140de9f81405036d7517d2a397ffb9b0ae7fafdcf56510365a3cff2594703721a0e39d5b41a87ef6b9d86013582fd708924

Download Submit
memory/1608-26-0x000000002F2F1000-0x000000002F2F2000-memory.dmp

Filesize
4KB

Download
memory/1608-27-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1608-28-0x0000000073F2D000-0x0000000073F38000-memory.dmp

Filesize
44KB

Download
memory/1608-46-0x0000000073F2D000-0x0000000073F38000-memory.dmp

Filesize
44KB

Download
memory/1608-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2692-23-0x000007FEFB5D0000-0x000007FEFB604000-memory.dmp

Filesize
208KB

Download
memory/2692-22-0x000000013F600000-0x000000013F6F8000-memory.dmp

Filesize
992KB

Download
memory/2692-24-0x000007FEF7D50000-0x000007FEF8006000-memory.dmp

Filesize
2.7MB

Download
memory/2692-25-0x000007FEF5D00000-0x000007FEF6DB0000-memory.dmp

Filesize
16.7MB

Download