Overview

overview

7

Static

static

3

scan_93746...df.exe

windows7-x64

7

scan_93746...df.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2024 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    scan_9374673_Medoc.pdf.exe

  • Size

    10.3MB

  • MD5

    90e1e4a21bf1331c654d95cfdfa0e8f6

  • SHA1

    91d85cec0975207ad8a18d3f50f29a5e6ad85bb0

  • SHA256

    dda723c5cd12c505c74c66391c9cf5cfaf8a7aab5fbaf5d0b8599a3a7650154c

  • SHA512

    1dff147be6ab5a3b889f20a4fe5b66ac29e4aca89f0b7b90e132a537d620180a75e7f2ba68b23dc4159ef87833853fd08c36946b4ad279c67c0a4a39d4075d51

  • SSDEEP

    196608:UnlKFCFw1qhmCEokhLyjKwh3u709Su4KepxfbWh0nWilcpuwOWnrxwQdK:UnlJ6ShkxyjK2Cbu4DpF6Kn2Okr60K

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 17 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\scan_9374673_Medoc.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\scan_9374673_Medoc.pdf.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\is-AQTAQ.tmp\scan_9374673_Medoc.pdf.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AQTAQ.tmp\scan_9374673_Medoc.pdf.tmp" /SL5="$702C2,10384029,125952,C:\Users\Admin\AppData\Local\Temp\scan_9374673_Medoc.pdf.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Users\Admin\AppData\Local\Temp\scan_9374673_Medoc.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\scan_9374673_Medoc.pdf.exe" /verysilent /password=n3xbi
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Users\Admin\AppData\Local\Temp\is-17F0G.tmp\scan_9374673_Medoc.pdf.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-17F0G.tmp\scan_9374673_Medoc.pdf.tmp" /SL5="$A025C,10384029,125952,C:\Users\Admin\AppData\Local\Temp\scan_9374673_Medoc.pdf.exe" /verysilent /password=n3xbi
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:6056
          • C:\Windows\SysWOW64\msiexec.exe
            "msiexec.exe" -i "C:\Users\Admin\AppData\Local\Temp\is-BS31P.tmp\Acrobat.msi" -qn
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5896
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C99DFC40BC5717053923BE8E63C9182E
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1984
    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\AcroRd.exe
      "C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\AcroRd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4824
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=944 /prefetch:8
    1⤵
      PID:4124

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e588ad9.rbs
      Filesize

      2KB

      MD5

      372250d445c35746a1828ab211303a9c

      SHA1

      710b0e1851004f702716c10b1748b33b57645bcf

      SHA256

      edab7e8299ed1b37c749834da8eec03bd1d1ce8d2adffe92643e723ff87587ed

      SHA512

      309c0bd34c63bdbe327135eeefbf76e6f4ef0f93a0729529b2e94919e24dc3503907cc01546fbc3a0ee6c051fb35ed4661120e2da56984aee8fce39bc007c8cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\AcroRd.exe
      Filesize

      8.6MB

      MD5

      679368412fd482fe978a21313d2a89c5

      SHA1

      6267e3e28881a462d91ec8e558d2988ef8030b6b

      SHA256

      beffe9a402b7721009674866ad773008c90b6af543973abdfb81391af4eb7146

      SHA512

      2f730f6d77d951ede98653b362f8affa331588bf21a60539a60eee23d912ec5d73ca2a05b69e7e7c047b2c264b8b2c260b4f866515238ffbc2b60a1c11b6270c

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\AstClient.dll
      Filesize

      675KB

      MD5

      7bf95a14483346eae890e6f4354c74a8

      SHA1

      7de11b13cfe609d454bdd1393ed3d79a127c1b7c

      SHA256

      719f267e41c95e36f99f5da0b9d5d70054d3e9c16e99fb1122948382b976d614

      SHA512

      ef8b24e6079f05b3f1253e4487e1426639ceb5c1e13ca80046debd224353280e921ea765958f5b3f564983992a294e0242fd7bf4753cce24c51caa86557b51fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\AstCrp.dll
      Filesize

      171KB

      MD5

      dbb4bccfe8fee299d555a19865c41921

      SHA1

      a6c494854ca8bec80c05e259a9d8d9346ec61786

      SHA256

      45e87d7421b6b65c207e8d564a4e54dcdab7b104b83341f63d348f8894bde992

      SHA512

      5b5b6091655801c984e87a5de4b8c3771b7ff8a069206662650ba652711db48a4912a613015c2254215ccbd252c475c4a4f00efcb1e0dfb404c6736746a187a4

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\SHFolder.dll
      Filesize

      547KB

      MD5

      b13e5039028ce3be9c913322d787c33e

      SHA1

      866e2607cceb7bedfcc16982bb068b9d1b5510f2

      SHA256

      3da1ed9f54697ca6cd0980d31cb444db863e4a32d7b0a393fabe49791414596b

      SHA512

      ec06d1b9d77516ae477dfec25ce4817ea9288efdc2e4b22e61a36d5099e4c398bdbce650887fb026f0e4ea9cb1c1d9f0761d0bc3df9b7e8628598a446c66da10

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\astrct.dll
      Filesize

      1.7MB

      MD5

      59b0561cc13e47a3d7be7947e9b8a4cf

      SHA1

      172663ab62e420cbd46983f5dfacac3b550cdb4f

      SHA256

      e12baf2c64aed23a6d324fd553d5722e5d5d03d50676a0afe97c4090df3cb7c2

      SHA512

      35d3a4739176c81c5e339c5b64411cd0cbb24b2343792e2af302a585b984c158140a20050fd8015a4d49c2a69bbd31aad82a4f58e8279611ec262499dab6bd41

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\config.ini
      Filesize

      592B

      MD5

      d0194a86163e4edc6df8d7d18e05e94f

      SHA1

      a6fa3081d4b52ad403cb7e6328323145f825db9d

      SHA256

      bf98bf21fe2e415b0ddcfca143f1470672a621e0b6bf6688c66e0ea32fc38f26

      SHA512

      332dfcb032304b027ba71e9e2f61d828834ee18aca9bd36b3774ee9187550b0b760d2ec9bd55d7bb05c38aa4ea27156dcd56abb302d487dad24cc37338d9856a

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\eng.lng
      Filesize

      41KB

      MD5

      a210c2a3609b1c03df6d0219f74fc543

      SHA1

      78888e250c8af963268ebc467319d71a5061db6b

      SHA256

      3a968020e1532ecaffaef3be8f15b6ecbac3d58d129eb92511deca6904d215f5

      SHA512

      7e866eb3aa958d0ba2132044d7569ac97b20d712372b7343215f8383400231a12b502437a5984f376c81e50aa88b56037767514f94cd33f582b6b5c479f70ed5

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\fp0gbzv.bmp
      Filesize

      8KB

      MD5

      fef9ab3a8bd18724f8a73e0aef18e8d8

      SHA1

      3e3981f914b2953219f99c3e8e8c89970ba8ead2

      SHA256

      148e2dc77cbf13af26605a7d0d676646b7f264ecb07280c02e23fac4a15c9a60

      SHA512

      24d0a3585421250fd4d83f1c39b7ce9aa84848b91c902884590a7573c40c156ad9461b5f74a8716c1880701d05cf6aa9d9554497703b132073ba2511ce946480

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\hatls.dll
      Filesize

      2.1MB

      MD5

      bccf6a5c2595eea84533692bb788d8bb

      SHA1

      24318226f145e52b7633a4e9e844d6ead43b75ac

      SHA256

      abf75de674428e112f90f1c618218ff73ef851f4f09c5f5ba8b69e79a6c74dbf

      SHA512

      78f24f0812aae31e83340adeb1a1ae8c00edfdf483e299706f863cb713bfdc2501b5418ce8f8bd9131e3c704bffb58a8ca05c5e0a75eb19f15e0409c5b74e35b

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\hs8cd.cfg
      Filesize

      34B

      MD5

      9ed977c7b91b73b8b5714c26e12ccf90

      SHA1

      88accf91bc79b6c53e3352968483a3c534c280ae

      SHA256

      01c8e16bf8bfe67d7987d96a56d60edc7cf19b828ab537a6e40db863a5b593dc

      SHA512

      4a1df0182ef37789076bfd3528ff7fcf65bef2f208fa640b1ad58decffc69a2cd968f8be1248e811961b774fdfcc4d347df1308c8526aa2819f622b8bb01304f

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\libcrypto-1_1.dll
      Filesize

      3.0MB

      MD5

      df54355a82c6ce8fdfc02e1b227410ab

      SHA1

      2e9134150f83eda3a55b7dd73d5faf6bfa9de132

      SHA256

      06d30d8a77bf336c16d50a9c9fbf64dccdda5f4e1f6146f7741cecd5492031d3

      SHA512

      29b0c47dee5a8397b3e4f4e322fed2be60937817a9bc931ba77885bbc2f196bc492cceed8f6eb2706ff4c69c3fdf0a01d2682e2c5d0ec05af21511f3af5b5aad

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\libcurl.dll
      Filesize

      534KB

      MD5

      13cd45df8aaa584ebd2a40ede76f1e06

      SHA1

      baa19e6a965621cb315e5f866edc179ef1d6b863

      SHA256

      3ff4e80e327f298a11e116a517be0963a0b3cd376a6a624caffacd586e6b1449

      SHA512

      285d7265ac05cecdd43650e5def9198b5f2f4d63665739baa059598e41f4ce892248d3ca7e793ac274dc05b4c19cfa11c17faea62fc1e3495c94a03851049328

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\libssl-1_1.dll
      Filesize

      925KB

      MD5

      cbefd9f5e05bbf57aed04b098e6f499f

      SHA1

      cbac40bfc062e7aa2befcb91687930bab9c4d241

      SHA256

      e07a95378815fbfc3b2ed21bcae5ba43106a4929273f9bbcc26eff437a3c9ab8

      SHA512

      3d0c320683e90f66a9b76613cfc84af87422fb5eee2375e918c63642b7e72faa70a6383b6e43e565d6bbeec4c8060062000bd40321165fc4b5ede8b213bda049

      Download Submit

    • C:\Users\Admin\AppData\Local\Programs\Acrobat\Reader\sqlite3.dll
      Filesize

      815KB

      MD5

      c7f02a62ec2be3e345917640fd9e7502

      SHA1

      828f4df3e2ad0c8b04b06cecb0c539391ba09704

      SHA256

      8e85d370cc83174d34d0d6fd9153c37bb184dc9347e5a3bbfc692f9ded7be520

      SHA512

      d3c33df3e7e06bd2beb638a4e17703498cb49da0ce958beaf268784d802bf6069eac236deb0049b6d5b5b1ba252d15a3a0a4e8585730dc69c4604a88f9d38f8a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-7O3Q9.tmp\_isetup\_iscrypt.dll
      Filesize

      2KB

      MD5

      a69559718ab506675e907fe49deb71e9

      SHA1

      bc8f404ffdb1960b50c12ff9413c893b56f2e36f

      SHA256

      2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

      SHA512

      e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-AQTAQ.tmp\scan_9374673_Medoc.pdf.tmp
      Filesize

      1.1MB

      MD5

      452380821b3f6e043f60d524eec34e1a

      SHA1

      3ac6f4741741431386124aab4c0961d6822bad84

      SHA256

      06470a4bb9b76b02d58351c923a7c18386f067420bd2cfd651c8ac0d789fd2d0

      SHA512

      8a841558c6ac6ab0191a4f5edd6fa6b13fb471bfd7e1e3b2c7f3924009ed63dbbeb149ee0c80f6c5a4a751ac91472e2daa2f00144a638576ac3ee50eb746fea5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-BS31P.tmp\Acrobat.msi
      Filesize

      10.5MB

      MD5

      2c7254a2773123421fd6021e45e044c7

      SHA1

      d18099623f656ec16b1f418e193a66b156d1f7ee

      SHA256

      d97d40be9c47932f0badde7487345b52519fe05895c8fde87eb591423328c8ef

      SHA512

      00d39df5cc1234a6b124ebdd3b5d496306742dbd2ccee934acd717e4447bb6c3e03274e202b8be92e5e1ea0e1abc44414dee14a46486e9649e7d118c55af443f

      Download Submit

    • C:\Windows\Installer\MSI8BE0.tmp
      Filesize

      584KB

      MD5

      8e565fd81ca10a65cc02e7901a78c95b

      SHA1

      1bca3979c233321ae527d4508cfe9b3ba825dbd3

      SHA256

      7b64112c2c534203bb59ce1a9b7d5390448c045dda424fb3cfd5878edb262016

      SHA512

      144bde89eba469b32b59f30e7f4d451329c541ed7b556bc60d118c9e2e5cdf148c2275cca51c4b9355686aefa16a4b86a26d4c8fe0dd2cf318b979863109592e

      Download Submit

    • memory/2388-16-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2388-6-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2684-0-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2684-19-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2684-2-0x0000000000401000-0x0000000000412000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4744-103-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/4744-15-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/4744-13-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/4824-138-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-285-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-110-0x0000000073E90000-0x000000007417E000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/4824-150-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-123-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-126-0x0000000061E00000-0x0000000061EB8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/4824-125-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-132-0x0000000002C50000-0x0000000002DF0000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4824-124-0x0000000000400000-0x0000000000D04000-memory.dmp

      Filesize

      9.0MB

      Download

    • memory/4824-162-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-92-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-273-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-136-0x0000000073E90000-0x000000007417E000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/4824-174-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-187-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-201-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-213-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-225-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-237-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-249-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4824-261-0x0000000007000000-0x000000000708D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/6056-100-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/6056-22-0x0000000000400000-0x000000000052E000-memory.dmp

      Filesize

      1.2MB

      Download