Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
31-08-2024 01:46
Static task
static1
Behavioral task
behavioral1
Sample
2016pdf.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
2016pdf.exe
Resource
win10v2004-20240802-en
General
-
Target
2016pdf.exe
-
Size
965KB
-
MD5
e289bcf6d77230d7fdb4d8a0bf126723
-
SHA1
70880bcc5a8ac31df2dc6aa2e03f8f73965f7812
-
SHA256
98c08e97f88fd09e81a8dc3e3234f89ceed282048a4275c7a2f1b9bc116db41f
-
SHA512
a7883c1644d143c4d8a6384e7b9d0eeaf9e8ce51c76b3c35f2daf89c04944d77be99af095b31f5a1ba46c8bd271f89aa20d963d4d6a61176cb040e01288395eb
-
SSDEEP
24576:pQu+IperrOUj6k7ZqC30kKoreoQSQS4kHHDJ1VnmjSd/EG:pQyk7ZxlK5oAkDJ1ZYSds
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 10 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/1840-28-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1840-27-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/1840-21-0x0000000000400000-0x0000000000484000-memory.dmp Nirsoft behavioral1/memory/2644-38-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2644-36-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2644-40-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/2644-44-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/820-46-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/820-47-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/820-53-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
NirSoft MailPassView 7 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/1840-28-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1840-27-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/1840-21-0x0000000000400000-0x0000000000484000-memory.dmp MailPassView behavioral1/memory/2644-38-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2644-36-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2644-40-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/2644-44-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1840-28-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1840-27-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/1840-21-0x0000000000400000-0x0000000000484000-memory.dmp WebBrowserPassView behavioral1/memory/820-46-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/820-47-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/820-53-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IPNhDLAeKSichGLS.lnk CKMdCEEIZAPIeXJUdWYAR.exe -
Executes dropped EXE 1 IoCs
pid Process 2384 CKMdCEEIZAPIeXJUdWYAR.exe -
Loads dropped DLL 2 IoCs
pid Process 2136 2016pdf.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2016pdf.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com 7 whatismyipaddress.com -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2384 set thread context of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 1840 set thread context of 2644 1840 RegAsm.exe 33 PID 1840 set thread context of 820 1840 RegAsm.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2016pdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CKMdCEEIZAPIeXJUdWYAR.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe 2384 CKMdCEEIZAPIeXJUdWYAR.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1840 RegAsm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1840 RegAsm.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2384 2136 2016pdf.exe 30 PID 2136 wrote to memory of 2384 2136 2016pdf.exe 30 PID 2136 wrote to memory of 2384 2136 2016pdf.exe 30 PID 2136 wrote to memory of 2384 2136 2016pdf.exe 30 PID 2384 wrote to memory of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 2384 wrote to memory of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 2384 wrote to memory of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 2384 wrote to memory of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 2384 wrote to memory of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 2384 wrote to memory of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 2384 wrote to memory of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 2384 wrote to memory of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 2384 wrote to memory of 1840 2384 CKMdCEEIZAPIeXJUdWYAR.exe 31 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 2644 1840 RegAsm.exe 33 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35 PID 1840 wrote to memory of 820 1840 RegAsm.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\2016pdf.exe"C:\Users\Admin\AppData\Local\Temp\2016pdf.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CKMdCEEIZAPIeXJUdWYAR.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CKMdCEEIZAPIeXJUdWYAR.exe gYdCdIeaUTRhGRagFgD2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe- vbc3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2644
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵
- System Location Discovery: System Language Discovery
PID:820
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
506KB
MD59d7857570d5fdf92e853c4c6cd65a81b
SHA1472a8f79c31ea75738b2a07ada2fe10c4807ee93
SHA2566134cd30e6e0d05553e771e263e8e7b24d71f086d87aa5a2f355e38101314536
SHA51292918612b908fc6cf66070d9613f67d5fe8e56027bdc65ff1c491dbcccc445df98740c10ce9d2de4fa9234acdde86c3115f2aa7a8193273aa116f4104158c043
-
Filesize
38KB
MD5a39dcb345904dddc0c776139b729a243
SHA1db77b63486f0f05c6e14f746bfca7d93b93b0a2a
SHA256c2a31f858f17c64b7a5bd5fe22943733a26d70a89b065aa5b894574eee3ec6b4
SHA512a4d0869d0f90941022e88cd0a71be1b59a467865d437c8253eedbee73becbce56ddda1fd907a88187edad16f3137bf65e8440a02a5123b6d12f89c2ef81696b4
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
732KB
MD571d8f6d5dc35517275bc38ebcc815f9f
SHA1cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA5124826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59