Analysis
-
max time kernel
289s -
max time network
301s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
05-09-2024 13:49
General
-
Target
apowerpdf-setup-light.exe
-
Size
1.8MB
-
MD5
a6df2ff43b6b48cbce156bafa8b45c88
-
SHA1
ddac0778620ade0cb0cf00355ae27d22c9dd91b5
-
SHA256
ff6ac4378e07d703552e45893b0368331fa3a3c671e21b1f552a6ed61220ec7d
-
SHA512
369129de01910c5e86eb1c83c9d93923cbf2b24acbebdbdac1058a2c661693acfc51e73ed447940e05bf7d762dab8815c8f1b0097e9e7daf96a5569a06bcd070
-
SSDEEP
49152:jyIO6XrnRNm5zuXp7jRG6wLvSpDiTEan/DB1d:uIOqrRXG6wL6m1
Malware Config
Signatures
-
Detects Strela Stealer payload 1 IoCs
-
Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
-
Manipulates Digital Signatures 1 TTPs 1 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 11 IoCs
-
Modifies registry class 21 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\apowerpdf-setup-light.exe"C:\Users\Admin\AppData\Local\Temp\apowerpdf-setup-light.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\installer.exe"C:\Users\Admin\AppData\Local\Temp\installer.exe" /VERYSILENT /SUPPRESSMSGBOXES /FORCECLOSEAPPLICATIONS /DIR="C:\Program Files (x86)\Apowersoft\ApowerPDF" /LANG=English2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-IJ2TK.tmp\installer.tmp"C:\Users\Admin\AppData\Local\Temp\is-IJ2TK.tmp\installer.tmp" /SL5="$C004E,22442155,1149440,C:\Users\Admin\AppData\Local\Temp\installer.exe" /VERYSILENT /SUPPRESSMSGBOXES /FORCECLOSEAPPLICATIONS /DIR="C:\Program Files (x86)\Apowersoft\ApowerPDF" /LANG=English3⤵
- Manipulates Digital Signatures
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-1SAQ6.tmp\PinTaskbarTool.exe"C:\Users\Admin\AppData\Local\Temp\is-1SAQ6.tmp\PinTaskbarTool.exe" /unpin "C:\Program Files (x86)\Apowersoft\ApowerPDF\ApowerPDF.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://r.aoscdn.com/jumper?type=install&product_id=124&language=en&unique_id=11c5da0dbfc86bc6abb2b7d6641b0b02&apptype=light&appver=5.4.2.5&first_install_ts=1725544342&ts=1725544342&wxga=&ct=0&mt=0&h=&hash=2e65c7a2c0ab2dd851c9becc8c21f7de2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa91de46f8,0x7ffa91de4708,0x7ffa91de47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9940678814919444584,1990077438247091326,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9940678814919444584,1990077438247091326,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,9940678814919444584,1990077438247091326,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9940678814919444584,1990077438247091326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9940678814919444584,1990077438247091326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9940678814919444584,1990077438247091326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9940678814919444584,1990077438247091326,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9940678814919444584,1990077438247091326,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17.0MB
MD5323d0b0530e51a2c52599753a06ab79c
SHA17766c001176396ba9f81c7a9dfd5a8f07135d33c
SHA256b780de97ee4a434ca82fb396133092159a40240394bf9ff52e45f465fa7fd84f
SHA512b6d8d929e4458ba53fe71970703b8a8bc37334fcb3138974427454a36d5134146d4a3374d3f2e47472158272fe774455e73afa9759a564dc0a27d509abdac8e3
-
Filesize
152B
MD5983cbc1f706a155d63496ebc4d66515e
SHA1223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd
-
Filesize
152B
MD5111c361619c017b5d09a13a56938bd54
SHA1e02b363a8ceb95751623f25025a9299a2c931e07
SHA256d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2
-
Filesize
408B
MD5fa9747695715ce0c822d744e0460c69f
SHA1d601b8aff21de545bd4e26b97ef3056885fb3520
SHA256626ddd6e931c37cbcfd46d6db92dd43f8c307a4f9b0c3a689088d4135e7f54b4
SHA51265c6cca498f41248ad3bc02bfefb7a9e507237a5aff4768e138bacedca0dbb8431c61e437727e77476a7b00c10bb4fe3b23a6836b8a1f5bbc484c404c0fb499f
-
Filesize
1KB
MD51a7fefc72f539060006c671a514eee17
SHA118d6705d4706db1e63359c93677721ba3e7e0ff2
SHA256bd29a108551777a006245ba30cc744e075037b5d946df34153d2658d552b4fab
SHA51295b66a7a4265b60f7f50cb39c281298e3f5a07cd5e2a19ad2ff54f2ead4360df6330795f90e9a477191e544378d47e66a609df4fdb694958ee88e939e9ba57a7
-
Filesize
5KB
MD51944d0d9fc047ad5114889cb79f11036
SHA1e3d904fe39d9328d294fa4c565500ab9fa6901f4
SHA256901b4da6026236276f1279844c42beeccc0479eea0d05c418e72917c4d890588
SHA5122cde1980bd8ebbf6e4e49f90085b1ee02fffc2b2969a28aef28d893b30ce35cf0b3fa5549fc416e36ee7e9acfdd21ec16eee34d19cab7fd3a42a765ba3d5f065
-
Filesize
6KB
MD529750e6e575f8224bf50fff145973c51
SHA105a1fed7f5e1e558a30df41bc43671969f37c5bf
SHA2561c0aa09147bdfd0699d8fcfc8d886162c78972c0b790f9e8f6e771c9ed9f479d
SHA5128194bafdf95027dac8af7c463e7bbd0df62918e75eae3b5b2f99197794c99f402c0d7e6a37fe0e2f73b39341304697bac034ceb53835b32e69e41cbf3bd5acd9
-
Filesize
10KB
MD5c330ee1bf11295862609f543b2e2bbfd
SHA1a6201ddcaa43869eb7c1ff25059d9d92b2560d1d
SHA256d6fc57d062e9ffcc1d5fed9cde4cb664773ec8241555bd15c4a9070bd6bd0429
SHA512ba0a4c9f0b4ced9daff7532d278ed49edbe2898adedb97f385f4a73df1a0f9309ad075b613a28d8bb6941875a742768018a95e726fde7da7b0fb2b21fe3f083a
-
Filesize
61KB
MD5838cb43bd186fd3a6aae49707ae2d329
SHA165727dd7ca6a77edb79d83686f75e6b8e4aa69bc
SHA2562e00ee1bc1151a538c8f359fecdd19ee98e0ba2b46e86ac44fbb3f6804ca6bb1
SHA51232db166c8d1507be99b88f6ba6cf28458a4c61a1c94dc51597ebed3aa218b5d46b4fae942602beb5f874a956c70112de20b3bf38611789a63a89282bd28fccfd
-
Filesize
22.3MB
MD55ef968622b14a77b8c53883ad3eb6a24
SHA1b1469f74bb6d5824e47f839dd8a8e9bea39e06bf
SHA256a861f2f308748e209ab64f2d626cc8e9d81f5522dd5ac28d85ea3f3c9dbe43a2
SHA512777ee5e768f5b45fd65a2e9bcf7d98da48dd3c0178b8b08289056d6f2c7cfb6cb5d42f766ba82882159a18f5bf3d59b8274a2be06fa5d5c1959d3a5fd863228c
-
Filesize
10KB
MD5c00880561224f037feef7cd3dcd11314
SHA13435536555e29c387fd6f55f9d52381e6287fa94
SHA256114963fc2ad618e25837b6f2d1f55d8e616216fe16c21af99c113889d39e92a7
SHA51263050120886d8432c7632a7b8d4798176714156ce5934ec06971220e117a0ecd8fe76da482b51f95a00de579635db3056a8220493361ba69080f2b26bdf5e941
-
Filesize
130KB
MD5f7b445a6cb2064d7b459451e86ca6b0e
SHA1b05b74a1988c10df8c73eb9ca1a41af2a49647b7
SHA256bd03543c37feb48432e166fe3898abc2a7fe854b1113ee4d5d284633b4605377
SHA5129cf6d791132660d5246f55d25018ad0cf2791de9f6032531b9aca9a6c84396b8aeca7a9c0410f835637659f396817d8ba40f45d3b80c7907cccbe275a345a465
-
Filesize
2.8MB
MD51f6fc3bfe1daa276806fcc73c7d86382
SHA1693f27000432240169b64337da6c996e8afb214c
SHA256b160e959a0a48ee8e3fda85e24eb2661a31bc4942ec5463335250417065bab47
SHA512772f70ab014abff4b6b7c365c4fb83ca69519e336fa4e39b32b61dd2f1003671d6e1acd3e0edaf5fcbfd17f039a1194621c0b5eec9d3e9e20d33a780685f462f
-
Filesize
117B
MD53105d4da52180d24d161000bb1c84c4a
SHA1a05c5b1f821e88cc6aedee84b5c58472a26beaf5
SHA2562cb4c82a7ac807ffd784a9519f6b5b271f28604f5746e3101fb43026afaeec89
SHA5121a3b4992508bb42dc3bc4860fbcc65094a8567abd028deeae85718818239c3e903c96b8993c73ddfdf21210b23859db6f652af2e5c7630657af528a8e7618814
-
Filesize
118B
MD5b9363e0e36168b12216752f1512bbed5
SHA1f60eb628fb08dddfc9e1f10f1f70cad70fce658f
SHA256b065bff6001e2ca0a408704bc984ef8b22abc62996080c821a19a26a4826e690
SHA51227cef51022e3c211a97ab40d8ba725534f043278a945fcaf5e3d094d301b9456847970b94592683a46ad4e0477ac759e1f31315b921563ee7cf51c5ac2c5726d
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
672KB
-
Filesize
1.1MB