3af1916fcacd78678b6a2a22061cd3cf9696ea2568ad5ec63cc825ea261b6294

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACFrOgCghmo7t0xFK5CEVtAy2mlGjBBYCP8qWNxFRiuzutPGbxtcYloq%Roads Min. Debris on roads.pdf
Size

667KB
MD5

ef7b03a93ed4c5984af3705c44063822
SHA1

22326d0ccbe60d5196a0fa7003ddd18d737bfcfa
SHA256

bff6647523ca5a3bb1fd36f90b3a81e189808b5df71c495ed01a990caa04ec71
SHA512

a59d65d0d59e2ac19864377f6a3a426c57bbb6a02cd639b5a4188c7c5d01731c2955d7195da311c3256e1b0553e3267a131ac3c800ce9868733090a7524e27ee
SSDEEP

12288:d+YRhIUbzBTNCcvjksMbSs+EMVvDBktYiu+803NIO9Tq1E0CfCzC0lLrzmG:IYRhZxTNCcv5Mz+TVvDOT8iVu1+fCBtd

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1904	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1904	AcroRd32.exe
1904	AcroRd32.exe
1904	AcroRd32.exe
1904	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2788	1904	AcroRd32.exe	31
PID 1904 wrote to memory of 2788	1904	AcroRd32.exe	31
PID 1904 wrote to memory of 2788	1904	AcroRd32.exe	31
PID 1904 wrote to memory of 2788	1904	AcroRd32.exe	31

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ACFrOgCghmo7t0xFK5CEVtAy2mlGjBBYCP8qWNxFRiuzutPGbxtcYloq%Roads Min. Debris on roads.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
659fa93d55039de5be295897f4aade5a

SHA1
025c2bd34f5a2d90da53a10d40f36084385b7dac

SHA256
77e0529b98d4826b29f86768706f5f5bde149372b34b40d9e20f3f4594bf4f2e

SHA512
983b8aa997a10f16cc003e2a31d37dce228fa23255a4dbd1d05e4d924ae92d2eff2b07142f13ce87c87d58682e754081b8ebcb6ec88e8b714691b19cc3bab7b8

Download Submit