Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
10-10-2024 05:59
Behavioral task
behavioral1
Sample
Rechnung0192839182.pdf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Rechnung0192839182.pdf
Resource
win10v2004-20241007-en
General
-
Target
Rechnung0192839182.pdf
-
Size
88KB
-
MD5
b42da2c97afc62d51147fb36e96a648e
-
SHA1
ad631d0c4bef6b941bd61ff2860629e654a6c394
-
SHA256
bfd58f9f8557a8f8e8ddf4fad14a8588d1a529647c5aa170c0ed1bcf065fc287
-
SHA512
228db4bb8a54a80a19ac47744acb2bc70125bf73f5974b6cf45644544a1af1864a79a0648676904fd859956892c538e8d65d008cca3a8d9c58d6faa0a760a3fb
-
SSDEEP
1536:oFdBt4uc0o9uqdh+XICvr/HZ9QDUIWEtZgowq8sAsz+2Vb:cfnokwoIar/Htc+sAsz/b
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
-
Modifies Internet Explorer settings
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not present in source) iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ee62bbd91adb01 iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5F65071-86CC-11EF-B2D5-C6DA928D33CD} = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000ccd57e1e23552ce13fb5e50251764fa7e52a838bab38ff4caaef8cb9d36a4371000000000e80000000020000200000004092ae7122cdab92c6fdc4c2241cef78cd4d0eb6dc084a58894f6b1a2b84cfb6200000006b3a2863cca77cda041d32180e7ab80f65528f68eef5c205f22cce4af9c1aedf40000000f07c8c21bc2bc46b8c5a031ad4d628d810dde553a1e648ca176c2d741eccec8cba2230b2ede6d32314a8341ca11a151099a876637cf63a960a61b48e0ccef972 iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2696 AcroRd32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2804 iexplore.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process
2696 AcroRd32.exe
2696 AcroRd32.exe
2696 AcroRd32.exe
2696 AcroRd32.exe
2804 iexplore.exe
2804 iexplore.exe
2620 IEXPLORE.EXE
2620 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 2696 wrote to memory of 2804 2696 AcroRd32.exe 30
PID 2696 wrote to memory of 2804 2696 AcroRd32.exe 30
PID 2696 wrote to memory of 2804 2696 AcroRd32.exe 30
PID 2696 wrote to memory of 2804 2696 AcroRd32.exe 30
PID 2804 wrote to memory of 2620 2804 iexplore.exe 31
PID 2804 wrote to memory of 2620 2804 iexplore.exe 31
PID 2804 wrote to memory of 2620 2804 iexplore.exe 31
PID 2804 wrote to memory of 2620 2804 iexplore.exe 31
PID 2804 wrote to memory of 756 2804 iexplore.exe 33
PID 2804 wrote to memory of 756 2804 iexplore.exe 33
PID 2804 wrote to memory of 756 2804 iexplore.exe 33
PID 2804 wrote to memory of 756 2804 iexplore.exe 33
Processes
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rechnung0192839182.pdf"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
  - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://t.co/dZamaKLBX8
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:275457 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:2620
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:472077 /prefetch:2
      PID:756
Network
MITRE ATT&CK Enterprise v15
Downloads