065f3e527b8e8046efc92f372c60c9e9cc0feb5970e8a45a45e81f9828030d81

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
14/03/2025, 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d711f2049a6004cffe447dab78cd7e5.pdf
Size

925KB
MD5

0d711f2049a6004cffe447dab78cd7e5
SHA1

c28fd9c35d97293b7e9b0eaf2032e83e23ca78a4
SHA256

2ac705860b71aed9b7528a62ed1042723f6f7b4c16fb0edf4cddcf09a709c9f7
SHA512

1bfbde72eceb1055cd2a077e74972d1490bf6cf79f2687494bd1ad12934ff6385b1cb729e43f8ab82bbf44082c972f0abb0eda78fec4611633376b87b0378593
SSDEEP

24576:qSbzGTjB0IxmSIKoOCeerokFN7hp96rPyT:qj1QONQok7h1

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2956	AdobeARM.exe
2776	SVCHOST.EXE

Loads dropped DLL 4 IoCs

pid	Process
2232	cmd.exe
2232	cmd.exe
2164	cmd.exe
2164	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeARM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2956	AdobeARM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2988	AcroRd32.exe
2988	AcroRd32.exe
2988	AcroRd32.exe
3048	AcroRd32.exe
3048	AcroRd32.exe
3048	AcroRd32.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2164	2988	AcroRd32.exe	31
PID 2988 wrote to memory of 2164	2988	AcroRd32.exe	31
PID 2988 wrote to memory of 2164	2988	AcroRd32.exe	31
PID 2988 wrote to memory of 2164	2988	AcroRd32.exe	31
PID 2988 wrote to memory of 2232	2988	AcroRd32.exe	32
PID 2988 wrote to memory of 2232	2988	AcroRd32.exe	32
PID 2988 wrote to memory of 2232	2988	AcroRd32.exe	32
PID 2988 wrote to memory of 2232	2988	AcroRd32.exe	32
PID 2232 wrote to memory of 2956	2232	cmd.exe	35
PID 2232 wrote to memory of 2956	2232	cmd.exe	35
PID 2232 wrote to memory of 2956	2232	cmd.exe	35
PID 2232 wrote to memory of 2956	2232	cmd.exe	35
PID 2164 wrote to memory of 2776	2164	cmd.exe	36
PID 2164 wrote to memory of 2776	2164	cmd.exe	36
PID 2164 wrote to memory of 2776	2164	cmd.exe	36
PID 2164 wrote to memory of 2776	2164	cmd.exe	36
PID 2776 wrote to memory of 2920	2776	SVCHOST.EXE	37
PID 2776 wrote to memory of 2920	2776	SVCHOST.EXE	37
PID 2776 wrote to memory of 2920	2776	SVCHOST.EXE	37
PID 2776 wrote to memory of 2920	2776	SVCHOST.EXE	37
PID 2776 wrote to memory of 3008	2776	SVCHOST.EXE	38
PID 2776 wrote to memory of 3008	2776	SVCHOST.EXE	38
PID 2776 wrote to memory of 3008	2776	SVCHOST.EXE	38
PID 2776 wrote to memory of 3008	2776	SVCHOST.EXE	38
PID 2956 wrote to memory of 3048	2956	AdobeARM.exe	40
PID 2956 wrote to memory of 3048	2956	AdobeARM.exe	40
PID 2956 wrote to memory of 3048	2956	AdobeARM.exe	40
PID 2956 wrote to memory of 3048	2956	AdobeARM.exe	40
PID 2956 wrote to memory of 2964	2956	AdobeARM.exe	41
PID 2956 wrote to memory of 2964	2956	AdobeARM.exe	41
PID 2956 wrote to memory of 2964	2956	AdobeARM.exe	41
PID 2956 wrote to memory of 2964	2956	AdobeARM.exe	41

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0d711f2049a6004cffe447dab78cd7e5.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""%temp%\svchost.exe""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\explorer.exe
      explorer
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del /F C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
      4⤵
      System Location Discovery: System Language Discovery
      PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ""%temp%\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe
    "C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe" "C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AdobeARM.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\----Amph Ops - AF aspects.pdf

Filesize
61KB

MD5
00582f6aa1a0504c44b2901200eeb6a1

SHA1
e8349eae0935bb8acb4de9fe5555b29a2e7fc60e

SHA256
f6524bb1ab9e115c8fdf3fe799cc96e4590056585e53a9a0d6dd6761b6130e17

SHA512
43a75911559d54468af171b8efda0a6febb543b40338962e66557a85ff39b7c7b81cc48579bfb6380f09860e4618be9d30b50d38159bfac221c2f1c501ebaa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9RDA2A.tmp

Filesize
358B

MD5
e85a5f934031877e0d5ea964a2aa0fec

SHA1
4af16127d65356a7bc0f1de85ff3d256e0f582fe

SHA256
e0327ad9a1579ca9a7a44903b5cb761f3f6cdda5a726d27b105d41ea88494b78

SHA512
c584d8f162314e5a18b592c7d46adcb9ae4658078f972ba67876211d8b3587aee81ee2c88eeb095c0e805591e26f3aed790e3462ab11b9765833132038239652

Download Submit
\Users\Admin\AppData\Local\Temp\AdobeARM.exe

Filesize
3KB

MD5
536b8a8b431792b4c81e7c28df1d70db

SHA1
deaf80952c98195955900deeb2b44e5f8b0fac41

SHA256
4992b5d0808325585ff5495588bc07ca388c96872159d8f956e33f160ac26bc2

SHA512
bfbbb1fa69eff5e86349dfdb94494022c332714f5f70b0800b0e3319296b1d96199d6b30dee4adcbfa359485b8d66f4748eb916e83929aacdbfbf7c44d564c64

Download Submit
\Users\Admin\AppData\Local\Temp\SVCHOST.EXE

Filesize
28KB

MD5
de619081e22b3ed7372f3148e18cac66

SHA1
13a5744c2e5da6f9bddefd965d3476ec43aa9df1

SHA256
b704057cff16ac3e7045383680551966a921e1f26f9fd86308a2e5c5aca89850

SHA512
0febf14fe2ce63266758ff7279cb8959ea4cc59df6fc3e59e2bcc3e465395a8e7a83de093563f141db498873aa3ddded3e3831a7344a69f128fd368e54937e66

Download Submit
memory/2776-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2988-0-0x0000000003300000-0x0000000003376000-memory.dmp

Filesize
472KB

Download