44f41c5b07b60932d37e858316955d482c86162f9c8c249ff71233791da7f2c8

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rechnung.pdf
Size

87KB
MD5

f07abf7ecdd49d5dc741c98b4c0dd6d2
SHA1

779ca1fa1893e71d201e119d547b52620687384a
SHA256

44f41c5b07b60932d37e858316955d482c86162f9c8c249ff71233791da7f2c8
SHA512

b79485304e873b4a6dee21d01eb33aae040342a7197aadf050eeedd8aaddd0af345c442df3cda6561114fb61a53f185e1f319a3557675c7ca5c310e6d6ebab89
SSDEEP

1536:02pEkwQRDE65jOwgdV2Ksp4jcmD3vBB2kjl0yGY9UDQHT8:0wf+aOwgdzrDH0yldHT8

Score

1^/10

Malware Config

Signatures

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_Classes\Local Settings	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

splwow64.exe

pid process

2980 splwow64.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exesplwow64.exe

pid process

1412 AcroRd32.exe
1412 AcroRd32.exe
1412 AcroRd32.exe
1412 AcroRd32.exe
2980 splwow64.exe

pid	process
2980	splwow64.exe

pid	process
1412	AcroRd32.exe
1412	AcroRd32.exe
1412	AcroRd32.exe
1412	AcroRd32.exe
2980	splwow64.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

AcroRd32.exe

description	pid	process	target process
PID 1412 wrote to memory of 2980	1412	AcroRd32.exe	splwow64.exe
PID 1412 wrote to memory of 2980	1412	AcroRd32.exe	splwow64.exe
PID 1412 wrote to memory of 2980	1412	AcroRd32.exe	splwow64.exe
PID 1412 wrote to memory of 2980	1412	AcroRd32.exe	splwow64.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rechnung.pdf"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2980

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads