Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 15:27
Behavioral task: behavioral1
Sample: setup (SLINKY).exe
Resource: win7-20240419-en
General
Target: setup (SLINKY).exe
Size: 687KB
MD5: 5bfdbb28cc7fed82bf415edac9c9eb83
SHA1: c04b108edbb95b75dc1496bed342b937f37fa17a
SHA256: 12affb37160cf0bb5fe284c7f65ddeea23a788f4d35fbf158a4877c99640e8c3
SHA512: ff52df5c58fbee9dd555f373bb1a4b520e36f6a76e1b6ed345015cbd0adf1a3927dd79afe1b92e76b439d1221865b72a34a9023fad3c0c1f849e6a90e4352ae3
SSDEEP: 12288:XeamasPpcOQZTOK7AXIfaNpcAlZwKXKCzNCFQpZGtK8HtDdoA/LQXvU7gkXeNV:uamasBcVOK75JKo0EtFHt+yQXvU7ze
Malware Config
Signatures

HTTP links in PDF interactive object (1 IoC)
Detects HTTP links in interactive objects within PDF files. A /URI link action is also how ordinary hyperlinks are stored in a PDF, so on its own this hit says only that the dropped document contains at least one clickable HTTP link; the target URL is not shown in this report and has to be pulled from the file itself.
resource / yara_rule:
  C:\Users\Admin\AppData\Local\Temp\Slinky.pdf    pdf_with_link_action

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid / process:
  2428    setup (SLINKY).exe
  2260    AcroRd32.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid / process:
  2260    AcroRd32.exe
  2260    AcroRd32.exe
  2260    AcroRd32.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description / pid / process / target process:
  PID 2428 wrote to memory of 2260    2428    setup (SLINKY).exe    AcroRd32.exe
  PID 2428 wrote to memory of 2260    2428    setup (SLINKY).exe    AcroRd32.exe
  PID 2428 wrote to memory of 2260    2428    setup (SLINKY).exe    AcroRd32.exe
  PID 2428 wrote to memory of 2260    2428    setup (SLINKY).exe    AcroRd32.exe
All four writes go from 2428 into 2260, the AcroRd32.exe child that 2428 itself launches (see the process tree below). A parent writing into a child it has just created is also what CreateProcess does while setting up the new process, so this is weaker evidence of injection than a write into an unrelated, already-running process would be.
Processes

1. C:\Users\Admin\AppData\Local\Temp\setup (SLINKY).exe (PID 2428)
   Command line: "C:\Users\Admin\AppData\Local\Temp\setup (SLINKY).exe"
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2260, child of 2428)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Slinky.pdf"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads (dropped files and memory dumps)

C:\Users\Admin\AppData\Local\Temp\Slinky.pdf
Filesize: 285KB
MD5: 8a651d3c642d4da38c54124b8a045804
SHA1: 8006c155846f5a7a422a84eebd4ac175fc895da5
SHA256: ce7e7f6efec617fd75d599ec48a2a162cf2f520dd982d168c6caf596a74567bb
SHA512: 6a9a40511b8cf13a0f8c147c0cd503bb1584a6178cbeb91a58b6ae1f28ce9fb54f396fd0faeb7cd2c0d369fe349c4e54c27c32252f40092f0391e63fd68ac62b

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize: 3KB
MD5: e7d1df4c69b79e9a092b6a6106e86b37
SHA1: b47b763f4dce911a90983da9cf99d195aae22b70
SHA256: bbb88ad539c5b5c0db23178dbdcc7ba42c848ba498dca82d11cfc162863c25c7
SHA512: b1c8a5977fc64a7a753f3aa9b6b657eb00b42c8cef93e08278e84831121e9b5681af4f4c5032532119ef0b1915658eb5560d738b943a8f3cce25613d561135e3

memory/2428-0-0x000000013FD60000-0x000000013FEE1000-memory.dmp
Filesize: 1.5MB

memory/2428-20-0x000000013FD60000-0x000000013FEE1000-memory.dmp
Filesize: 1.5MB