| File name: | slavneft.zakaz.pdf |
| Full analysis: | https://app.any.run/tasks/01fc9fc5-836c-4347-8f40-15f00586cbe3 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 11, 2019, 10:10:50 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/pdf |
| File info: | PDF document, version 1.4 |
| MD5: | B04CEE291AF4346FD1FCDFEF94F00409 |
| SHA1: | 395E7542290E77361860D4DC88B872955D3F7E91 |
| SHA256: | 90006916FDBE115E657377803B1C075AE7C972DAC81C1A87BF1BBBA283D06CEF |
| SSDEEP: | 384:SbqCMMH6uLJHnPWkm2r+Xbzy1eX1n6BB9QCX2H90GFCgAQdRtf1utCUSUvt:+HlJ/mi+rzyC16BB9QCXe6pg9zi7 |
MALICIOUS
TROLDESH was detected
- rad92D10.tmp (PID: 2412)
- radB9FD6.tmp (PID: 3980)
Application was dropped or rewritten from another process
- rad92D10.tmp (PID: 2412)
- radB9FD6.tmp (PID: 3980)
Downloads executable files from the Internet
- WScript.exe (PID: 2808)
- WScript.exe (PID: 2832)
Changes the autorun value in the registry
- rad92D10.tmp (PID: 2412)
Actions looks like stealing of personal data
- rad92D10.tmp (PID: 2412)
Modifies files in Chrome extension folder
- rad92D10.tmp (PID: 2412)
SUSPICIOUS
Executable content was dropped or overwritten
- WScript.exe (PID: 2808)
- rad92D10.tmp (PID: 2412)
Starts application with an unusual extension
- cmd.exe (PID: 3436)
- cmd.exe (PID: 3908)
Starts CMD.EXE for commands execution
- WScript.exe (PID: 2808)
- WScript.exe (PID: 2832)
Starts Internet Explorer
- AcroRd32.exe (PID: 2964)
Connects to unusual port
- rad92D10.tmp (PID: 2412)
Creates files in the program directory
- rad92D10.tmp (PID: 2412)
- radB9FD6.tmp (PID: 3980)
- AdobeARM.exe (PID: 3004)
Checks for external IP
- rad92D10.tmp (PID: 2412)
Executes scripts
- WinRAR.exe (PID: 3392)
INFO
Application launched itself
- iexplore.exe (PID: 3208)
- RdrCEF.exe (PID: 3676)
Changes internet zones settings
- iexplore.exe (PID: 3208)
Creates files in the user directory
- iexplore.exe (PID: 3504)
- AcroRd32.exe (PID: 2964)
Reads Internet Cache Settings
- iexplore.exe (PID: 3208)
- iexplore.exe (PID: 3504)
Dropped object may contain URL to Tor Browser
- rad92D10.tmp (PID: 2412)
Dropped object may contain TOR URL's
- rad92D10.tmp (PID: 2412)
Dropped object may contain Bitcoin addresses
- rad92D10.tmp (PID: 2412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| | | Adobe Portable Document Format (100) |
EXIF
| PDFVersion: | 1.4 |
|---|---|
| Linearized: | No |
| CreateDate: | 2019:01:24 13:16:53+02:00 |
| Creator: | ÿþw(Foxit Advanced PDF Editor) |
| ICNAppName: | Foxit Advanced PDF Editor |
| ICNAppPlatform: | Windows |
| ICNAppVersion: | 3 |
| ModifyDate: | 2019:02:11 10:28:12 |
| Producer: | Qt 4.8.7 |
| Title: | - |
| PageCount: | 1 |
Total processes
53
Monitored processes
18
Malicious processes
7
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2312 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\slavneft.zakaz.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 0 Version: 15.23.20070.215641 Modules
| |||||||||||||||
| 2412 | C:\Users\admin\AppData\Local\Temp\rad92D10.tmp | C:\Users\admin\AppData\Local\Temp\rad92D10.tmp | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2444 | C:\Windows\system32\vssadmin.exe List Shadows | C:\Windows\system32\vssadmin.exe | — | rad92D10.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2704 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe | — | AdobeARM.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat SpeedLauncher Exit code: 0 Version: 15.23.20053.211670 Modules
| |||||||||||||||
| 2808 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\«ПАО «НГК «Славнефть» подробности заказа.js" | C:\Windows\System32\WScript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2832 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3392.41152\«ПАО «НГК «Славнефть» подробности заказа.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2844 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3676.0.936549318\481118578" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Exit code: 0 Version: 15.23.20053.211670 Modules
| |||||||||||||||
| 2964 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\slavneft.zakaz.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | explorer.exe | ||||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Exit code: 0 Version: 15.23.20070.215641 Modules
| |||||||||||||||
| 3004 | "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:15.0 /MODE:3 | C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe | — | AcroRd32.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Reader and Acrobat Manager Exit code: 0 Version: 1.824.27.2646 Modules
| |||||||||||||||
| 3208 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | AcroRd32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 988
Read events
1 764
Write events
220
Delete events
4
Modification events
| (PID) Process: | (2312) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection |
| Operation: | write | Name: | bLastExitNormal |
Value: 0 | |||
| (PID) Process: | (3208) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (3208) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3208) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3208) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (3208) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (3208) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3208) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {59CE0D2F-2DE5-11E9-91D7-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (2312) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral |
| Operation: | write | Name: | bExpandRHPInViewer |
Value: 1 | |||
| (PID) Process: | (2312) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\NoTimeOut |
| Operation: | write | Name: | smailto |
Value: 5900 | |||
Executable files
3
Suspicious files
125
Text files
32
Unknown types
18
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2312 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | |
MD5:— | SHA256:— | |||
| 3208 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 3208 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 3208 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5B9CE91330E6D4DA.TMP | — | |
MD5:— | SHA256:— | |||
| 2312 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rriwwhs_nyckm1_1s8.tmp | — | |
MD5:— | SHA256:— | |||
| 2312 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1mvn3wu_nyckm0_1s8.tmp | — | |
MD5:— | SHA256:— | |||
| 2312 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R9mkvdq_nyckm3_1s8.tmp | — | |
MD5:— | SHA256:— | |||
| 2312 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1gq6jos_nyckm2_1s8.tmp | — | |
MD5:— | SHA256:— | |||
| 2312 | AcroRd32.exe | C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rbwdy6o_nyckm4_1s8.tmp | — | |
MD5:— | SHA256:— | |||
| 3208 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF24F8FA4A09F35277.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
27
DNS requests
11
Threats
49
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
2964 | AcroRd32.exe | GET | 304 | 2.16.186.32:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip | unknown | — | — | whitelisted |
2412 | rad92D10.tmp | GET | 403 | 104.16.155.36:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
2412 | rad92D10.tmp | GET | 403 | 104.16.155.36:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
2808 | WScript.exe | GET | 401 | 85.10.230.160:80 | http://eventbrand.pl/cgi-bin/messg.jpg | DE | html | 624 b | malicious |
2412 | rad92D10.tmp | GET | 403 | 104.16.155.36:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
2412 | rad92D10.tmp | GET | 403 | 104.16.155.36:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
3504 | iexplore.exe | GET | 200 | 95.213.137.131:80 | http://med-nok.ru/modules/aggregator/slavneft.zakaz.zip | RU | compressed | 3.31 Kb | unknown |
2412 | rad92D10.tmp | GET | 403 | 104.16.155.36:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3208 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3504 | iexplore.exe | 95.213.137.131:80 | med-nok.ru | OOO Network of data-centers Selectel | RU | unknown |
2964 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
2964 | AcroRd32.exe | 2.16.186.32:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
2808 | WScript.exe | 85.10.230.160:80 | eventbrand.pl | Hetzner Online GmbH | DE | suspicious |
2412 | rad92D10.tmp | 192.42.113.102:9001 | — | SURFnet bv | NL | suspicious |
2832 | WScript.exe | 85.10.230.160:80 | eventbrand.pl | Hetzner Online GmbH | DE | suspicious |
2412 | rad92D10.tmp | 104.18.34.131:80 | whatsmyip.net | Cloudflare Inc | US | shared |
2412 | rad92D10.tmp | 80.211.192.151:9001 | — | INTERNET CZ, a.s. | CZ | suspicious |
2832 | WScript.exe | 62.27.5.120:80 | www.galladoria.de | ecotel communication ag | DE | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
med-nok.ru |
| unknown |
acroipm2.adobe.com |
| whitelisted |
armmf.adobe.com |
| whitelisted |
eventbrand.pl |
| malicious |
www.galladoria.de |
| malicious |
whatismyipaddress.com |
| shared |
whatsmyip.net |
| shared |
ardownload2.adobe.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2808 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2808 | WScript.exe | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4 |
2808 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
2412 | rad92D10.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 649 |
2412 | rad92D10.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 118 |
2412 | rad92D10.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 706 |
2412 | rad92D10.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 599 |
2412 | rad92D10.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 267 |
2412 | rad92D10.tmp | Misc activity | ET POLICY TLS possible TOR SSL traffic |
2412 | rad92D10.tmp | Misc activity | ET POLICY TLS possible TOR SSL traffic |
25 ETPRO signatures available at the full report