Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

37429345.pdf

PDF document, version 1.7, 1 pages

initial sample

C:\Users\user\Downloads\513954456.dps_tax_gov_ua_176226535.rar (copy)

RAR archive data, v5

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\723d1a5a-4f47-4289-b433-2aa9ad5e2b20.tmp

JSON data

modified

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

JSON data

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

data

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241028142708Z-155.bmp

PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54

dropped

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15

dropped

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

SQLite Rollback Journal

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Certificate, Version=3

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

data

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

modified

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

data

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

JSON data

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

SQLite Rollback Journal

dropped

C:\Users\user\AppData\Local\Temp\MSIad893.LOG

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-28 10-27-06-695.log

ASCII text, with very long lines (393)

dropped

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

ASCII text, with very long lines (393), with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\acrocef_low\6ee0b094-f2c6-4645-a5a2-9a9df4394ce1.tmp

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142

dropped

C:\Users\user\AppData\Local\Temp\acrocef_low\87883da0-c82d-407e-a1ea-dd71b0ead875.tmp

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538

dropped

C:\Users\user\AppData\Local\Temp\acrocef_low\901bea46-0b1e-414e-aaee-395cc5d00d91.tmp

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022

dropped

C:\Users\user\AppData\Local\Temp\acrocef_low\a370874e-bcdd-4bf8-a370-4f8f9141501d.tmp

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081

dropped

C:\Users\user\AppData\Local\Temp\ehbd2um4.twn\dps_tax_gov_ua_0739220983\??????????? ????? ?????????? ?????????? ??????.zip

Zip archive data, at least v1.0 to extract, compression method=store

dropped

C:\Users\user\AppData\Local\Temp\unarchiver.log

ASCII text, with CRLF line terminators

dropped

C:\Users\user\Downloads\043d1ca2-3fb4-42fb-948c-65f223f0ca31.tmp

RAR archive data, v5

dropped

C:\Users\user\Downloads\513954456.dps_tax_gov_ua_176226535.rar.crdownload

RAR archive data, v5

dropped

Chrome Cache Entry: 167

RAR archive data, v5

downloaded

There are 25 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://qaz.is/load/sbKAaA/3f17f87a-a234-409b-bbd0-744b84a6a8a2"

Details

Is windows:	true
Is dropped:	false
PID:	4520
Target ID:	9
Parent PID:	6108
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "https://qaz.is/load/sbKAaA/3f17f87a-a234-409b-bbd0-744b84a6a8a2"
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	10:27:28
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2004,i,17071369610916808375,4185143350945142650,262144 /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	2724
Target ID:	10
Parent PID:	4520
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=2004,i,17071369610916808375,4185143350945142650,262144 /prefetch:8
Size:	3242272
MD5:	45DE480806D1B5D462A7DDE4DCEFC4E4
Time:	10:27:29
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff76e190000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\37429345.pdf"

Details

Is windows:	true
Is dropped:	false
PID:	7416
Target ID:	0
Parent PID:	2580
Name:	Acrobat.exe
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Desktop\37429345.pdf"
Size:	5641176
MD5:	24EAD1C46A47022347DC0F05F6EFBB8C
Time:	10:27:03
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6bc1b0000
Modulesize:	5693440
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215

Details

Is windows:	true
Is dropped:	false
PID:	7596
Target ID:	1
Parent PID:	7416
Name:	AcroCEF.exe
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Size:	3581912
MD5:	9B38E8E8B6DD9622D24B53E095C5D9BE
Time:	10:27:04
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff74bb60000
Modulesize:	3620864
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1572,i,1330519624578338231,8165089248166413219,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7780
Target ID:	3
Parent PID:	7596
Name:	AcroCEF.exe
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1572,i,1330519624578338231,8165089248166413219,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Size:	3581912
MD5:	9B38E8E8B6DD9622D24B53E095C5D9BE
Time:	10:27:04
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff74bb60000
Modulesize:	3620864
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\unarchiver.exe

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\513954456.dps_tax_gov_ua_176226535.rar"

Details

Is windows:	true
Is dropped:	false
PID:	7492
Target ID:	13
Parent PID:	4520
Name:	unarchiver.exe
Path:	C:\Windows\SysWOW64\unarchiver.exe
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\513954456.dps_tax_gov_ua_176226535.rar"
Size:	12800
MD5:	16FF3CC6CC330A08EED70CBC1D35F5D2
Time:	10:28:34
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x50000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\7za.exe

"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ehbd2um4.twn" "C:\Users\user\Downloads\513954456.dps_tax_gov_ua_176226535.rar"

Details

Is windows:	true
Is dropped:	false
PID:	7572
Target ID:	14
Parent PID:	7492
Name:	7za.exe
Path:	C:\Windows\SysWOW64\7za.exe
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\ehbd2um4.twn" "C:\Users\user\Downloads\513954456.dps_tax_gov_ua_176226535.rar"
Size:	289792
MD5:	77E556CDFDC5C592F5C46DB4127C6F4C
Time:	10:28:34
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x460000
Modulesize:	315392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7472
Target ID:	15
Parent PID:	7572
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:28:34
Date:	28/10/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://x1.i.lencr.org/

unknown

https://qaz.is/load/sbKAaA/3f17f87a-a234-409b-bbd0-744b84a6a8a2

80.87.203.251

Details

Name:	https://qaz.is/load/sbKAaA/3f17f87a-a234-409b-bbd0-744b84a6a8a2
IP:	80.87.203.251
TargetID:	10
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Clickable URLs found in PDF	System Summary	Spearphishing Link
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

https://qaz.is/load/sbKAaA/3f17f87a-a234-409b-bbd0-744b84a6a8a2)

unknown

Domains

Name

Malicious

bg.microsoft.map.fastly.net

199.232.210.172

www.google.com

142.250.185.100

qaz.is

80.87.203.251

Details

Name:	qaz.is
IP:	80.87.203.251
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Clickable URLs found in PDF	System Summary	Spearphishing Link
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

x1.i.lencr.org

unknown

200.163.202.172.in-addr.arpa

unknown

IPs

Domain

Country

Malicious

142.250.185.100

www.google.com

United States

192.168.2.4

unknown

80.87.203.251

qaz.is

Russian Federation

239.255.255.250

unknown

Reserved

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

aFS

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

tDIText

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

tFileName

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

tFileSource

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

sFileAncestors

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

sDI

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

sDate

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

uFileSize

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

uPageCount

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

sAssetId

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c1

bisSharedFile

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c2

aFS

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c2

tDIText

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c2

tFileName

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c2

sFileAncestors

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c2

sDI

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c2

sDate

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c2

uFileSize

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c2

uPageCount

HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\cRecentFiles\c2

bisSharedFile

There are 10 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

5BA000

heap

page read and write

D1E000

stack

page read and write

263A000

trusted library allocation

page read and write

5D6000

heap

page read and write

2666000

trusted library allocation

page read and write

4C9E000

stack

page read and write

530000

heap

page read and write

962000

trusted library allocation

page execute and read and write

266B000

trusted library allocation

page read and write

9E8000

heap

page read and write

4D9F000

stack

page read and write

266F000

trusted library allocation

page read and write

7AF000

stack

page read and write

7F8E0000

trusted library allocation

page execute and read and write

450000

heap

page read and write

96C000

trusted library allocation

page execute and read and write

5ED000

heap

page read and write

1EB000

stack

page read and write

2669000

trusted library allocation

page read and write

267A000

trusted library allocation

page read and write

EC000

stack

page read and write

930000

heap

page read and write

C1E000

stack

page read and write

228E000

stack

page read and write

95A000

trusted library allocation

page execute and read and write

27D5000

heap

page read and write

2660000

trusted library allocation

page read and write

2630000

trusted library allocation

page read and write

2720000

trusted library allocation

page read and write

982000

trusted library allocation

page execute and read and write

9E0000

heap

page read and write

9D0000

heap

page read and write

1E9000

stack

page read and write

2684000

trusted library allocation

page read and write

997000

trusted library allocation

page execute and read and write

3601000

trusted library allocation

page read and write

560000

heap

page read and write

25E0000

heap

page read and write

1E6000

stack

page read and write

E5F000

stack

page read and write

263C000

trusted library allocation

page read and write

2601000

trusted library allocation

page read and write

BDE000

stack

page read and write

2677000

trusted library allocation

page read and write

550000

heap

page read and write

4A1E000

stack

page read and write

2680000

trusted library allocation

page read and write

53C000

stack

page read and write

9E0000

heap

page execute and read and write

565000

heap

page read and write

4800000

trusted library allocation

page read and write

96A000

trusted library allocation

page execute and read and write

4B5E000

stack

page read and write

940000

trusted library allocation

page read and write

99B000

trusted library allocation

page execute and read and write

49DD000

stack

page read and write

2663000

trusted library allocation

page read and write

27D0000

heap

page read and write

2650000

trusted library allocation

page read and write

5B0000

heap

page read and write

D5E000

stack

page read and write

264A000

trusted library allocation

page read and write

2672000

trusted library allocation

page read and write

47DF000

stack

page read and write

580000

heap

page read and write

4B1E000

stack

page read and write

8FD000

stack

page read and write

910000

heap

page read and write

2620000

heap

page read and write

8EF000

stack

page read and write

4C5E000

stack

page read and write

98A000

trusted library allocation

page execute and read and write

5B0000

heap

page read and write

7EE000

stack

page read and write

9DE000

stack

page read and write

2655000

trusted library allocation

page read and write

4810000

trusted library allocation

page execute and read and write

46DE000

stack

page read and write

5BE000

heap

page read and write

48DE000

stack

page read and write

5AE000

stack

page read and write

5FE000

stack

page read and write

960000

trusted library allocation

page read and write

952000

trusted library allocation

page execute and read and write

2610000

heap

page read and write

There are 75 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
37429345.pdf

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report37429345.pdf

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
37429345.pdf