Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Vanderweil Engineers, LLP..pdf

PDF document, version 1.7, 1 pages

initial sample

C:\Program Files\ChromiumTemp3652_1449008672\model-info.pb

data

dropped

C:\Program Files\ChromiumTemp3652_1449008672\model.tflite

data

dropped

C:\Program Files\ChromiumTemp3652_1961238311\model-info.pb

data

dropped

C:\Program Files\ChromiumTemp3652_1961238311\model.tflite

data

dropped

C:\Program Files\ChromiumTemp3652_392935131\model-info.pb

data

dropped

C:\Program Files\ChromiumTemp3652_392935131\model.tflite

data

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

data

modified

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old~RF6cec62.TMP (copy)

ASCII text

dropped

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links

data

dropped

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-240328193233Z-179.bmp

PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54

dropped

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

SQLite 3.x database, last written using SQLite version 3024000, file counter 15, database pages 15, cookie 0x5, schema 4, UTF-8, version-valid-for 15

dropped

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

SQLite Rollback Journal

dropped

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache.bin

data

dropped

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6ea49823-e825-454f-927c-2ac42bf6c0de\model.tflite (copy)

data

dropped

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\d1abae24-49f9-4f40-93be-6ffe6c203ae7\model.tflite (copy)

data

dropped

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\eea6d789-5259-4f6b-92cd-59ac167f226d\model.tflite (copy)

data

dropped

Chrome Cache Entry: 111

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 112

HTML document, ASCII text, with very long lines (4020)

downloaded

Chrome Cache Entry: 113

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 114

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 115

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 116

ASCII text, with very long lines (32065)

downloaded

Chrome Cache Entry: 117

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 118

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 119

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 120

ASCII text, with very long lines (7043), with no line terminators

downloaded

Chrome Cache Entry: 121

ASCII text, with very long lines (50758)

downloaded

Chrome Cache Entry: 122

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 123

ASCII text, with very long lines (65536), with no line terminators

downloaded

Chrome Cache Entry: 124

HTML document, ASCII text

downloaded

Chrome Cache Entry: 125

SVG Scalable Vector Graphics image

dropped

There are 24 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Vanderweil Engineers, LLP..pdf"

Details

Is windows:	true
Is dropped:	false
PID:	2856
Target ID:	0
Parent PID:	1244
Name:	AcroRd32.exe
Class:	acrobat
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\Desktop\Vanderweil Engineers, LLP..pdf"
Size:	2525680
MD5:	2F8D93826B8CBF9290BC57535C7A6817
Time:	20:32:27
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1a0000
Modulesize:	2539520
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Modification of IE Registry Settings	System Summary
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

Details

Is windows:	true
Is dropped:	false
PID:	2588
Target ID:	2
Parent PID:	2856
Name:	RdrCEF.exe
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Commandline:	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Size:	9805808
MD5:	326A645391A97C760B60C558A35BB068
Time:	20:32:31
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1240000
Modulesize:	9830400
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "https://prident-group.com/"

Details

Is windows:	true
Is dropped:	false
PID:	3652
Target ID:	4
Parent PID:	1700
Name:	chrome.exe
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "https://prident-group.com/"
Size:	3151128
MD5:	FFA2B8E17F645BCC20F0E0201FEF83ED
Time:	20:32:52
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x13f570000
Modulesize:	3227648
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1280,i,13602845175421175850,11116694525089090820,131072 /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	3828
Target ID:	5
Parent PID:	3652
Name:	chrome.exe
Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1280,i,13602845175421175850,11116694525089090820,131072 /prefetch:8
Size:	3151128
MD5:	FFA2B8E17F645BCC20F0E0201FEF83ED
Time:	20:32:53
Date:	28/03/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x13f570000
Modulesize:	3227648
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://prident-group.com/77624fc8e83077b92433578af825365d6605c5e808f5dLOG77624fc8e83077b92433578af825365d6605c5e808f5e

https://prident-group.com/1

5.42.65.39

https://prident-group.com/js/c4cb7af9e3c7df1f0ade3b8159ba2d5b6605c5e839892

5.42.65.39

https://prident-group.com/x/c4cb7af9e3c7df1f0ade3b8159ba2d5b6605c5eadf065

5.42.65.39

https://github.com/twbs/bootstrap/graphs/contributors)

unknown

https://prident-group.com/boot/c4cb7af9e3c7df1f0ade3b8159ba2d5b6605c5e839891

5.42.65.39

https://prident-group.com/ASSETS/img/sig-op.svg

5.42.65.39

https://deptwoosinc.com/)

unknown

https://prident-group.com/jq/c4cb7af9e3c7df1f0ade3b8159ba2d5b6605c5e83988d

5.42.65.39

https://prident-group.com/

5.42.65.39

https://github.com/twbs/bootstrap/blob/master/LICENSE)

unknown

https://prident-group.com/o/c4cb7af9e3c7df1f0ade3b8159ba2d5b6605c5eadf419

5.42.65.39

https://prident-group.com/ASSETS/img/m_.svg

5.42.65.39

https://prident-group.com/favicon.ico

5.42.65.39

https://getbootstrap.com/)

unknown

https://prident-group.com/)

unknown

https://prident-group.com/APP-c4cb7af9e3c7df1f0ade3b8159ba2d5b6605c5eadf05f/c4cb7af9e3c7df1f0ade3b8159ba2d5b6605c5eadf060

5.42.65.39

There are 7 hidden URLs, click here to show them.

Domains

Name

Malicious

prident-group.com

5.42.65.39

Details

Name:	prident-group.com
IP:	5.42.65.39
TargetID:	5
Current Path:	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Clickable URLs found in PDF	System Summary	Spearphishing Link
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

www.google.com

142.251.167.147

IPs

Domain

Country

Malicious

239.255.255.250

unknown

Reserved

142.251.167.147

www.google.com

United States

5.42.65.39

prident-group.com

Russian Federation

192.168.2.4

unknown

192.168.2.255

unknown