Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.09 10:09
vjgg.exe
09.09 10:09
lnef.exe
09.09 10:09
1.exe
09.09 10:09
oclo.exe
09.09 10:09
pclient.exe
09.09 10:09
lemon.exe
09.09 10:09
responsibilityleadpro.exe
09.09 09:09
Twitch x Loot Lab Even...
09.09 09:09
66dcad8f5f33a_crypted.exe
09.09 09:09
sgf.exe

Latest News
09.09 02:09
국정원, CSK 2024서 주요 사이버안...
09.09 02:09
Mainframe Chip has 360...
09.09 01:09
U.S. Offers $10 Millio...
09.09 01:09
밸롭·웨이든, 24FW 뉴 컬렉션 런칭에...
09.09 01:09
플로리아, 층간소음매트부문 '2024년 ...
09.09 01:09
웹 예능 '기억을 잊는 밤' 누적 조회수...
09.09 01:09
한국장학진흥원, 심리상담사 자격증 24종...
09.09 01:09
코드크레용 'Shortime', 글로벌 ...
09.09 01:09
핀블랙(PINBLACK), 빈티지 '여성...
09.09 01:09
Why ICS Is the Busines...

Summary | ZeroBOX

1.pdf

PDF

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 5, 2021, 10:31 a.m.	Aug. 5, 2021, 10:34 a.m.

Size	693.6KB
Type	PDF document, version 2.0
MD5	`a0c7e9dc69e439cb431e6dea9f0d5930`
SHA256	`359ab5e0b57da0307ca9472e5b225dcd0f9dc9bf2efd2f15b1ca45b78791b6bc`
CRC32	`308D9976`
ssdeep	`12288:e9wwBpdbie7g84OTKuBqOX1BNVT5m+YH+JARGEwuxkIOcaj/5vDTWjaOyG2:Xkdz7y2DBJ1dYHoARzTkjcwvDTWOL`
Yara	PDF_Format_Z - PDF Format

AcroRd32.exe "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" C:\Users\test22\AppData\Local\Temp\1.pdf
2004
- Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US
  2460
- Adobe_Updater.exe "C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
  2112
explorer.exe C:\Windows\Explorer.EXE
1248

Name	Response	Post-Analysis Lookup
swupmf.adobe.com	CNAME ssl.adobe.com.edgekey.net CNAME e4578.dscb.akamaiedge.net A 23.212.12.57 A 23.40.44.138	104.109.240.143

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.212.12.57	Active	Moloch
23.40.44.138	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 5, 2021, 10:32 a.m.		1	1	0

Performs some HTTP requests (2 events)

request	GET http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd
request	GET http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 5, 2021, 10:31 a.m.	process_identifier: 2004 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fe73000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 5, 2021, 10:25 a.m.	process_identifier: 1248 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory Aug. 5, 2021, 10:33 a.m.	process_identifier: 2112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71b22000 process_handle: 0xffffffff	1	0	0

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

ALYac	Trojan.PDF.208091A
Kaspersky	UDS:Trojan-Dropper.PDF.Agent.a
ViRobot	Trojan.Win32.S.FakePDF.710268
McAfee-GW-Edition	Artemis
AhnLab-V3	Exploit/PDF.FakeDocu
McAfee	Artemis!A0C7E9DC69E4
Qihoo-360	susp.pdf.jsexp.gen

One or more non-whitelisted processes were created (2 events)

parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -AU_LAUNCH_MODE=1 -AU_DISPLAY_LANG=en_US -AU_LAUNCH_APPID=reader9rdr-en_US
parent_process	acrord32.exe				martian_process	"C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-en_US