c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d

General

Target

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
Size

223KB
MD5

0b89e3e11d64e96a9eb841c297c3e795
SHA1

ee91492d04556958af32986a5f235a4c528c9178
SHA256

c8fbdfebce02c75b83f14b5706f8b874435c33d48cc868bf046f13fe3dfad98d
SHA512

d91acd5c4b45ef6b7f5a6a006c74e067e193bbac6beef17f5c8893fbed0e6f40d3cde335b21f1068a48f5ba6e4164616d568dcab58bb306c18a5fada16aed690

Score

8^/10

persistence spyware

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

adobe.exeadobe.exe

pid process

1516 adobe.exe
1908 adobe.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

adobe.exe

pid process

1908 adobe.exe
Drops file in Program Files directory 2 IoCs

Processes:

adobe.exe

description ioc process

File created C:\Program Files\Microsoft DN1\sqlmap.dll adobe.exe
File created C:\Program Files\Microsoft DN1\rdpwrap.ini adobe.exe

pid	process
1516	adobe.exe
1908	adobe.exe

pid	process
1908	adobe.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	adobe.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	adobe.exe

Drops startup file 2 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

NTFS ADS 1 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

description ioc process

File created C:\ProgramData:ApplicationData INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exepowershell.exeadobe.exepowershell.exe

pid	process
608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
1052	powershell.exe
1052	powershell.exe
1516	adobe.exe
1988	powershell.exe
1988	powershell.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

adobe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	adobe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\taxcpId = "0"	adobe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	adobe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	adobe.exe

Drops file in System32 directory 1 IoCs

Processes:

adobe.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll adobe.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	adobe.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adobe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	adobe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

452 schtasks.exe

pid	process
452	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exepowershell.exeadobe.exepowershell.exeadobe.exe

description	pid	process
Token: SeDebugPrivilege	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1516	adobe.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1908	adobe.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exeadobe.exe

description	pid	process	target process
PID 608 set thread context of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 1516 set thread context of 1908	1516	adobe.exe	adobe.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

296
296
296

pid	process
296
296
296

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exeINV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exeadobe.exeadobe.exe

description	pid	process	target process
PID 608 wrote to memory of 452	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	schtasks.exe
PID 608 wrote to memory of 452	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	schtasks.exe
PID 608 wrote to memory of 452	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	schtasks.exe
PID 608 wrote to memory of 452	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	schtasks.exe
PID 608 wrote to memory of 836	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 836	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 836	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 836	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 608 wrote to memory of 1160	608	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
PID 1160 wrote to memory of 1052	1160	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	powershell.exe
PID 1160 wrote to memory of 1052	1160	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	powershell.exe
PID 1160 wrote to memory of 1052	1160	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	powershell.exe
PID 1160 wrote to memory of 1052	1160	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	powershell.exe
PID 1160 wrote to memory of 1516	1160	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	adobe.exe
PID 1160 wrote to memory of 1516	1160	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	adobe.exe
PID 1160 wrote to memory of 1516	1160	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	adobe.exe
PID 1160 wrote to memory of 1516	1160	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1516 wrote to memory of 1908	1516	adobe.exe	adobe.exe
PID 1908 wrote to memory of 1988	1908	adobe.exe	powershell.exe
PID 1908 wrote to memory of 1988	1908	adobe.exe	powershell.exe
PID 1908 wrote to memory of 1988	1908	adobe.exe	powershell.exe
PID 1908 wrote to memory of 1988	1908	adobe.exe	powershell.exe
PID 1908 wrote to memory of 1956	1908	adobe.exe	cmd.exe
PID 1908 wrote to memory of 1956	1908	adobe.exe	cmd.exe
PID 1908 wrote to memory of 1956	1908	adobe.exe	cmd.exe
PID 1908 wrote to memory of 1956	1908	adobe.exe	cmd.exe
PID 1908 wrote to memory of 1956	1908	adobe.exe	cmd.exe
PID 1908 wrote to memory of 1956	1908	adobe.exe	cmd.exe

Loads dropped DLL 8 IoCs

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exeadobe.exe

pid	process
1160	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
296
1908	adobe.exe
1908	adobe.exe
1908	adobe.exe
1908	adobe.exe
1908	adobe.exe
1908	adobe.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft.exe = "C:\\ProgramData\\adobe.exe"	INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe

C:\Users\Admin\AppData\Local\Temp\INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pIIBrU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D1B.tmp"
2⤵
- Creates scheduled task(s)
PID:452

C:\Users\Admin\AppData\Local\Temp\INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
"{path}"
2⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\INV_QTYD33_of 2020-ASIA CITRA PRATAMA -AIRO 34-20_pdf.exe
"{path}"
2⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Adds Run entry to start application
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\ProgramData\adobe.exe
"C:\ProgramData\adobe.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516

C:\ProgramData\adobe.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Drops file in Program Files directory
- Modifies WinLogon
- Drops file in System32 directory
- Sets DLL path for service in the registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

2

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\ProgramData\adobe.exe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_231c2208-0720-4eec-b9f1-8bba11abd9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_235184f8-dcca-4459-ace7-181c154dff79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_57c6647c-75fc-47bb-8ce4-3b8f0921c533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_66b6971c-c0de-45de-825d-cc7d49ef1716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6d5fa298-996f-4fc9-9c01-b2226cbdaeba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_71d6eae7-3380-4cb3-a8a0-b26738b9e2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7d6878ec-2a8b-418c-8f2b-b6fcd4b50cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de4eedb8-4762-4c56-b80c-203df3aa6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e43ce3f6-b60d-4b70-bed1-86e53bf07360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f17a3c81-b2fd-43f9-9679-dbe29e33f943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f9750d79-4871-47e8-88a8-1df956565712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fabbb9cf-9b8c-4b2f-b33d-0de7a9a3a10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D1B.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

Download Submit
\ProgramData\adobe.exe

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll

Download Submit
memory/452-0-0x0000000000000000-mapping.dmp

Download
memory/1052-5-0x0000000000000000-mapping.dmp

Download
memory/1160-4-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1160-2-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1160-3-0x0000000000405A3D-mapping.dmp

Download
memory/1516-7-0x0000000000000000-mapping.dmp

Download
memory/1908-14-0x0000000000405A3D-mapping.dmp

Download
memory/1908-16-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1956-23-0x0000000000000000-mapping.dmp

Download
memory/1956-22-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1956-18-0x0000000000000000-mapping.dmp

Download
memory/1988-17-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads