83dc40c5814d63f0ff34410b5d0b73cc9eedec070af5f6934d63f73d562835f8

System Information Discovery

Processes:

adobe.exeIRMOutstandingReport_1594432868602.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	adobe.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	IRMOutstandingReport_1594432868602.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

IRMOutstandingReport_1594432868602.exepowershell.exeadobe.exepowershell.exeadobe.exe

description	pid	process
Token: SeDebugPrivilege	1104	IRMOutstandingReport_1594432868602.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1836	adobe.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1480	adobe.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

IRMOutstandingReport_1594432868602.exeadobe.exe

description	pid	process	target process
PID 1104 set thread context of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1836 set thread context of 1480	1836	adobe.exe	adobe.exe

Loads dropped DLL 8 IoCs

Processes:

IRMOutstandingReport_1594432868602.exeadobe.exe

pid process

1528 IRMOutstandingReport_1594432868602.exe
1808
1480 adobe.exe
1480 adobe.exe
1480 adobe.exe
1480 adobe.exe
1480 adobe.exe
1480 adobe.exe

pid	process
1528	IRMOutstandingReport_1594432868602.exe
1808
1480	adobe.exe
1480	adobe.exe
1480	adobe.exe
1480	adobe.exe
1480	adobe.exe
1480	adobe.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

adobe.exeIRMOutstandingReport_1594432868602.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	adobe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	IRMOutstandingReport_1594432868602.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	IRMOutstandingReport_1594432868602.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

adobe.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	adobe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	adobe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	adobe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	adobe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

IRMOutstandingReport_1594432868602.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft.exe = "C:\\ProgramData\\adobe.exe"	IRMOutstandingReport_1594432868602.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

IRMOutstandingReport_1594432868602.exepowershell.exeadobe.exepowershell.exe

pid	process
1104	IRMOutstandingReport_1594432868602.exe
1104	IRMOutstandingReport_1594432868602.exe
1104	IRMOutstandingReport_1594432868602.exe
1104	IRMOutstandingReport_1594432868602.exe
1816	powershell.exe
1816	powershell.exe
1836	adobe.exe
684	powershell.exe
684	powershell.exe

NTFS ADS 1 IoCs

Processes:

IRMOutstandingReport_1594432868602.exe

description ioc process

File created C:\ProgramData:ApplicationData IRMOutstandingReport_1594432868602.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	IRMOutstandingReport_1594432868602.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

adobe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	adobe.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

744 schtasks.exe

pid	process
744	schtasks.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

IRMOutstandingReport_1594432868602.exeadobe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IRMOutstandingReport_1594432868602.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adobe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	adobe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IRMOutstandingReport_1594432868602.exe

Drops startup file 2 IoCs

Processes:

IRMOutstandingReport_1594432868602.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	IRMOutstandingReport_1594432868602.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	IRMOutstandingReport_1594432868602.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

Processes:

adobe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	adobe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\jBggKKA = "0"	adobe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	adobe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	adobe.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

IRMOutstandingReport_1594432868602.exeIRMOutstandingReport_1594432868602.exeadobe.exeadobe.exe

description	pid	process	target process
PID 1104 wrote to memory of 744	1104	IRMOutstandingReport_1594432868602.exe	schtasks.exe
PID 1104 wrote to memory of 744	1104	IRMOutstandingReport_1594432868602.exe	schtasks.exe
PID 1104 wrote to memory of 744	1104	IRMOutstandingReport_1594432868602.exe	schtasks.exe
PID 1104 wrote to memory of 744	1104	IRMOutstandingReport_1594432868602.exe	schtasks.exe
PID 1104 wrote to memory of 1056	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1056	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1056	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1056	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1092	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1092	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1092	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1092	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1044	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1044	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1044	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1044	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	IRMOutstandingReport_1594432868602.exe
PID 1528 wrote to memory of 1816	1528	IRMOutstandingReport_1594432868602.exe	powershell.exe
PID 1528 wrote to memory of 1816	1528	IRMOutstandingReport_1594432868602.exe	powershell.exe
PID 1528 wrote to memory of 1816	1528	IRMOutstandingReport_1594432868602.exe	powershell.exe
PID 1528 wrote to memory of 1816	1528	IRMOutstandingReport_1594432868602.exe	powershell.exe
PID 1528 wrote to memory of 1836	1528	IRMOutstandingReport_1594432868602.exe	adobe.exe
PID 1528 wrote to memory of 1836	1528	IRMOutstandingReport_1594432868602.exe	adobe.exe
PID 1528 wrote to memory of 1836	1528	IRMOutstandingReport_1594432868602.exe	adobe.exe
PID 1528 wrote to memory of 1836	1528	IRMOutstandingReport_1594432868602.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1836 wrote to memory of 1480	1836	adobe.exe	adobe.exe
PID 1480 wrote to memory of 684	1480	adobe.exe	powershell.exe
PID 1480 wrote to memory of 684	1480	adobe.exe	powershell.exe
PID 1480 wrote to memory of 684	1480	adobe.exe	powershell.exe
PID 1480 wrote to memory of 684	1480	adobe.exe	powershell.exe
PID 1480 wrote to memory of 528	1480	adobe.exe	cmd.exe
PID 1480 wrote to memory of 528	1480	adobe.exe	cmd.exe
PID 1480 wrote to memory of 528	1480	adobe.exe	cmd.exe
PID 1480 wrote to memory of 528	1480	adobe.exe	cmd.exe
PID 1480 wrote to memory of 528	1480	adobe.exe	cmd.exe
PID 1480 wrote to memory of 528	1480	adobe.exe	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

adobe.exeadobe.exe

pid process

1836 adobe.exe
1480 adobe.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

adobe.exe

pid process

1480 adobe.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

1808
1808
1808

pid	process
1836	adobe.exe
1480	adobe.exe

pid	process
1480	adobe.exe

pid	process
1808
1808
1808

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

IRMOutstandingReport_1594432868602.exeadobe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	IRMOutstandingReport_1594432868602.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	adobe.exe

Drops file in System32 directory 1 IoCs

Processes:

adobe.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll adobe.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	adobe.exe

C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
"C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe"
1⤵
- Looks for VMWare Tools registry key
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
- Looks for VirtualBox Guest Additions in registry
PID:1104

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oTIZQT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8545.tmp"
2⤵
- Creates scheduled task(s)
PID:744

C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
"{path}"
2⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
"{path}"
2⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
"{path}"
2⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
"{path}"
2⤵
- Loads dropped DLL
- Adds Run entry to start application
- NTFS ADS
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\ProgramData\adobe.exe
"C:\ProgramData\adobe.exe"
3⤵
- Looks for VMWare Tools registry key
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Looks for VirtualBox Guest Additions in registry
PID:1836

C:\ProgramData\adobe.exe
"{path}"
4⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
- Modifies system certificate store
- Sets DLL path for service in the registry
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
PID:1480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery