Analysis
-
max time kernel
76s -
max time network
62s -
platform
windows7_x64 -
resource
win7 -
submitted
16-07-2020 08:00
Static task
static1
Behavioral task
behavioral1
Sample
Adobe Reader XI.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Adobe Reader XI.exe
Resource
win10v200430
windows10_x64
0 signatures
0 seconds
General
-
Target
Adobe Reader XI.exe
-
Size
972KB
-
MD5
2e78f507e765c9a2115684674b208807
-
SHA1
b15107bec5389d221916a49718a69651474822fa
-
SHA256
34408552d34edc061e6bce5aa476bdfa09f5c8a7f1936d902dea430c0fa14d62
-
SHA512
f3ea9738b408f6083a8683c27981254d90351808c4d3eefe95a0a39ac79d48990cefbd162209d35359859b0895fa3f0166d9be6a6b5822f76763de62ac92adde
Score
7/10
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Adobe Reader XI.exedescription pid process target process PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe PID 1088 wrote to memory of 1400 1088 Adobe Reader XI.exe RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Adobe Reader XI.exedescription pid process target process PID 1088 set thread context of 1400 1088 Adobe Reader XI.exe RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid process Token: SeDebugPrivilege 1400 RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 1400 RegSvcs.exe 1400 RegSvcs.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAVLA = "C:\\Users\\Admin\\AppData\\Roaming\\BAVLA\\BAVLA.exe" RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Adobe Reader XI.exe"C:\Users\Admin\AppData\Local\Temp\Adobe Reader XI.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1088 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
PID:1400