netwire | e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

General

Target

Solictud_de_cotizacion (3699663-2020).exe
Size

553KB
MD5

748e4a49b7e306d7eb45aaa7b10faf5d
SHA1

ed4e974775f050e65233116fdbb28921618fceb7
SHA256

e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
SHA512

378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Score

10^/10

rat persistence botnet stealer netwire

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exeSolictud_de_cotizacion (3699663-2020).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Solictud_de_cotizacion (3699663-2020).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solictud_de_cotizacion (3699663-2020).exe"	Solictud_de_cotizacion (3699663-2020).exe

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of WriteProcessMemory 286 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3740 wrote to memory of 3048	3740	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 3740 wrote to memory of 3048	3740	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 3740 wrote to memory of 3048	3740	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 3740 wrote to memory of 2928	3740	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 3740 wrote to memory of 2928	3740	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 3740 wrote to memory of 2928	3740	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 3740 wrote to memory of 540	3740	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 3740 wrote to memory of 540	3740	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 3740 wrote to memory of 540	3740	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 2928 wrote to memory of 860	2928	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 2928 wrote to memory of 860	2928	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 2928 wrote to memory of 860	2928	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 540 wrote to memory of 864	540	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 540 wrote to memory of 864	540	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 540 wrote to memory of 864	540	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 860 wrote to memory of 1268	860	Host.exe	AcroRd32.exe
PID 860 wrote to memory of 1268	860	Host.exe	AcroRd32.exe
PID 860 wrote to memory of 1268	860	Host.exe	AcroRd32.exe
PID 860 wrote to memory of 1436	860	Host.exe	Host.exe
PID 860 wrote to memory of 1436	860	Host.exe	Host.exe
PID 860 wrote to memory of 1436	860	Host.exe	Host.exe
PID 860 wrote to memory of 1636	860	Host.exe	Host.exe
PID 860 wrote to memory of 1636	860	Host.exe	Host.exe
PID 860 wrote to memory of 1636	860	Host.exe	Host.exe
PID 864 wrote to memory of 1840	864	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 864 wrote to memory of 1840	864	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 864 wrote to memory of 1840	864	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 864 wrote to memory of 1932	864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 864 wrote to memory of 1932	864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 864 wrote to memory of 1932	864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 864 wrote to memory of 1476	864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 864 wrote to memory of 1476	864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 864 wrote to memory of 1476	864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1268 wrote to memory of 2080	1268	AcroRd32.exe	RdrCEF.exe
PID 1268 wrote to memory of 2080	1268	AcroRd32.exe	RdrCEF.exe
PID 1268 wrote to memory of 2080	1268	AcroRd32.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe
PID 2080 wrote to memory of 2396	2080	RdrCEF.exe	RdrCEF.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

description	pid	process	target process
PID 3740 set thread context of 2928	3740	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 860 set thread context of 1436	860	Host.exe	Host.exe
PID 864 set thread context of 1932	864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1268 AcroRd32.exe

pid	process
1268	AcroRd32.exe

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2928-1-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2928-1-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2928-2-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2928-4-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2928-4-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1436-14-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/1436-17-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1436-17-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1932-21-0x000000000040242D-mapping.dmp	netwire

Modifies registry class 3 IoCs

Processes:

Host.exeSolictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings	Solictud_de_cotizacion (3699663-2020).exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings	Solictud_de_cotizacion (3699663-2020).exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 5194 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

pid	process
3740	Solictud_de_cotizacion (3699663-2020).exe
3740	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
860	Host.exe
860	Host.exe
540	Solictud_de_cotizacion (3699663-2020).exe
540	Solictud_de_cotizacion (3699663-2020).exe
864	Solictud_de_cotizacion (3699663-2020).exe
864	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1636	Host.exe
1636	Host.exe
1636	Host.exe
1636	Host.exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1636	Host.exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1636	Host.exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe
1476	Solictud_de_cotizacion (3699663-2020).exe
1636	Host.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

pid process

3740 Solictud_de_cotizacion (3699663-2020).exe
860 Host.exe
864 Solictud_de_cotizacion (3699663-2020).exe
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

860 Host.exe
1436 Host.exe
1636 Host.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exe

pid process

1268 AcroRd32.exe
1840 AcroRd32.exe
3048 AcroRd32.exe
1268 AcroRd32.exe
1268 AcroRd32.exe
1268 AcroRd32.exe
1268 AcroRd32.exe
1268 AcroRd32.exe

pid	process
860	Host.exe
1436	Host.exe
1636	Host.exe

pid	process
1268	AcroRd32.exe
1840	AcroRd32.exe
3048	AcroRd32.exe
1268	AcroRd32.exe
1268	AcroRd32.exe
1268	AcroRd32.exe
1268	AcroRd32.exe
1268	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3740

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
PID:860

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
PID:1268

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DEA8C09C1BE5925C497E092A2D323BAE --mojo-platform-channel-handle=1648 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:2396

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B73891A8B5774200FC6A0BB967E9710D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B73891A8B5774200FC6A0BB967E9710D --renderer-client-id=2 --mojo-platform-channel-handle=1656 --allow-no-sandbox-job /prefetch:1
6⤵
PID:2612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4A9ADA6004731B85EE8985076C08B9B9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4A9ADA6004731B85EE8985076C08B9B9 --renderer-client-id=4 --mojo-platform-channel-handle=2088 --allow-no-sandbox-job /prefetch:1
6⤵
PID:3144

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B83A6079EA8E773CEF8F9CCBC291D7F0 --mojo-platform-channel-handle=2464 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3900

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=677735919CA10FF17FAFBE50EAEE937B --mojo-platform-channel-handle=1640 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3740

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E11595F78ACD853B5681BCE5CB3B712A --mojo-platform-channel-handle=2024 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:908

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Adds Run key to start application
- Executes dropped EXE
PID:1436

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" 2 1436 84515
4⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe" 2 2928 83625
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:540

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
4⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
4⤵
- Adds Run key to start application
PID:1932

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe" 2 1932 84781
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Orden.pdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Orden.pdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Orden.pdf

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Download Submit
memory/540-3-0x0000000000000000-mapping.dmp

Download
memory/860-5-0x0000000000000000-mapping.dmp

Download
memory/864-9-0x0000000000000000-mapping.dmp

Download
memory/908-46-0x00000000779C2000-0x00000000779C200C-memory.dmp

Filesize
12B

Download
memory/908-47-0x0000000000000000-mapping.dmp

Download
memory/1268-12-0x0000000000000000-mapping.dmp

Download
memory/1436-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-14-0x000000000040242D-mapping.dmp

Download
memory/1476-22-0x0000000000000000-mapping.dmp

Download
memory/1636-16-0x0000000000000000-mapping.dmp

Download
memory/1840-18-0x0000000000000000-mapping.dmp

Download
memory/1932-21-0x000000000040242D-mapping.dmp

Download
memory/2080-24-0x0000000000000000-mapping.dmp

Download
memory/2396-28-0x0000000000000000-mapping.dmp

Download
memory/2396-27-0x00000000779C2000-0x00000000779C200C-memory.dmp

Filesize
12B

Download
memory/2612-30-0x00000000779C2000-0x00000000779C200C-memory.dmp

Filesize
12B

Download
memory/2612-31-0x0000000000000000-mapping.dmp

Download
memory/2928-2-0x000000000040242D-mapping.dmp

Download
memory/2928-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-0-0x0000000000000000-mapping.dmp

Download
memory/3144-36-0x0000000000000000-mapping.dmp

Download
memory/3144-35-0x00000000779C2000-0x00000000779C200C-memory.dmp

Filesize
12B

Download
memory/3740-43-0x00000000779C2000-0x00000000779C200C-memory.dmp

Filesize
12B

Download
memory/3740-44-0x0000000000000000-mapping.dmp

Download
memory/3900-41-0x0000000000000000-mapping.dmp

Download
memory/3900-40-0x00000000779C2000-0x00000000779C200C-memory.dmp

Filesize
12B

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads