infinitylock | bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4

Resubmissions

04-09-2021 18:09

210904-wrxmsshegj 10

31-08-2020 12:21

200831-tnfgvzw7da 10

Analysis

max time kernel
83s
max time network
113s
platform
windows10_x64
resource
win10v200722
submitted
31-08-2020 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
Size

77KB
MD5

4e24780d9700a1cb9d741d7ef51889f1
SHA1

4700da92e1f99b576ff517d3fa18103c67ac0d11
SHA256

bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4
SHA512

c1d2501b95822796d6116711d426463dd95fd059201e11cf19f9ba8709782e6997cd4d2c04eb163199d305e04e04462ed032a53f50f9df0f4ff495dfb75450a0

Score

10^/10

ransomware infinitylock

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RegisterMount.raw.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SendConvertFrom.tiff.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromInvoke.tiff.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DebugConvertTo.tiff.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\FindRestore.tif.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\WriteMerge.crw.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectExit.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeUnlock.tiff.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SkipEnter.raw.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

Drops file in Program Files directory 2779 IoCs

Processes:

bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main-selector.css.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\welcome-2x.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_audit_report_18.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\sl.pak.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\combinepdf-tool-view.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\en_get.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyFolder_160.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\VisualElements\SmallLogo.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Extensions\external_extensions.json.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ko_get.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tr_get.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\fa.pak.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\Comb_field_White@1x.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugin.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\PlayStore_icon.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\fake_logo.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.dll.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateHelper.msi.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview_selected.svg.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_ie8.gif.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\ui-strings.js.0F36340B4B5C3C0B4145B9EB17F6671934C9DCEAB81826836DCA44337CCC3C94	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 1fa0ff96a27fd601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svchost.exebfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

description	pid	process
Token: SeShutdownPrivilege	2596	svchost.exe
Token: SeCreatePagefilePrivilege	2596	svchost.exe
Token: SeDebugPrivilege	424	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

C:\Users\Admin\AppData\Local\Temp\bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/424-0-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/424-1-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/424-3-0x0000000005710000-0x0000000005739000-memory.dmp

Filesize
164KB

Download
memory/424-4-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/424-5-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

Filesize
4KB

Download
memory/424-6-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/424-7-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/424-8-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/424-9-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download