formbook | 1c9bd5c0c394b6aa7606bac0e69e85d65c5321ac6a17d9615d7e3a813bf44193

General

Target

Statement for T10495.jar
Size

811KB
MD5

0764a56dda2fd74d87e9303972af246c
SHA1

e0cb38683d4a5e83c4d26cd11cbdd97a42aef8d6
SHA256

1c9bd5c0c394b6aa7606bac0e69e85d65c5321ac6a17d9615d7e3a813bf44193
SHA512

c8835d58181d9f6c51d2b7fa1c980678211a004030d6a5f6fcb4dbfd332df7d1073f7ddc966fe151134357e099af510f0edfb758a462042f74c008ae31d09333

Score

10^/10

formbook xloader loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.dmvantalya.com/bnuw/

Decoy

amgggma.com

reptilerus.com

degearboss.com

jennaelsbakeshop.com

invisablescreen.com

beingsingleda.com

2nsupplements.online

12862.xyz

expand.care

romeoalchimistefullmental.com

7750166.com

brendonellis.com

sprayfoamharlemny.com

bukannyaterbuai30.com

boatpiz.com

stylistrx.com

decorationhaven.com

stockaro.com

state728.com

secretlairtoys.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3200-10-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral2/memory/1164-21-0x00000000007A0000-0x00000000007C8000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

Ckt40j50xJfd.exeCkt40j50xJfd.exe

pid process

4396 Ckt40j50xJfd.exe
3200 Ckt40j50xJfd.exe

pid	process
4396	Ckt40j50xJfd.exe
3200	Ckt40j50xJfd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ckt40j50xJfd.exeCkt40j50xJfd.exeipconfig.exe

description	pid	process	target process
PID 4396 set thread context of 3200	4396	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 3200 set thread context of 3152	3200	Ckt40j50xJfd.exe	Explorer.EXE
PID 1164 set thread context of 3152	1164	ipconfig.exe	Explorer.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

680 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1164 ipconfig.exe

pid	process
680	schtasks.exe

pid	process
1164	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

java.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings java.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	java.exe

Suspicious behavior: EnumeratesProcesses 80 IoCs

Processes:

Ckt40j50xJfd.exeipconfig.exeAcroRd32.exe

pid	process
3200	Ckt40j50xJfd.exe
3200	Ckt40j50xJfd.exe
3200	Ckt40j50xJfd.exe
3200	Ckt40j50xJfd.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe
1164	ipconfig.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Ckt40j50xJfd.exeCkt40j50xJfd.exeipconfig.exe

pid process

4396 Ckt40j50xJfd.exe
3200 Ckt40j50xJfd.exe
3200 Ckt40j50xJfd.exe
3200 Ckt40j50xJfd.exe
1164 ipconfig.exe
1164 ipconfig.exe

pid	process
4396	Ckt40j50xJfd.exe
3200	Ckt40j50xJfd.exe
3200	Ckt40j50xJfd.exe
3200	Ckt40j50xJfd.exe
1164	ipconfig.exe
1164	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Ckt40j50xJfd.exeExplorer.EXEipconfig.exe

description	pid	process
Token: SeDebugPrivilege	3200	Ckt40j50xJfd.exe
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeDebugPrivilege	1164	ipconfig.exe
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE
Token: SeShutdownPrivilege	3152	Explorer.EXE
Token: SeCreatePagefilePrivilege	3152	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1944 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

java.exeAcroRd32.exe

pid process

4808 java.exe
1944 AcroRd32.exe
1944 AcroRd32.exe
1944 AcroRd32.exe
1944 AcroRd32.exe
1944 AcroRd32.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3152 Explorer.EXE

pid	process
1944	AcroRd32.exe

pid	process
4808	java.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe

pid	process
3152	Explorer.EXE

Suspicious use of WriteProcessMemory 275 IoCs

Processes:

java.exeCkt40j50xJfd.execmd.exeExplorer.EXEipconfig.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4808 wrote to memory of 4396	4808	java.exe	Ckt40j50xJfd.exe
PID 4808 wrote to memory of 4396	4808	java.exe	Ckt40j50xJfd.exe
PID 4808 wrote to memory of 4396	4808	java.exe	Ckt40j50xJfd.exe
PID 4808 wrote to memory of 1944	4808	java.exe	AcroRd32.exe
PID 4808 wrote to memory of 1944	4808	java.exe	AcroRd32.exe
PID 4808 wrote to memory of 1944	4808	java.exe	AcroRd32.exe
PID 4396 wrote to memory of 4272	4396	Ckt40j50xJfd.exe	cmd.exe
PID 4396 wrote to memory of 4272	4396	Ckt40j50xJfd.exe	cmd.exe
PID 4396 wrote to memory of 4272	4396	Ckt40j50xJfd.exe	cmd.exe
PID 4396 wrote to memory of 3200	4396	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 4396 wrote to memory of 3200	4396	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 4396 wrote to memory of 3200	4396	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 4396 wrote to memory of 3200	4396	Ckt40j50xJfd.exe	Ckt40j50xJfd.exe
PID 4272 wrote to memory of 680	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 680	4272	cmd.exe	schtasks.exe
PID 4272 wrote to memory of 680	4272	cmd.exe	schtasks.exe
PID 3152 wrote to memory of 1164	3152	Explorer.EXE	ipconfig.exe
PID 3152 wrote to memory of 1164	3152	Explorer.EXE	ipconfig.exe
PID 3152 wrote to memory of 1164	3152	Explorer.EXE	ipconfig.exe
PID 1164 wrote to memory of 2044	1164	ipconfig.exe	cmd.exe
PID 1164 wrote to memory of 2044	1164	ipconfig.exe	cmd.exe
PID 1164 wrote to memory of 2044	1164	ipconfig.exe	cmd.exe
PID 1944 wrote to memory of 2340	1944	AcroRd32.exe	RdrCEF.exe
PID 1944 wrote to memory of 2340	1944	AcroRd32.exe	RdrCEF.exe
PID 1944 wrote to memory of 2340	1944	AcroRd32.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe
PID 2340 wrote to memory of 4492	2340	RdrCEF.exe	RdrCEF.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3152

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Statement for T10495.jar"
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\Ckt40j50xJfd.exe
C:\Users\Admin\Ckt40j50xJfd.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\13b7517e56994f3fa2d3ccb861f944e1.xml"
4⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\13b7517e56994f3fa2d3ccb861f944e1.xml"
5⤵
- Creates scheduled task(s)
PID:680

C:\Users\Admin\Ckt40j50xJfd.exe
C:\Users\Admin\Ckt40j50xJfd.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\hi3A9NUbhQ.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F193301F440D06ACCB0E6C201FA5690F --mojo-platform-channel-handle=1616 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4492

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CFB6DD567F1CF30A48ECFE5D9EF973D1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CFB6DD567F1CF30A48ECFE5D9EF973D1 --renderer-client-id=2 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job /prefetch:1
5⤵
PID:1000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FE74B599A1FF69E1366E30B65BA1221C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FE74B599A1FF69E1366E30B65BA1221C --renderer-client-id=4 --mojo-platform-channel-handle=2064 --allow-no-sandbox-job /prefetch:1
5⤵
PID:60

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=941A185E8EC126B80CDBDCFB3EBA8953 --mojo-platform-channel-handle=2476 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:4772

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CF51A695AE996E57C831AFF3593B0952 --mojo-platform-channel-handle=2696 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:192

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EB11BC02A9649EB808CCC8098BB30D4E --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:2684

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Ckt40j50xJfd.exe"
3⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13b7517e56994f3fa2d3ccb861f944e1.xml
MD5
aa2f6636e997aaa0b01fbc78b1dabe52

SHA1
fd462100fc91975dcbea8e361cf1eb8a70f6ad54

SHA256
d710b6eda22285684579d8b547e5be2f48883c4bf8db39993b00df30f9dc8723

SHA512
6540a3bbdbd3ab51679d5b32380e6c288bf6eba2777d067d40bfe65642ccafecd18028b102dfa46ac189d84282da2b6cb202a4f307587c5639f86834788f5104

Download Submit
C:\Users\Admin\Ckt40j50xJfd.exe
MD5
76d3edb9a348bf7167f4bb0c6a3e6a35

SHA1
e304f9b76ef4fe0da767c490b15e1dd8d7a8392f

SHA256
c7a3ec323f7c3911c8d685e205b414484c626ef78464c860dd5e836e1406efd0

SHA512
8951905b8c9ee5b31ad67b31feced8bcf0e9e5feba98b18d3cac2fa4e713ba9acc123bf0aea693152a3295bd0e2d7ed1f047ac20aa7a445e7743e16d743d0b33

Download Submit
C:\Users\Admin\Ckt40j50xJfd.exe
MD5
76d3edb9a348bf7167f4bb0c6a3e6a35

SHA1
e304f9b76ef4fe0da767c490b15e1dd8d7a8392f

SHA256
c7a3ec323f7c3911c8d685e205b414484c626ef78464c860dd5e836e1406efd0

SHA512
8951905b8c9ee5b31ad67b31feced8bcf0e9e5feba98b18d3cac2fa4e713ba9acc123bf0aea693152a3295bd0e2d7ed1f047ac20aa7a445e7743e16d743d0b33

Download Submit
C:\Users\Admin\Ckt40j50xJfd.exe
MD5
76d3edb9a348bf7167f4bb0c6a3e6a35

SHA1
e304f9b76ef4fe0da767c490b15e1dd8d7a8392f

SHA256
c7a3ec323f7c3911c8d685e205b414484c626ef78464c860dd5e836e1406efd0

SHA512
8951905b8c9ee5b31ad67b31feced8bcf0e9e5feba98b18d3cac2fa4e713ba9acc123bf0aea693152a3295bd0e2d7ed1f047ac20aa7a445e7743e16d743d0b33

Download Submit
C:\Users\Admin\hi3A9NUbhQ.pdf
MD5
05feac88a3982cd6f58520ba3efdcfab

SHA1
b65289e98c62ca821da2c2dc2446fc3cd087d4ee

SHA256
06b91869bf886c49fc0871005f9001c7e3f2819e85ec27c12e4253f3e3f548a0

SHA512
5f5e5bbbb2a31ec0c5a02bf5b112613aa5beea9e14b2dfc4b44a342dfebc0e08aeacdb28e9ec6cf6eb6e002485f77dedeb38e18fb186277a0aced0d10a419297

Download Submit
memory/60-32-0x0000000000000000-mapping.dmp

Download
memory/60-30-0x0000000077802000-0x000000007780200C-memory.dmp

Filesize
12B

Download
memory/192-41-0x0000000000000000-mapping.dmp

Download
memory/192-40-0x0000000077802000-0x000000007780200C-memory.dmp

Filesize
12B

Download
memory/680-11-0x0000000000000000-mapping.dmp

Download
memory/1000-26-0x0000000077802000-0x000000007780200C-memory.dmp

Filesize
12B

Download
memory/1000-27-0x0000000000000000-mapping.dmp

Download
memory/1164-19-0x0000000001150000-0x000000000115B000-memory.dmp

Filesize
44KB

Download
memory/1164-18-0x0000000000000000-mapping.dmp

Download
memory/1164-20-0x0000000003300000-0x0000000003620000-memory.dmp

Filesize
3.1MB

Download
memory/1164-21-0x00000000007A0000-0x00000000007C8000-memory.dmp

Filesize
160KB

Download
memory/1164-46-0x0000000000FE0000-0x000000000106F000-memory.dmp

Filesize
572KB

Download
memory/1944-6-0x0000000000000000-mapping.dmp

Download
memory/2044-22-0x0000000000000000-mapping.dmp

Download
memory/2340-23-0x0000000000000000-mapping.dmp

Download
memory/2684-44-0x0000000000000000-mapping.dmp

Download
memory/2684-43-0x0000000077802000-0x000000007780200C-memory.dmp

Filesize
12B

Download
memory/3152-17-0x0000000003040000-0x0000000003101000-memory.dmp

Filesize
772KB

Download
memory/3152-47-0x00000000056F0000-0x00000000057DD000-memory.dmp

Filesize
948KB

Download
memory/3200-15-0x0000000001680000-0x00000000019A0000-memory.dmp

Filesize
3.1MB

Download
memory/3200-8-0x000000000041CFF0-mapping.dmp

Download
memory/3200-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3200-16-0x0000000001120000-0x0000000001130000-memory.dmp

Filesize
64KB

Download
memory/4272-7-0x0000000000000000-mapping.dmp

Download
memory/4396-3-0x0000000000000000-mapping.dmp

Download
memory/4492-25-0x0000000000000000-mapping.dmp

Download
memory/4492-24-0x0000000077802000-0x000000007780200C-memory.dmp

Filesize
12B

Download
memory/4772-37-0x0000000077802000-0x000000007780200C-memory.dmp

Filesize
12B

Download
memory/4772-38-0x0000000000000000-mapping.dmp

Download
memory/4808-2-0x0000000002E80000-0x00000000030F0000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads