infinitylock | bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4

Resubmissions

04-09-2021 18:09

210904-wrxmsshegj 10

31-08-2020 12:21

200831-tnfgvzw7da 10

Analysis

max time kernel
151s
max time network
135s
platform
windows10_x64
resource
win10-en
submitted
04-09-2021 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
Size

77KB
MD5

4e24780d9700a1cb9d741d7ef51889f1
SHA1

4700da92e1f99b576ff517d3fa18103c67ac0d11
SHA256

bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4
SHA512

c1d2501b95822796d6116711d426463dd95fd059201e11cf19f9ba8709782e6997cd4d2c04eb163199d305e04e04462ed032a53f50f9df0f4ff495dfb75450a0

Score

10^/10

infinitylock ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RepairWait.tiff.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeBackup.tiff.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockNew.tiff.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteUndo.tiff.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_auditreport_18.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\AppStore_icon.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main.css.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_listview_18.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons_retina.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text-2x.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\core_icons.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\AppStore_icon.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\AppStore_icon.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ro_get.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\da_get.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Regular.otf.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_selected_18.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Toast.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\PlayStore_icon.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder_18.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sv-se\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_selectlist_checkmark_18.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_en_135x40.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\ui-strings.js.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg.6E92A147EF5A35914D1FCE2C84E82927D2A5331CDE4F21608DC59BB210712E49	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2056	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	taskmgr.exe
Token: SeSystemProfilePrivilege	2056	taskmgr.exe
Token: SeCreateGlobalPrivilege	2056	taskmgr.exe
Token: SeDebugPrivilege	3940	bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
"C:\Users\Admin\AppData\Local\Temp\bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3940-115-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3940-117-0x00000000030B0000-0x00000000030D9000-memory.dmp

Filesize
164KB

Download
memory/3940-118-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/3940-119-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/3940-120-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/3940-121-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/3940-122-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/3940-123-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/3940-124-0x0000000008EF0000-0x0000000008EF1000-memory.dmp

Filesize
4KB

Download
memory/3940-125-0x00000000030E3000-0x00000000030E5000-memory.dmp

Filesize
8KB

Download