njrat | 8797ab41f89827f3231b25b4240fd7aae72ee46415e1f28a3b81148debc00408

General

Target

8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe
Size

373KB
MD5

9eb869a782ce77b409f6126372c9d231
SHA1

b2aece502fa66059dcc61e33bd2e4822e01182df
SHA256

8797ab41f89827f3231b25b4240fd7aae72ee46415e1f28a3b81148debc00408
SHA512

fb2ef14ca11855fdc4ae37233cf52c99b619f9739bfafd1ce2ccfdcdd1df6a679c779312a01fde2115b86c4f08f8f9e832bdab119c570bf28a6cfc65f5c001d6

Score

10^/10

njrat lime link pdf trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

soportesltda30.duckdns.org:4433

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
jairpicc

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

windows.exewindows.exewindows.exe

pid process

2144 windows.exe
728 windows.exe
3760 windows.exe
Drops startup file 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.EXE WScript.exe

pid	process
2144	windows.exe
728	windows.exe
3760	windows.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.EXE	WScript.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\leer.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2768 schtasks.exe
3860 schtasks.exe
1820 schtasks.exe

pid	process
2768	schtasks.exe
3860	schtasks.exe
1820	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe
1056	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

windows.exe

description	pid	process
Token: SeDebugPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe
Token: 33	2144	windows.exe
Token: SeIncBasePriorityPrivilege	2144	windows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1056 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

1056 AcroRd32.exe
1056 AcroRd32.exe
1056 AcroRd32.exe
1056 AcroRd32.exe
1056 AcroRd32.exe
1056 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exeWScript.exewindows.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 992 wrote to memory of 1056	992	8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe	AcroRd32.exe
PID 992 wrote to memory of 1056	992	8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe	AcroRd32.exe
PID 992 wrote to memory of 1056	992	8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe	AcroRd32.exe
PID 992 wrote to memory of 1484	992	8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe	WScript.exe
PID 992 wrote to memory of 1484	992	8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe	WScript.exe
PID 992 wrote to memory of 1484	992	8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe	WScript.exe
PID 1484 wrote to memory of 2144	1484	WScript.exe	windows.exe
PID 1484 wrote to memory of 2144	1484	WScript.exe	windows.exe
PID 1484 wrote to memory of 2144	1484	WScript.exe	windows.exe
PID 2144 wrote to memory of 2416	2144	windows.exe	schtasks.exe
PID 2144 wrote to memory of 2416	2144	windows.exe	schtasks.exe
PID 2144 wrote to memory of 2416	2144	windows.exe	schtasks.exe
PID 2144 wrote to memory of 2768	2144	windows.exe	schtasks.exe
PID 2144 wrote to memory of 2768	2144	windows.exe	schtasks.exe
PID 2144 wrote to memory of 2768	2144	windows.exe	schtasks.exe
PID 1056 wrote to memory of 3824	1056	AcroRd32.exe	RdrCEF.exe
PID 1056 wrote to memory of 3824	1056	AcroRd32.exe	RdrCEF.exe
PID 1056 wrote to memory of 3824	1056	AcroRd32.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3188	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3992	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3992	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3992	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3992	3824	RdrCEF.exe	RdrCEF.exe
PID 3824 wrote to memory of 3992	3824	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe
"C:\Users\Admin\AppData\Local\Temp\8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:992

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\leer.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=78DD0947CCB3C1EA81A300FB8476A5FB --mojo-platform-channel-handle=1652 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5F7A0720F508DFB244962FEB1563056E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5F7A0720F508DFB244962FEB1563056E --renderer-client-id=2 --mojo-platform-channel-handle=1688 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3992

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=089D1D388D8C8E5BAFB4838BD2038F36 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=089D1D388D8C8E5BAFB4838BD2038F36 --renderer-client-id=4 --mojo-platform-channel-handle=2108 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3676

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=44AE66984A04640FAF3C3A970B0A099A --mojo-platform-channel-handle=2488 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1416

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CC315EA98AE5C5F894641C10BAD5CCAA --mojo-platform-channel-handle=1884 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2060

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3B99B183088D68597900A1E557A053CB --mojo-platform-channel-handle=1872 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\win.vbs"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
4⤵
PID:2416

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\windows.exe" /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:2768

C:\Users\Admin\AppData\Local\Temp\windows.exe
C:\Users\Admin\AppData\Local\Temp\windows.exe
1⤵
- Executes dropped EXE
PID:728

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1796

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\windows.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:3860

C:\Users\Admin\AppData\Local\Temp\windows.exe
C:\Users\Admin\AppData\Local\Temp\windows.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1236

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\windows.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\windows.exe.log
MD5
6b062b48db9a8e149e10fefd80ab54ef

SHA1
1e72855f88c33b6ddce512b079bbe2e4aa2b6b57

SHA256
026518c621aa1e908fd3617fe1d684a6225393659345ad4f9c085fc4f6b3cf43

SHA512
b36007e2b0b71247979cdac1b17520cc37065c001464b4c70d642c8a059510d28ed8b57b7e4df59a43d99d69c588c1bab7b3c95c6a75c0ab98317246b56f7832

Download Submit
C:\Users\Admin\AppData\Local\Temp\leer.pdf
MD5
1db6b198366804e52fa1fbc3599934bf

SHA1
171b5758a6483ce5ccddfc3d5dc5e9d40c7aa7b1

SHA256
60205229cab8dce06632c2b9d61b0628186e74ff6fc7db66112d149a576ec8dc

SHA512
35631ecaf2124ee272f78e6382dc4b8f939ff8fe4b11f874176e44d20526b524b3540d5bf7fd2e21c81e92a69f7f31257e5f1ea1cf9f7e79ba01fd2a7f77efed

Download Submit
C:\Users\Admin\AppData\Local\Temp\win.vbs
MD5
466373d5f9d9e8daa9052c303071080f

SHA1
410d62f9075cae08e6b31c5e666f67892982a6ba

SHA256
f4056dbe3779c8e0700567ed46b782ddc7bfda547e7e63b43d2748ef60e12c12

SHA512
de1eca6b8f17980d44ed5c4de455a78865bc117cf51b02e9e1f026096d417e6593272aa64f45fb8f2657b646608b84df25842b2a5b9b45cda4b2e55bc3e0a303

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
MD5
e755d66ec3fb3877c81b6c6818ef083e

SHA1
e79fdfd8ac6794ebf4daeb044dc98ea47ddb3c4f

SHA256
56203d61bb74a63227367a5d68f3a4869c109be343fccd0bf992f30d0d3192ad

SHA512
f1323391fb5bb2ad278a21905508de06e1ce5dd92895de30f010b9858e74069ec8ce97b7ef4e20cf5e17f6e7a37dd54da5791f2c3e0b5a48cd30318144c4714e

Download Submit
memory/728-155-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/1056-114-0x0000000000000000-mapping.dmp

Download
memory/1236-159-0x0000000000000000-mapping.dmp

Download
memory/1416-141-0x00000000778D2000-0x00000000778D200C-memory.dmp

Filesize
12B

Download
memory/1416-143-0x0000000000000000-mapping.dmp

Download
memory/1484-115-0x0000000000000000-mapping.dmp

Download
memory/1796-154-0x0000000000000000-mapping.dmp

Download
memory/1820-160-0x0000000000000000-mapping.dmp

Download
memory/2060-145-0x00000000778D2000-0x00000000778D200C-memory.dmp

Filesize
12B

Download
memory/2060-147-0x0000000000000000-mapping.dmp

Download
memory/2144-121-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2144-118-0x0000000000000000-mapping.dmp

Download
memory/2416-122-0x0000000000000000-mapping.dmp

Download
memory/2768-123-0x0000000000000000-mapping.dmp

Download
memory/3052-149-0x00000000778D2000-0x00000000778D200C-memory.dmp

Filesize
12B

Download
memory/3052-151-0x0000000000000000-mapping.dmp

Download
memory/3188-127-0x0000000000000000-mapping.dmp

Download
memory/3188-125-0x00000000778D2000-0x00000000778D200C-memory.dmp

Filesize
12B

Download
memory/3676-137-0x0000000000000000-mapping.dmp

Download
memory/3676-135-0x00000000778D2000-0x00000000778D200C-memory.dmp

Filesize
12B

Download
memory/3760-161-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/3824-124-0x0000000000000000-mapping.dmp

Download
memory/3860-156-0x0000000000000000-mapping.dmp

Download
memory/3992-131-0x0000000000000000-mapping.dmp

Download
memory/3992-129-0x00000000778D2000-0x00000000778D200C-memory.dmp

Filesize
12B

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads