cobaltstrike | 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4

General

Target

8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe
Size

1.4MB
MD5

5bda122840962b4fa884a5259064ed74
SHA1

baf9c557f397be3b58a9a8f56b8ff224ac231fec
SHA256

8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4
SHA512

4992c44c5b67d47a92964b3ceb7cfa70b079e3f18912104279998766e21acde6fc37834688a3d6270cb4a1081687eb153475cc9b2f5d11f43f4487a014429ba8

Score

10^/10

cobaltstrike metasploit 305419896 backdoor link pdf persistence suricata trojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://www.ctfwiki.workers.dev:443/_static/jquery-3.3.1.min.js

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://qianx1n.xyz:443/jquery.min.js

Attributes

access_type
512
beacon_type
2048
dns_idle
1.908702538e+09
host
qianx1n.xyz,/jquery.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAUAAAAIX19jZmR1aWQAAAAHAAAAAQAAAAMAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
jitter
9472
maxdns
255
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDyvfJWs++715HoMi9tlSZSgCf/o1NKJcRyCt2fTA4//I0nzqtcA1ePMsVi1OFNl2UlIXhJdeJXyZ+3km9g0VU6Lli+SRreeue/EolQNu6YmItro9iipWpHHpBxJvHPffpj0aivjN83hgY2CISRln6KsnXMspQpkSBBKYBL7Kv9kwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.184478976e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
watermark
305419896

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
suricata: ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
suricata
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

11 1796 rundll32.exe
21 1796 rundll32.exe
36 1796 rundll32.exe
40 1796 rundll32.exe
41 1796 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1796 rundll32.exe

flow	pid	process
11	1796	rundll32.exe
21	1796	rundll32.exe
36	1796	rundll32.exe
40	1796	rundll32.exe
41	1796	rundll32.exe

pid	process
1796	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\lnk = "C:\\ProgramData\\lnk.lnk"	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Ææ°²ÐÅ°²È«¹¥·ÀÑÝÏ°¼Ó¹ÌÖ¸µ¼ÊÖ²á.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe
1680	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe

description pid process

Token: SeIncBasePriorityPrivilege 456 8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

1680 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

1680 AcroRd32.exe
1680 AcroRd32.exe
1680 AcroRd32.exe
1680 AcroRd32.exe
1680 AcroRd32.exe
1680 AcroRd32.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 456 wrote to memory of 1680	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe	AcroRd32.exe
PID 456 wrote to memory of 1680	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe	AcroRd32.exe
PID 456 wrote to memory of 1680	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe	AcroRd32.exe
PID 456 wrote to memory of 1796	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe	rundll32.exe
PID 456 wrote to memory of 1796	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe	rundll32.exe
PID 456 wrote to memory of 1796	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe	rundll32.exe
PID 456 wrote to memory of 2300	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe	cmd.exe
PID 456 wrote to memory of 2300	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe	cmd.exe
PID 456 wrote to memory of 2300	456	8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe	cmd.exe
PID 1680 wrote to memory of 1176	1680	AcroRd32.exe	RdrCEF.exe
PID 1680 wrote to memory of 1176	1680	AcroRd32.exe	RdrCEF.exe
PID 1680 wrote to memory of 1176	1680	AcroRd32.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 1676	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe
PID 1176 wrote to memory of 856	1176	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe
"C:\Users\Admin\AppData\Local\Temp\8307b7961483dbf57866eb3a58ee1645dc060319e3781ff5487babd28f7b13f4.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ææ°²ÐÅ°²È«¹¥·ÀÑÝÏ°¼Ó¹ÌÖ¸µ¼ÊÖ²á.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8E148DE2FA29AC8586A27B3E6572D5F2 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1676

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=19814FA9010E385214125F7CA7842D38 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=19814FA9010E385214125F7CA7842D38 --renderer-client-id=2 --mojo-platform-channel-handle=1660 --allow-no-sandbox-job /prefetch:1
4⤵
PID:856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EAC047C88C186D4E3E97800D6513D1A7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EAC047C88C186D4E3E97800D6513D1A7 --renderer-client-id=4 --mojo-platform-channel-handle=2072 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1388

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E9716DC3EE8287C1F9E4AD8B9D7B0C39 --mojo-platform-channel-handle=2476 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2196

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=454722F0D6C2BC9BA3F9F30F50346877 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3160

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0CE153E8816F7571D6E51BC13EEEA076 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1948

C:\windows\SysWOW64\rundll32.exe
"C:\windows\system32\rundll32.exe" "C:\ProgramData\test.dll",Start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8307B7~1.EXE > nul
2⤵
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\test.dll
MD5
46048d51dd824be472c93aa05ef0a353

SHA1
f7f7c3a5aed0db850365a4b1fac45c7415859eb0

SHA256
17f52e0144b2c518e5dab0bb1f8ef06378cb6caba1593c47653aa936670e8526

SHA512
c4ec061692f1e5772916fb855a278bbd06cafcaded791c2387af0989df9845c23c0221950a003875252416e122c651146111d44d57f7ff760ac7f2450654ca46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ææ°²ÐÅ°²È«¹¥·ÀÑÝÏ°¼Ó¹ÌÖ¸µ¼ÊÖ²á.pdf
MD5
1fb15a15ad8271da571d536684d1f7bd

SHA1
df7ca8fe4fae41b0f3d5ad320b237ad5aff5b2b6

SHA256
1af9106309a8276e3b48e3a45d2b7defe3112dbc76c087ad1db82d81abfd9957

SHA512
97c92964c71d353102aec9f031e3894a1f35cb08e472d2c30394a965ded6d3b53273236c18d010e529769ca4440f73deab6097e3a57c43201c4caae6fd601215

Download Submit
\ProgramData\test.dll
MD5
46048d51dd824be472c93aa05ef0a353

SHA1
f7f7c3a5aed0db850365a4b1fac45c7415859eb0

SHA256
17f52e0144b2c518e5dab0bb1f8ef06378cb6caba1593c47653aa936670e8526

SHA512
c4ec061692f1e5772916fb855a278bbd06cafcaded791c2387af0989df9845c23c0221950a003875252416e122c651146111d44d57f7ff760ac7f2450654ca46

Download Submit
memory/856-132-0x0000000000000000-mapping.dmp

Download
memory/856-135-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/856-131-0x0000000000BFC000-0x0000000000BFD000-memory.dmp

Filesize
4KB

Download
memory/856-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/856-130-0x0000000077932000-0x0000000077933000-memory.dmp

Filesize
4KB

Download
memory/1176-125-0x0000000000000000-mapping.dmp

Download
memory/1388-138-0x0000000000000000-mapping.dmp

Download
memory/1388-137-0x0000000000FBC000-0x0000000000FBD000-memory.dmp

Filesize
4KB

Download
memory/1388-136-0x0000000077932000-0x0000000077933000-memory.dmp

Filesize
4KB

Download
memory/1676-127-0x0000000001027000-0x0000000001028000-memory.dmp

Filesize
4KB

Download
memory/1676-128-0x0000000000000000-mapping.dmp

Download
memory/1676-129-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1676-126-0x0000000077932000-0x0000000077933000-memory.dmp

Filesize
4KB

Download
memory/1680-115-0x0000000000000000-mapping.dmp

Download
memory/1796-123-0x0000000004FE0000-0x0000000005452000-memory.dmp

Filesize
4.4MB

Download
memory/1796-122-0x0000000004FE0000-0x0000000005452000-memory.dmp

Filesize
4.4MB

Download
memory/1796-120-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/1796-124-0x0000000004BE0000-0x0000000004FE0000-memory.dmp

Filesize
4.0MB

Download
memory/1796-116-0x0000000000000000-mapping.dmp

Download
memory/1948-150-0x0000000077932000-0x0000000077933000-memory.dmp

Filesize
4KB

Download
memory/1948-152-0x0000000000000000-mapping.dmp

Download
memory/1948-151-0x0000000000FBD000-0x0000000000FBE000-memory.dmp

Filesize
4KB

Download
memory/2196-142-0x0000000077932000-0x0000000077933000-memory.dmp

Filesize
4KB

Download
memory/2196-143-0x0000000000FBC000-0x0000000000FBD000-memory.dmp

Filesize
4KB

Download
memory/2196-144-0x0000000000000000-mapping.dmp

Download
memory/2300-119-0x0000000000000000-mapping.dmp

Download
memory/3160-148-0x0000000000000000-mapping.dmp

Download
memory/3160-147-0x0000000000FB1000-0x0000000000FB2000-memory.dmp

Filesize
4KB

Download
memory/3160-146-0x0000000077932000-0x0000000077933000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads