formbook | 2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3

General

Target

dce983778e604b799e0470fd69e833f2.exe
Size

174KB
MD5

dce983778e604b799e0470fd69e833f2
SHA1

b97b22599b0b87bab09f24a7531c89d4cf35f5c2
SHA256

2d40f472fa610ec9068b1bb4d057ca2293e2389fe7915acd2237b6df85e9b6b3
SHA512

bac7da0e8730d35e1c160c22e578c93f70a7d75cf700874b8ab485b3c0056848e6c39ebe19f8dafe19dd8b379b4fb655c974593782a1a181172a735ca88a5416

Score

10^/10

formbook oh75 persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3268-123-0x0000000000400000-0x000000000044F000-memory.dmp	formbook
C:\Users\Admin\AppData\Local\Temp\FB_A882.tmp.exe	formbook
behavioral2/memory/3268-128-0x0000000000400000-0x000000000044F000-memory.dmp	formbook
C:\Users\Admin\AppData\Local\Temp\FB_A882.tmp.exe	formbook
behavioral2/memory/4080-194-0x0000000000590000-0x00000000005BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

FB_A823.tmp.exeFB_A882.tmp.exe

pid process

1816 FB_A823.tmp.exe
928 FB_A882.tmp.exe

pid	process
1816	FB_A823.tmp.exe
928	FB_A882.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dce983778e604b799e0470fd69e833f2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\update. = "\"C:\\Users\\Admin\\AppData\\Roaming\\update\\update..exe\""	dce983778e604b799e0470fd69e833f2.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.exeFB_A882.tmp.exewlanext.exe

description	pid	process	target process
PID 3788 set thread context of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 928 set thread context of 3036	928	FB_A882.tmp.exe	Explorer.EXE
PID 4080 set thread context of 3036	4080	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	dce983778e604b799e0470fd69e833f2.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1152 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

FB_A823.tmp.exe

pid process

1816 FB_A823.tmp.exe

pid	process
1152	PING.EXE

pid	process
1816	FB_A823.tmp.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.exeFB_A882.tmp.exewlanext.exeAcroRd32.exe

pid	process
3788	dce983778e604b799e0470fd69e833f2.exe
3788	dce983778e604b799e0470fd69e833f2.exe
928	FB_A882.tmp.exe
928	FB_A882.tmp.exe
928	FB_A882.tmp.exe
928	FB_A882.tmp.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe
4080	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

FB_A882.tmp.exewlanext.exe

pid process

928 FB_A882.tmp.exe
928 FB_A882.tmp.exe
928 FB_A882.tmp.exe
4080 wlanext.exe
4080 wlanext.exe

pid	process
928	FB_A882.tmp.exe
928	FB_A882.tmp.exe
928	FB_A882.tmp.exe
4080	wlanext.exe
4080	wlanext.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.exeFB_A823.tmp.exeFB_A882.tmp.exeExplorer.EXEwlanext.exe

description	pid	process
Token: SeDebugPrivilege	3788	dce983778e604b799e0470fd69e833f2.exe
Token: SeDebugPrivilege	1816	FB_A823.tmp.exe
Token: SeDebugPrivilege	928	FB_A882.tmp.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeDebugPrivilege	4080	wlanext.exe
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE
Token: SeShutdownPrivilege	3036	Explorer.EXE
Token: SeCreatePagefilePrivilege	3036	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2736 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

2736 AcroRd32.exe
2736 AcroRd32.exe
2736 AcroRd32.exe
2736 AcroRd32.exe
2736 AcroRd32.exe
2736 AcroRd32.exe

pid	process
2736	AcroRd32.exe

pid	process
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dce983778e604b799e0470fd69e833f2.execmd.exeWScript.exedce983778e604b799e0470fd69e833f2.exeExplorer.EXEwlanext.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3788 wrote to memory of 1328	3788	dce983778e604b799e0470fd69e833f2.exe	cmd.exe
PID 3788 wrote to memory of 1328	3788	dce983778e604b799e0470fd69e833f2.exe	cmd.exe
PID 3788 wrote to memory of 1328	3788	dce983778e604b799e0470fd69e833f2.exe	cmd.exe
PID 1328 wrote to memory of 1152	1328	cmd.exe	PING.EXE
PID 1328 wrote to memory of 1152	1328	cmd.exe	PING.EXE
PID 1328 wrote to memory of 1152	1328	cmd.exe	PING.EXE
PID 3788 wrote to memory of 1052	3788	dce983778e604b799e0470fd69e833f2.exe	WScript.exe
PID 3788 wrote to memory of 1052	3788	dce983778e604b799e0470fd69e833f2.exe	WScript.exe
PID 3788 wrote to memory of 1052	3788	dce983778e604b799e0470fd69e833f2.exe	WScript.exe
PID 1052 wrote to memory of 2736	1052	WScript.exe	AcroRd32.exe
PID 1052 wrote to memory of 2736	1052	WScript.exe	AcroRd32.exe
PID 1052 wrote to memory of 2736	1052	WScript.exe	AcroRd32.exe
PID 3788 wrote to memory of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 3788 wrote to memory of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 3788 wrote to memory of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 3788 wrote to memory of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 3788 wrote to memory of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 3788 wrote to memory of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 3788 wrote to memory of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 3788 wrote to memory of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 3788 wrote to memory of 3268	3788	dce983778e604b799e0470fd69e833f2.exe	dce983778e604b799e0470fd69e833f2.exe
PID 3268 wrote to memory of 1816	3268	dce983778e604b799e0470fd69e833f2.exe	FB_A823.tmp.exe
PID 3268 wrote to memory of 1816	3268	dce983778e604b799e0470fd69e833f2.exe	FB_A823.tmp.exe
PID 3268 wrote to memory of 1816	3268	dce983778e604b799e0470fd69e833f2.exe	FB_A823.tmp.exe
PID 3268 wrote to memory of 928	3268	dce983778e604b799e0470fd69e833f2.exe	FB_A882.tmp.exe
PID 3268 wrote to memory of 928	3268	dce983778e604b799e0470fd69e833f2.exe	FB_A882.tmp.exe
PID 3268 wrote to memory of 928	3268	dce983778e604b799e0470fd69e833f2.exe	FB_A882.tmp.exe
PID 3036 wrote to memory of 4080	3036	Explorer.EXE	wlanext.exe
PID 3036 wrote to memory of 4080	3036	Explorer.EXE	wlanext.exe
PID 3036 wrote to memory of 4080	3036	Explorer.EXE	wlanext.exe
PID 4080 wrote to memory of 1976	4080	wlanext.exe	cmd.exe
PID 4080 wrote to memory of 1976	4080	wlanext.exe	cmd.exe
PID 4080 wrote to memory of 1976	4080	wlanext.exe	cmd.exe
PID 2736 wrote to memory of 3204	2736	AcroRd32.exe	RdrCEF.exe
PID 2736 wrote to memory of 3204	2736	AcroRd32.exe	RdrCEF.exe
PID 2736 wrote to memory of 3204	2736	AcroRd32.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe
PID 3204 wrote to memory of 3484	3204	RdrCEF.exe	RdrCEF.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\dce983778e604b799e0470fd69e833f2.exe
"C:\Users\Admin\AppData\Local\Temp\dce983778e604b799e0470fd69e833f2.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
3⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\PING.EXE
ping google.com
4⤵
- Runs ping.exe
PID:1152

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\arpwat5dsvq.vbs"
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1052

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Dunyfmjfile.pdf"
4⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
5⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B396F7B6706F3A26B5978306B1FF8CCD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B396F7B6706F3A26B5978306B1FF8CCD --renderer-client-id=2 --mojo-platform-channel-handle=1552 --allow-no-sandbox-job /prefetch:1
6⤵
PID:3484

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C74A1D2C4B1F6A77B55AC362B353C2E1 --mojo-platform-channel-handle=1656 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:940

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CDD8DF55CE01DFC46A7A85D92D198B77 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:2044

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0B6CB28EA404EF718A5FD0FF65886339 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0B6CB28EA404EF718A5FD0FF65886339 --renderer-client-id=5 --mojo-platform-channel-handle=2396 --allow-no-sandbox-job /prefetch:1
6⤵
PID:3088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=69BF8C18D4ACF8BA3E954E30A23B3123 --mojo-platform-channel-handle=1992 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:3700

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=30D54F3983CCBEE5A6251199AD5A9541 --mojo-platform-channel-handle=2740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
6⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\dce983778e604b799e0470fd69e833f2.exe
C:\Users\Admin\AppData\Local\Temp\dce983778e604b799e0470fd69e833f2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\FB_A823.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_A823.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Users\Admin\AppData\Local\Temp\FB_A882.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_A882.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1860

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\FB_A882.tmp.exe"
3⤵
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dunyfmjfile.pdf
MD5
33e77f08076d0a57cf0c49bac2eb5427

SHA1
4913cfb36cf8faa5df289eda8dfc35a196c37df4

SHA256
4df1b409aeabe59d70d24524e2b2ca1b9ac1a7b5b65722df951faacbc8e44d1a

SHA512
5320f8d8585d298a5af08bf5120b66b78edbe253d4e0299855e52624fde28e025caf78a1c17c770c82ec8a3f8becb25eaa3afbb5ac02a82503e9f17b31ee0070

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A823.tmp.exe
MD5
4538ef7f9c0d0e7c883d0aabb46c1052

SHA1
6c6517c8dae3a31abeb814700f38f31ea124d8a8

SHA256
bfdff4ccf418088fbfc206b769c378e096240e2b0596998458afc393a2ffa077

SHA512
891d900251e8d6936da1bf9467b0b2f353eda71ccc4b2e2892f009b9958b0c9e0657baddb3ab0a0df5a2dc93d4d2b96f6d4e1c692a3fc53e0c7e661fbc5fd706

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A823.tmp.exe
MD5
4538ef7f9c0d0e7c883d0aabb46c1052

SHA1
6c6517c8dae3a31abeb814700f38f31ea124d8a8

SHA256
bfdff4ccf418088fbfc206b769c378e096240e2b0596998458afc393a2ffa077

SHA512
891d900251e8d6936da1bf9467b0b2f353eda71ccc4b2e2892f009b9958b0c9e0657baddb3ab0a0df5a2dc93d4d2b96f6d4e1c692a3fc53e0c7e661fbc5fd706

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A882.tmp.exe
MD5
679e273b07867f0bfcd45402e8d92d00

SHA1
d6cfa3ed71af28f95229bce69fea45fe18eeaf5e

SHA256
37ed1ba1aab413fbf59e196f9337f6295a1fbbf1540e76525b43725b1e0b012d

SHA512
fa3e0ad8afd1791d304ed4a8f81af498f2005f83b0c7add8c5775d92c69c11c42462f5d3349bbcda1ffb251abf4c46915abcc3844eaabdc2bfd38e030a5f7e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_A882.tmp.exe
MD5
679e273b07867f0bfcd45402e8d92d00

SHA1
d6cfa3ed71af28f95229bce69fea45fe18eeaf5e

SHA256
37ed1ba1aab413fbf59e196f9337f6295a1fbbf1540e76525b43725b1e0b012d

SHA512
fa3e0ad8afd1791d304ed4a8f81af498f2005f83b0c7add8c5775d92c69c11c42462f5d3349bbcda1ffb251abf4c46915abcc3844eaabdc2bfd38e030a5f7e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\arpwat5dsvq.vbs
MD5
2acb2457b23d92c73721bb1e64bc97c1

SHA1
16f82f5555ad88b45104cae5dc777b7258e47d83

SHA256
0b60d3eeb34e312053b043cf22ee13946f525298e6ab35adad99d64b073a72b2

SHA512
524410e9cecefd2987a8096618fba1c0141d6f6eb2a9c6a491133c70eaef6441fd4a60d1ed7cca196e9d5a06495926b35cc1c9d4fe8f58ec738e13d3f53ca1a3

Download Submit
memory/928-144-0x00000000019E0000-0x00000000019F4000-memory.dmp

Filesize
80KB

Download
memory/928-141-0x00000000016C0000-0x00000000019E0000-memory.dmp

Filesize
3.1MB

Download
memory/940-239-0x0000000077662000-0x0000000077663000-memory.dmp

Filesize
4KB

Download
memory/1816-129-0x00000000006A0000-0x00000000006C0000-memory.dmp

Filesize
128KB

Download
memory/1816-130-0x00000000028C0000-0x00000000028F2000-memory.dmp

Filesize
200KB

Download
memory/1816-131-0x00000000053D0000-0x00000000058CE000-memory.dmp

Filesize
5.0MB

Download
memory/1816-132-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/1816-133-0x0000000004F70000-0x0000000004F78000-memory.dmp

Filesize
32KB

Download
memory/1816-134-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/1816-137-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2044-317-0x0000000077662000-0x0000000077663000-memory.dmp

Filesize
4KB

Download
memory/2364-338-0x0000000077662000-0x0000000077663000-memory.dmp

Filesize
4KB

Download
memory/3036-139-0x0000000004F70000-0x000000000507F000-memory.dmp

Filesize
1.1MB

Download
memory/3036-368-0x0000000005E70000-0x0000000005FC2000-memory.dmp

Filesize
1.3MB

Download
memory/3088-320-0x0000000077662000-0x0000000077663000-memory.dmp

Filesize
4KB

Download
memory/3268-123-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3268-128-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3484-234-0x0000000077662000-0x0000000077663000-memory.dmp

Filesize
4KB

Download
memory/3700-325-0x0000000077662000-0x0000000077663000-memory.dmp

Filesize
4KB

Download
memory/3788-120-0x0000000000C30000-0x0000000000C96000-memory.dmp

Filesize
408KB

Download
memory/3788-119-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/3788-118-0x0000000005B20000-0x0000000005B88000-memory.dmp

Filesize
416KB

Download
memory/3788-115-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/3788-117-0x0000000004EA0000-0x0000000004F52000-memory.dmp

Filesize
712KB

Download
memory/3788-116-0x0000000004BD0000-0x0000000004C20000-memory.dmp

Filesize
320KB

Download
memory/4080-197-0x0000000002DA0000-0x00000000031C0000-memory.dmp

Filesize
4.1MB

Download
memory/4080-194-0x0000000000590000-0x00000000005BF000-memory.dmp

Filesize
188KB

Download
memory/4080-193-0x0000000000BC0000-0x0000000000BD7000-memory.dmp

Filesize
92KB

Download
memory/4080-341-0x0000000002BE0000-0x0000000002D7E000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads