netwire | 472bd26e0dec365a75bb00046b1025c75cbddc7cad4eef7c50213c6382f5d063

General

Target

Solictud_de_cotizacion (3699663-2020).exe
Size

553KB
MD5

748e4a49b7e306d7eb45aaa7b10faf5d
SHA1

ed4e974775f050e65233116fdbb28921618fceb7
SHA256

e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd
SHA512

378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Score

10^/10

netwire botnet persistence stealer upx

Malware Config

Signatures

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

3216 Host.exe
4868 Host.exe
4284 Host.exe

pid	process
3216	Host.exe
4868	Host.exe
4284	Host.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Solictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Solictud_de_cotizacion (3699663-2020).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Solictud_de_cotizacion (3699663-2020).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Solictud_de_cotizacion (3699663-2020).exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Solictud_de_cotizacion (3699663-2020).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solictud_de_cotizacion (3699663-2020).exe"	Solictud_de_cotizacion (3699663-2020).exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

description	pid	process	target process
PID 1960 set thread context of 4200	1960	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 3216 set thread context of 4868	3216	Host.exe	Host.exe
PID 4864 set thread context of 4132	4864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	Solictud_de_cotizacion (3699663-2020).exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	Solictud_de_cotizacion (3699663-2020).exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

pid	process
1960	Solictud_de_cotizacion (3699663-2020).exe
1960	Solictud_de_cotizacion (3699663-2020).exe
2492	Solictud_de_cotizacion (3699663-2020).exe
2492	Solictud_de_cotizacion (3699663-2020).exe
2492	Solictud_de_cotizacion (3699663-2020).exe
2492	Solictud_de_cotizacion (3699663-2020).exe
2492	Solictud_de_cotizacion (3699663-2020).exe
2492	Solictud_de_cotizacion (3699663-2020).exe
2492	Solictud_de_cotizacion (3699663-2020).exe
2492	Solictud_de_cotizacion (3699663-2020).exe
3216	Host.exe
3216	Host.exe
2492	Solictud_de_cotizacion (3699663-2020).exe
2492	Solictud_de_cotizacion (3699663-2020).exe
4864	Solictud_de_cotizacion (3699663-2020).exe
4864	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4284	Host.exe
4284	Host.exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4144	Solictud_de_cotizacion (3699663-2020).exe
4284	Host.exe
4284	Host.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exe

pid process

1960 Solictud_de_cotizacion (3699663-2020).exe
3216 Host.exe
4864 Solictud_de_cotizacion (3699663-2020).exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4908 AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exeAdobeARM.exe

pid	process
4908	AcroRd32.exe
3404	AcroRd32.exe
4908	AcroRd32.exe
4252	AcroRd32.exe
4908	AcroRd32.exe
4908	AcroRd32.exe
4908	AcroRd32.exe
4908	AcroRd32.exe
1716	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Solictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeSolictud_de_cotizacion (3699663-2020).exeHost.exeSolictud_de_cotizacion (3699663-2020).exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1960 wrote to memory of 4908	1960	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1960 wrote to memory of 4908	1960	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1960 wrote to memory of 4908	1960	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 1960 wrote to memory of 4200	1960	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1960 wrote to memory of 4200	1960	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1960 wrote to memory of 4200	1960	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1960 wrote to memory of 2492	1960	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1960 wrote to memory of 2492	1960	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 1960 wrote to memory of 2492	1960	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 4200 wrote to memory of 3216	4200	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 4200 wrote to memory of 3216	4200	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 4200 wrote to memory of 3216	4200	Solictud_de_cotizacion (3699663-2020).exe	Host.exe
PID 2492 wrote to memory of 4864	2492	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 2492 wrote to memory of 4864	2492	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 2492 wrote to memory of 4864	2492	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 3216 wrote to memory of 3404	3216	Host.exe	AcroRd32.exe
PID 3216 wrote to memory of 3404	3216	Host.exe	AcroRd32.exe
PID 3216 wrote to memory of 3404	3216	Host.exe	AcroRd32.exe
PID 3216 wrote to memory of 4868	3216	Host.exe	Host.exe
PID 3216 wrote to memory of 4868	3216	Host.exe	Host.exe
PID 3216 wrote to memory of 4868	3216	Host.exe	Host.exe
PID 3216 wrote to memory of 4284	3216	Host.exe	Host.exe
PID 3216 wrote to memory of 4284	3216	Host.exe	Host.exe
PID 3216 wrote to memory of 4284	3216	Host.exe	Host.exe
PID 4864 wrote to memory of 4252	4864	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 4864 wrote to memory of 4252	4864	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 4864 wrote to memory of 4252	4864	Solictud_de_cotizacion (3699663-2020).exe	AcroRd32.exe
PID 4864 wrote to memory of 4132	4864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 4864 wrote to memory of 4132	4864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 4864 wrote to memory of 4132	4864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 4864 wrote to memory of 4144	4864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 4864 wrote to memory of 4144	4864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 4864 wrote to memory of 4144	4864	Solictud_de_cotizacion (3699663-2020).exe	Solictud_de_cotizacion (3699663-2020).exe
PID 4908 wrote to memory of 2076	4908	AcroRd32.exe	RdrCEF.exe
PID 4908 wrote to memory of 2076	4908	AcroRd32.exe	RdrCEF.exe
PID 4908 wrote to memory of 2076	4908	AcroRd32.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe
PID 2076 wrote to memory of 3824	2076	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4908

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B9A7C66ED68F0B9826523004E33F2B16 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B9A7C66ED68F0B9826523004E33F2B16 --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
4⤵
PID:3824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9DB13FC7502D482F1942551CFE7D6743 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4412

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1DA0A79F1474CD95961D81CB572E218B --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1076

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0A7DDC8E039F73E81B15C2DC2C0DE226 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0A7DDC8E039F73E81B15C2DC2C0DE226 --renderer-client-id=5 --mojo-platform-channel-handle=2096 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4860

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A25CD5DA0F99498E41FBD7424906D37D --mojo-platform-channel-handle=2452 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4604

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4573F9E851DEC59A045CAA793B62A6F2 --mojo-platform-channel-handle=2128 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:452

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
3⤵
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
4⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
4⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4868

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" 2 4868 240547937
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe" 2 4200 240547312
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Orden.pdf"
4⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe"
4⤵
- Adds Run key to start application
PID:4132

C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe
"C:\Users\Admin\AppData\Local\Temp\Solictud_de_cotizacion (3699663-2020).exe" 2 4132 240548218
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Orden.pdf
Filesize
175KB

MD5
d4005f6c245d66fe21b8671d28dfbf12

SHA1
f9405fc9f33a084c689df8dcd6dc59afa98b4282

SHA256
49e52034c5e32c1c4c2f3bbfc4e99ce4ac917e934373a93d5ad2df5c364d63d8

SHA512
6efb3cccd57e30c80f0bf00be0aa646fde75df78b014ed0aa85aaeb35644e7fb96c1c089ba34946627c1df2368c67ff5ce49fd7e44e224dc5980af59814f3f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Orden.pdf
Filesize
175KB

MD5
d4005f6c245d66fe21b8671d28dfbf12

SHA1
f9405fc9f33a084c689df8dcd6dc59afa98b4282

SHA256
49e52034c5e32c1c4c2f3bbfc4e99ce4ac917e934373a93d5ad2df5c364d63d8

SHA512
6efb3cccd57e30c80f0bf00be0aa646fde75df78b014ed0aa85aaeb35644e7fb96c1c089ba34946627c1df2368c67ff5ce49fd7e44e224dc5980af59814f3f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Orden.pdf
Filesize
175KB

MD5
d4005f6c245d66fe21b8671d28dfbf12

SHA1
f9405fc9f33a084c689df8dcd6dc59afa98b4282

SHA256
49e52034c5e32c1c4c2f3bbfc4e99ce4ac917e934373a93d5ad2df5c364d63d8

SHA512
6efb3cccd57e30c80f0bf00be0aa646fde75df78b014ed0aa85aaeb35644e7fb96c1c089ba34946627c1df2368c67ff5ce49fd7e44e224dc5980af59814f3f10

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
553KB

MD5
748e4a49b7e306d7eb45aaa7b10faf5d

SHA1
ed4e974775f050e65233116fdbb28921618fceb7

SHA256
e232e9c0d66770fe8e50466f3dd073160a8ddaf565ed0382ce997226c1b364dd

SHA512
378f5c0ed4b94405a1287febc6a12901cbc8b386b41b66d9f2d007d704780424f3427b6e6973480656954f3d31540cacdc5e935118d4d561bba1bf399fc8d839

Download Submit
memory/452-170-0x0000000000000000-mapping.dmp

Download
memory/1076-159-0x0000000000000000-mapping.dmp

Download
memory/1268-173-0x0000000000000000-mapping.dmp

Download
memory/1716-172-0x0000000000000000-mapping.dmp

Download
memory/1960-130-0x0000000000B00000-0x0000000000B11000-memory.dmp

Filesize
68KB

Download
memory/2076-149-0x0000000000000000-mapping.dmp

Download
memory/2492-133-0x0000000000000000-mapping.dmp

Download
memory/3216-134-0x0000000000000000-mapping.dmp

Download
memory/3404-141-0x0000000000000000-mapping.dmp

Download
memory/3824-151-0x0000000000000000-mapping.dmp

Download
memory/4132-147-0x0000000000000000-mapping.dmp

Download
memory/4144-148-0x0000000000000000-mapping.dmp

Download
memory/4200-132-0x0000000000000000-mapping.dmp

Download
memory/4252-146-0x0000000000000000-mapping.dmp

Download
memory/4284-144-0x0000000000000000-mapping.dmp

Download
memory/4412-154-0x0000000000000000-mapping.dmp

Download
memory/4604-167-0x0000000000000000-mapping.dmp

Download
memory/4860-162-0x0000000000000000-mapping.dmp

Download
memory/4864-138-0x0000000000000000-mapping.dmp

Download
memory/4868-142-0x0000000000000000-mapping.dmp

Download
memory/4908-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads