netwire | 4a8587f61a4969ae73d103ee83d1cdb1a12ebe6734bf32ab00a1de1529e54cf5

General

Target

SCANDA_Statement_of_Account_July_2020.exe
Size

486KB
MD5

32c10b0b4bb8a7e70cf58c573a05f16a
SHA1

a22e8814f215f2564d6c476506d7f76eb78fe80e
SHA256

146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa
SHA512

717ea71453999846b87dfe952b9d6cc64617a69909e07de9934668e48f320b7be52ec370917adf520a36de5a0441091e73565c3083e58f251e8b8af5776b7042

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/64-139-0x0000000003180000-0x00000000031B3000-memory.dmp	netwire
behavioral2/memory/4964-160-0x00000000021C0000-0x00000000021F3000-memory.dmp	netwire
behavioral2/memory/2024-162-0x00000000022F0000-0x0000000002323000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

4476 Host.exe
4964 Host.exe
5028 Host.exe

pid	process
4476	Host.exe
4964	Host.exe
5028	Host.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/916-130-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/916-131-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/1848-135-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
behavioral2/memory/1848-142-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/4476-141-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/4432-144-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/4476-147-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/4432-148-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
behavioral2/memory/5028-157-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/4304-158-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Install\Host.exe	upx
behavioral2/memory/5028-159-0x0000000000400000-0x00000000004EF000-memory.dmp	upx
behavioral2/memory/4304-161-0x0000000000400000-0x00000000004EF000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SCANDA_Statement_of_Account_July_2020.exeSCANDA_Statement_of_Account_July_2020.exeHost.exeSCANDA_Statement_of_Account_July_2020.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SCANDA_Statement_of_Account_July_2020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SCANDA_Statement_of_Account_July_2020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	SCANDA_Statement_of_Account_July_2020.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SCANDA_Statement_of_Account_July_2020.exeHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SCANDA_Statement_of_Account_July_2020.exe"	SCANDA_Statement_of_Account_July_2020.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	SCANDA_Statement_of_Account_July_2020.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SCANDA_Statement_of_Account_July_2020.exeHost.exeSCANDA_Statement_of_Account_July_2020.exe

description	pid	process	target process
PID 916 set thread context of 64	916	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 4476 set thread context of 4964	4476	Host.exe	Host.exe
PID 4432 set thread context of 2024	4432	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

Processes:

SCANDA_Statement_of_Account_July_2020.exeSCANDA_Statement_of_Account_July_2020.exeHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	SCANDA_Statement_of_Account_July_2020.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	SCANDA_Statement_of_Account_July_2020.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	Host.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SCANDA_Statement_of_Account_July_2020.exeSCANDA_Statement_of_Account_July_2020.exeSCANDA_Statement_of_Account_July_2020.exeHost.exeSCANDA_Statement_of_Account_July_2020.exeHost.exeHost.exeSCANDA_Statement_of_Account_July_2020.exeSCANDA_Statement_of_Account_July_2020.exe

pid	process
916	SCANDA_Statement_of_Account_July_2020.exe
916	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
64	SCANDA_Statement_of_Account_July_2020.exe
64	SCANDA_Statement_of_Account_July_2020.exe
64	SCANDA_Statement_of_Account_July_2020.exe
64	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
1848	SCANDA_Statement_of_Account_July_2020.exe
4476	Host.exe
4476	Host.exe
4432	SCANDA_Statement_of_Account_July_2020.exe
4432	SCANDA_Statement_of_Account_July_2020.exe
5028	Host.exe
5028	Host.exe
5028	Host.exe
5028	Host.exe
4964	Host.exe
4964	Host.exe
4964	Host.exe
4964	Host.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
2024	SCANDA_Statement_of_Account_July_2020.exe
2024	SCANDA_Statement_of_Account_July_2020.exe
2024	SCANDA_Statement_of_Account_July_2020.exe
5028	Host.exe
5028	Host.exe
2024	SCANDA_Statement_of_Account_July_2020.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
5028	Host.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
5028	Host.exe
5028	Host.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
5028	Host.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
5028	Host.exe
5028	Host.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
4304	SCANDA_Statement_of_Account_July_2020.exe
5028	Host.exe
5028	Host.exe
5028	Host.exe
5028	Host.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

SCANDA_Statement_of_Account_July_2020.exeHost.exeSCANDA_Statement_of_Account_July_2020.exe

pid process

916 SCANDA_Statement_of_Account_July_2020.exe
4476 Host.exe
4432 SCANDA_Statement_of_Account_July_2020.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2688 AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exeAdobeARM.exe

pid	process
2688	AcroRd32.exe
2688	AcroRd32.exe
4972	AcroRd32.exe
4592	AcroRd32.exe
2688	AcroRd32.exe
2688	AcroRd32.exe
2688	AcroRd32.exe
2688	AcroRd32.exe
4224	AdobeARM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SCANDA_Statement_of_Account_July_2020.exeSCANDA_Statement_of_Account_July_2020.exeSCANDA_Statement_of_Account_July_2020.exeHost.exeSCANDA_Statement_of_Account_July_2020.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 916 wrote to memory of 2688	916	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 916 wrote to memory of 2688	916	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 916 wrote to memory of 2688	916	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 916 wrote to memory of 64	916	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 916 wrote to memory of 64	916	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 916 wrote to memory of 64	916	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 916 wrote to memory of 1848	916	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 916 wrote to memory of 1848	916	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 916 wrote to memory of 1848	916	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 64 wrote to memory of 4476	64	SCANDA_Statement_of_Account_July_2020.exe	Host.exe
PID 64 wrote to memory of 4476	64	SCANDA_Statement_of_Account_July_2020.exe	Host.exe
PID 64 wrote to memory of 4476	64	SCANDA_Statement_of_Account_July_2020.exe	Host.exe
PID 1848 wrote to memory of 4432	1848	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 1848 wrote to memory of 4432	1848	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 1848 wrote to memory of 4432	1848	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 4476 wrote to memory of 4972	4476	Host.exe	AcroRd32.exe
PID 4476 wrote to memory of 4972	4476	Host.exe	AcroRd32.exe
PID 4476 wrote to memory of 4972	4476	Host.exe	AcroRd32.exe
PID 4476 wrote to memory of 4964	4476	Host.exe	Host.exe
PID 4476 wrote to memory of 4964	4476	Host.exe	Host.exe
PID 4476 wrote to memory of 4964	4476	Host.exe	Host.exe
PID 4432 wrote to memory of 4592	4432	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 4432 wrote to memory of 4592	4432	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 4432 wrote to memory of 4592	4432	SCANDA_Statement_of_Account_July_2020.exe	AcroRd32.exe
PID 4432 wrote to memory of 2024	4432	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 4432 wrote to memory of 2024	4432	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 4432 wrote to memory of 2024	4432	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 4476 wrote to memory of 5028	4476	Host.exe	Host.exe
PID 4476 wrote to memory of 5028	4476	Host.exe	Host.exe
PID 4476 wrote to memory of 5028	4476	Host.exe	Host.exe
PID 4432 wrote to memory of 4304	4432	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 4432 wrote to memory of 4304	4432	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 4432 wrote to memory of 4304	4432	SCANDA_Statement_of_Account_July_2020.exe	SCANDA_Statement_of_Account_July_2020.exe
PID 2688 wrote to memory of 216	2688	AcroRd32.exe	RdrCEF.exe
PID 2688 wrote to memory of 216	2688	AcroRd32.exe	RdrCEF.exe
PID 2688 wrote to memory of 216	2688	AcroRd32.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe
PID 216 wrote to memory of 3056	216	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe
"C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=05A38CFB560B027C7687CA3190ED2082 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3056

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3F95365AA15CF8F0F3F0AD112FCF15B2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3F95365AA15CF8F0F3F0AD112FCF15B2 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
4⤵
PID:2704

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=02F8B8321432C78C78BE6083B75202EA --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A45B94778139E6AC23B00B80F32DC4A8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A45B94778139E6AC23B00B80F32DC4A8 --renderer-client-id=5 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4816

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6791E52AC3B4A358FB2A4D1AA960BA70 --mojo-platform-channel-handle=2556 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3808

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EE5DF0B2F74B7B846DB4402D13A743E6 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:5056

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
3⤵
- Suspicious use of SetWindowsHookEx
PID:4224

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
4⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe
"C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4476

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order.pdf"
4⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4972

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe" 2 4964 240587078
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5028

C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe
"C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe" 2 64 240585703
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe
"C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4432

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order.pdf"
4⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe
"C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe" 2 2024 240587140
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe
"C:\Users\Admin\AppData\Local\Temp\SCANDA_Statement_of_Account_July_2020.exe"
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Order.pdf
Filesize
38KB

MD5
64c51e428b3aae202fe3b1f250783e38

SHA1
9c37ca4019a5ed8b6368a2c8a9319cac7541d86d

SHA256
0f92458dfe74bca8a5fb6e5db0d52d0227e9126a846f311a6b3b7ba16d8021d4

SHA512
dab4a6fe5331d757311737dffa73ebca4a91c6fa53b50e50c1d39f839039ab46b8e5fd029259394292c30ec85a88726de31fb2fa99d87e9a7350e9f82f4985dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Order.pdf
Filesize
38KB

MD5
64c51e428b3aae202fe3b1f250783e38

SHA1
9c37ca4019a5ed8b6368a2c8a9319cac7541d86d

SHA256
0f92458dfe74bca8a5fb6e5db0d52d0227e9126a846f311a6b3b7ba16d8021d4

SHA512
dab4a6fe5331d757311737dffa73ebca4a91c6fa53b50e50c1d39f839039ab46b8e5fd029259394292c30ec85a88726de31fb2fa99d87e9a7350e9f82f4985dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Order.pdf
Filesize
38KB

MD5
64c51e428b3aae202fe3b1f250783e38

SHA1
9c37ca4019a5ed8b6368a2c8a9319cac7541d86d

SHA256
0f92458dfe74bca8a5fb6e5db0d52d0227e9126a846f311a6b3b7ba16d8021d4

SHA512
dab4a6fe5331d757311737dffa73ebca4a91c6fa53b50e50c1d39f839039ab46b8e5fd029259394292c30ec85a88726de31fb2fa99d87e9a7350e9f82f4985dd

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
486KB

MD5
32c10b0b4bb8a7e70cf58c573a05f16a

SHA1
a22e8814f215f2564d6c476506d7f76eb78fe80e

SHA256
146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa

SHA512
717ea71453999846b87dfe952b9d6cc64617a69909e07de9934668e48f320b7be52ec370917adf520a36de5a0441091e73565c3083e58f251e8b8af5776b7042

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
486KB

MD5
32c10b0b4bb8a7e70cf58c573a05f16a

SHA1
a22e8814f215f2564d6c476506d7f76eb78fe80e

SHA256
146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa

SHA512
717ea71453999846b87dfe952b9d6cc64617a69909e07de9934668e48f320b7be52ec370917adf520a36de5a0441091e73565c3083e58f251e8b8af5776b7042

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
486KB

MD5
32c10b0b4bb8a7e70cf58c573a05f16a

SHA1
a22e8814f215f2564d6c476506d7f76eb78fe80e

SHA256
146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa

SHA512
717ea71453999846b87dfe952b9d6cc64617a69909e07de9934668e48f320b7be52ec370917adf520a36de5a0441091e73565c3083e58f251e8b8af5776b7042

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
486KB

MD5
32c10b0b4bb8a7e70cf58c573a05f16a

SHA1
a22e8814f215f2564d6c476506d7f76eb78fe80e

SHA256
146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa

SHA512
717ea71453999846b87dfe952b9d6cc64617a69909e07de9934668e48f320b7be52ec370917adf520a36de5a0441091e73565c3083e58f251e8b8af5776b7042

Download Submit
memory/64-133-0x0000000000000000-mapping.dmp

Download
memory/64-139-0x0000000003180000-0x00000000031B3000-memory.dmp

Filesize
204KB

Download
memory/216-163-0x0000000000000000-mapping.dmp

Download
memory/452-173-0x0000000000000000-mapping.dmp

Download
memory/916-131-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/916-130-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1848-134-0x0000000000000000-mapping.dmp

Download
memory/1848-135-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1848-142-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2024-154-0x0000000000000000-mapping.dmp

Download
memory/2024-162-0x00000000022F0000-0x0000000002323000-memory.dmp

Filesize
204KB

Download
memory/2688-132-0x0000000000000000-mapping.dmp

Download
memory/2704-168-0x0000000000000000-mapping.dmp

Download
memory/3056-165-0x0000000000000000-mapping.dmp

Download
memory/3808-181-0x0000000000000000-mapping.dmp

Download
memory/4224-186-0x0000000000000000-mapping.dmp

Download
memory/4304-158-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4304-156-0x0000000000000000-mapping.dmp

Download
memory/4304-161-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4432-144-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4432-140-0x0000000000000000-mapping.dmp

Download
memory/4432-148-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4476-141-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4476-147-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/4476-136-0x0000000000000000-mapping.dmp

Download
memory/4592-151-0x0000000000000000-mapping.dmp

Download
memory/4816-176-0x0000000000000000-mapping.dmp

Download
memory/4964-160-0x00000000021C0000-0x00000000021F3000-memory.dmp

Filesize
204KB

Download
memory/4964-150-0x0000000000000000-mapping.dmp

Download
memory/4972-149-0x0000000000000000-mapping.dmp

Download
memory/5028-159-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5028-157-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/5028-153-0x0000000000000000-mapping.dmp

Download
memory/5056-184-0x0000000000000000-mapping.dmp

Download
memory/5088-187-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads