globeimposter | 2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274

General

Target

2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
Size

220KB
MD5

7b65b6bdd6866345d6f9d0e18a0dcbc9
SHA1

fe3fdda918a3db1b17fc48716b574356700d5fc0
SHA256

2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274
SHA512

0e73217400e0763ff6e455f7e6fec40b9bfc849c45d2dfec88e5b4ea7f5f102578a0694d35c1b18993bf8f41a5bcbf09903f5bc9662b08fbcae4f6484a274ef1

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\OptimizeEdit.png => C:\Users\Admin\Pictures\OptimizeEdit.png..doc	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Pictures\SelectRepair.tiff	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File renamed	C:\Users\Admin\Pictures\SelectRepair.tiff => C:\Users\Admin\Pictures\SelectRepair.tiff..doc	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File renamed	C:\Users\Admin\Pictures\SkipUndo.tif => C:\Users\Admin\Pictures\SkipUndo.tif..doc	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Pictures\TestConfirm.tiff	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File renamed	C:\Users\Admin\Pictures\TestConfirm.tiff => C:\Users\Admin\Pictures\TestConfirm.tiff..doc	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File renamed	C:\Users\Admin\Pictures\ClearSearch.png => C:\Users\Admin\Pictures\ClearSearch.png..doc	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File renamed	C:\Users\Admin\Pictures\FormatTest.crw => C:\Users\Admin\Pictures\FormatTest.crw..doc	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe"	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Public\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

Drops file in Program Files directory 64 IoCs

Processes:

2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_filter_18.svg	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlMiddleCircleHover.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-100.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1851_20x20x32.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\MedTile.scale-200.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-200.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons_retina.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\en-IN_female_TTS\prompts_en-IN_TTS.lua	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-125.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\no_get.svg	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-unplated.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\Mixer_logo_half-White_RGB.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GameBar_AppList.scale-100.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.contrast-black_scale-100.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ind_prog.gif	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\webviewBoot.min.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\resources.pri	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-150.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\ui-strings.js	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\hscroll-thumb.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DigSig.api	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-100.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\appstore.png	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-RTL.gif	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\Read___ME.html	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

pid	process
2128	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
2128	2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe

C:\Users\Admin\AppData\Local\Temp\2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe
"C:\Users\Admin\AppData\Local\Temp\2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2128-131-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2128-132-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2128-133-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads