Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 14:03

Static task: static1
Behavioral task: behavioral1
  Sample: 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe
  Resource: win10v2004-20220812-en

General
Target: 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe
Size: 605KB
MD5: 3a9d22c436ba5595f37eb85fb63179f5
SHA1: b5dd3f9223f82208b51d181c2e2bd8aef60c76ec
SHA256: 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb
SHA512: 3aac161a6fcd30df59253e6ce0a8fe155bea86c51d577e27f6abe1c01b8cf8f7e48381bf42793e79c9d9689b008ccafc4015ab567283d960c2691bbff6217031
SSDEEP: 12288:N5+UjLWwac3wzp/DLxcLkZQT+H0M7ozQ26:N5+4lJ3acLkZEY126
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Acrobat Debugger\\acrobtdeb.exe" | explorer.exe
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Adds policy Run key to start application (2 TTPs, 16 IoCs)
Executes dropped EXE (2 IoCs)
pid | Process
1992 | acrobtdeb.exe
3392 | acrobtdeb.exe

resource | yara_rule
behavioral2/memory/2508-154-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/2508-155-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/2508-156-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/2508-158-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/2508-159-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/2508-160-0x0000000001610000-0x000000000171F000-memory.dmp | upx
behavioral2/memory/2508-161-0x0000000001610000-0x000000000171F000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe
Adds Run key to start application (2 TTPs, 20 IoCs)
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1496 set thread context of 3900 | 1496 | 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | 79
PID 1992 set thread context of 3392 | 1992 | acrobtdeb.exe | 119
PID 3392 set thread context of 2508 | 3392 | acrobtdeb.exe | 121
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | explorer.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2508 | explorer.exe
2508 | explorer.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3900 | 6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe
2508 | explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (indentation shows depth; each entry is path | command line | PID, followed by the signatures it triggered):

C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | "C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe" | PID:1496
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe | "C:\Users\Admin\AppData\Local\Temp\6d3f87f3abe501b3f48ffbb98cc9c6369386a0a06d001a3928d10ef49e66bfdb.exe" | PID:3900
    - Adds policy Run key to start application
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe | svchost.exe | PID:3852
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2888
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1756
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1476
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4524
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4684
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:1420
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2892
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2636
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4124
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4668
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:5032
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:3568
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2296
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4368
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4316
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:1300
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:3476
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4540
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4520
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4104
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4404
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4904
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2596
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:3684
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:3196
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:4212
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4132
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:536
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2200
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2248
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:448
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:1660
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1432
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:4492
    C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1748
    C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | "C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe" | PID:1992
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe | "C:\Users\Admin\AppData\Roaming\Acrobat Debugger\acrobtdeb.exe" | PID:3392
        - Adds policy Run key to start application
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        C:\Windows\SysWOW64\svchost.exe | svchost.exe | PID:3896
          - Adds policy Run key to start application
          - Adds Run key to start application
        C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:2508
          - Modifies WinLogon for persistence
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID:2316
Network
MITRE ATT&CK Enterprise v6
Downloads