eternity | 67014237713d167e0676ed58d8aa095cbfef04cbc834c0dc512fd5c3df6285ea

General

Target

219c1d87426d8ed8b3e62176d1291f80.exe
Size

8.9MB
MD5

219c1d87426d8ed8b3e62176d1291f80
SHA1

105af4d6ca9510c99657145ff0ebf4db71238a32
SHA256

67014237713d167e0676ed58d8aa095cbfef04cbc834c0dc512fd5c3df6285ea
SHA512

0bcfb390bd234bd313ea4335faae2011e297f7d9012b14457a011c883b171b99c08e8c43a6f4502ea260a2138521c006e0e78365cbcfb74cb7a417e8e9b56dd6
SSDEEP

196608:FquoUUOSW7GeGIr1reEs+sqgwC1UODDjai0fyxrAWk:00EkbGIrZbbsPUODZY

Score

10^/10

eternity

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes

payload_urls
http://167.88.170.23/w993.exe
http://167.88.170.23/s101.exe,http://167.88.170.23/101.exe,http://167.88.170.23/R101.exe

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Executes dropped EXE 4 IoCs

Processes:

Catalogo2019.exeCatalogo2019.exeCatalogo2019.exeCatalogo2019.exe

pid process

3408 Catalogo2019.exe
4948 Catalogo2019.exe
2456 Catalogo2019.exe
4048 Catalogo2019.exe

pid	process
3408	Catalogo2019.exe
4948	Catalogo2019.exe
2456	Catalogo2019.exe
4048	Catalogo2019.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

219c1d87426d8ed8b3e62176d1291f80.exeCatalogo2019.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	219c1d87426d8ed8b3e62176d1291f80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Catalogo2019.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Catalogo2019.exe

description pid process target process

PID 3408 set thread context of 4948 3408 Catalogo2019.exe Catalogo2019.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3408 set thread context of 4948	3408	Catalogo2019.exe	Catalogo2019.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2916 schtasks.exe

pid	process
2916	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

219c1d87426d8ed8b3e62176d1291f80.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	219c1d87426d8ed8b3e62176d1291f80.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2612 PING.EXE

pid	process
2612	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

AcroRd32.exe

pid	process
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe
2240	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

2240 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

2240 AcroRd32.exe
2240 AcroRd32.exe
2240 AcroRd32.exe
2240 AcroRd32.exe
2240 AcroRd32.exe
2240 AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

219c1d87426d8ed8b3e62176d1291f80.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 764 wrote to memory of 2240	764	219c1d87426d8ed8b3e62176d1291f80.exe	AcroRd32.exe
PID 764 wrote to memory of 2240	764	219c1d87426d8ed8b3e62176d1291f80.exe	AcroRd32.exe
PID 764 wrote to memory of 2240	764	219c1d87426d8ed8b3e62176d1291f80.exe	AcroRd32.exe
PID 764 wrote to memory of 3408	764	219c1d87426d8ed8b3e62176d1291f80.exe	Catalogo2019.exe
PID 764 wrote to memory of 3408	764	219c1d87426d8ed8b3e62176d1291f80.exe	Catalogo2019.exe
PID 764 wrote to memory of 3408	764	219c1d87426d8ed8b3e62176d1291f80.exe	Catalogo2019.exe
PID 2240 wrote to memory of 4916	2240	AcroRd32.exe	RdrCEF.exe
PID 2240 wrote to memory of 4916	2240	AcroRd32.exe	RdrCEF.exe
PID 2240 wrote to memory of 4916	2240	AcroRd32.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 1520	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe
PID 4916 wrote to memory of 240	4916	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\219c1d87426d8ed8b3e62176d1291f80.exe
"C:\Users\Admin\AppData\Local\Temp\219c1d87426d8ed8b3e62176d1291f80.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:764

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.pdf"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F75942E21761538BE004F19EA1B84969 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F75942E21761538BE004F19EA1B84969 --renderer-client-id=2 --mojo-platform-channel-handle=1700 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1520

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0935864CE6408BEA13586B4CCA3587A3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0935864CE6408BEA13586B4CCA3587A3 --renderer-client-id=3 --mojo-platform-channel-handle=2012 --allow-no-sandbox-job /prefetch:1
4⤵
PID:240

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D67B073A3FBF97803E6E60F289097D00 --mojo-platform-channel-handle=2192 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2712

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BAF26209D526BEEBD72BE83B7E814B9A --mojo-platform-channel-handle=2584 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1928

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=943318D0486DF8949538A2FB1D3E3084 --mojo-platform-channel-handle=2700 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:384

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C7D9B5D63FB24033307C6CD1D091A41 --mojo-platform-channel-handle=2628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
"C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3408

C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
"{path}"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Catalogo2019" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe"
4⤵
PID:3796

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:3176

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2612

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "Catalogo2019" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2916

C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
"C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe"
5⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
1⤵
- Executes dropped EXE
PID:4048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Catalogo2019.exe.log
Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Catalogo2019.exe
Filesize
1.8MB

MD5
68d348019229f619929995cf7f7dfa4d

SHA1
9e2f888c42d51f91c900bec478e703fe145e1a54

SHA256
6a3e51e28e36cd97a2583a95027eb800a228e40572070be67ec9fcd5790e2077

SHA512
31bb14a79825d2c86fce283ff928accf8e387da06dff03614ab50c55ab18aa9ef7ad055f5c3569529bffae8d9d5c9891b31e54da3d5e58a0f173fc6af0ef51a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Catalogo2019.pdf
Filesize
6.9MB

MD5
860c783b07be69a39bcc9ffd3037c26e

SHA1
aecdf16bd194f061a9a61e43e6572e5cc207721c

SHA256
cc61f690953749f79783f8001b7e450709e74d54a13857806bc4bda1603bcb4e

SHA512
f01840127856ae37167de832b67d8361452365d452c58a753a4f9c1692dde44f1b1c6d2f1083e3e9999fc4642e03a08bf6e5c3ade2b3e3a3cf21ca4996b6e3a8

Download Submit
memory/240-150-0x0000000000000000-mapping.dmp

Download
memory/384-161-0x0000000000000000-mapping.dmp

Download
memory/764-132-0x0000000000700000-0x0000000000FF0000-memory.dmp

Filesize
8.9MB

Download
memory/856-164-0x0000000000000000-mapping.dmp

Download
memory/1520-145-0x0000000000000000-mapping.dmp

Download
memory/1928-158-0x0000000000000000-mapping.dmp

Download
memory/2240-133-0x0000000000000000-mapping.dmp

Download
memory/2456-174-0x0000000000000000-mapping.dmp

Download
memory/2612-172-0x0000000000000000-mapping.dmp

Download
memory/2712-155-0x0000000000000000-mapping.dmp

Download
memory/2916-173-0x0000000000000000-mapping.dmp

Download
memory/3176-171-0x0000000000000000-mapping.dmp

Download
memory/3408-139-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/3408-142-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/3408-141-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/3408-140-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/3408-138-0x0000000000540000-0x000000000071E000-memory.dmp

Filesize
1.9MB

Download
memory/3408-135-0x0000000000000000-mapping.dmp

Download
memory/3796-169-0x0000000000000000-mapping.dmp

Download
memory/4916-143-0x0000000000000000-mapping.dmp

Download
memory/4948-167-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4948-166-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads