b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01

Analysis

max time kernel
177s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
Size

201KB
MD5

b1839f3b0f0e4038d1fd83c983be0d84
SHA1

2bf1f11aa6ea2d3c143b96429af67732422045b7
SHA256

b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01
SHA512

a38615b638277c03228bf2ab4cc62501cae9733c8ef0b26997b1aebc14b460004a0475e98767e95874a1784f8bbfda4da4b620966b6994128862f3ca72d91735
SSDEEP

3072:jvqz89m+363/7AbwLYtcFkTS3WqNbuXJ7RqhqzPdeplhkB7wAKLu0A9JsZKjtU89:r3TSFNiNsqoplhKEu0Wswj2eMs

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4364	acrotray.exe
216	acrotray.exe
2804	acrotray .exe
1196	acrotray .exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\acrotray .exe	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007f21575e5ff9b94ab87f366c8ae4228b00000000020000000000106600000001000020000000536a0ae3e30bb965ebd7e30d6f69bc46e68b45030593f4a7a0c7208e2326b891000000000e8000000002000020000000c5b4987a732d079d05e3459688113b5cb86c64bbd945967fa3acdf2de3668c5820000000c7d73b4b110f594d6c8a867bdf41a7f5a42349307bb1c57ffb81e74b666809004000000014a7c7c11381b455075faffcbdc332c39764dab7e60cd5818a3407053bf521c564bfa864b17bfe25d342b67aeafef5ef437ca4a20376f1374889af3565b117af	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000904"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0fc6d424809d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4083a24a4809d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1925"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007f21575e5ff9b94ab87f366c8ae4228b000000000200000000001066000000010000200000006994393be4ae5a3fbb22b0fee13480cc3b7407158c45a58be67d12ce40d3b2e9000000000e800000000200002000000003743966be567c240fdf5971120c8b68689daa18c7e351f4854a4a115f33f0c120000000161dafc61412536902aefde1e6e0373b26e815fdc2bcf53d052b3c56ce4b4c0b40000000db4ddd7b97bc8652c5b9e450b1e21ec05024fec7e96ad9338228b9f976b13661084592780c1b4fee1cd64f672e3413ece03dafc415bbb27dcf9900568080011e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\superwebbysearch.com\Total = "970"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\supernetforme.com\Total = "955"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000904"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\superwebbysearch.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\supernetforme.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\supernetforme.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "955"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\superwebbysearch.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "811646275"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.superwebbysearch.com\ = "970"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{57FD30BB-753B-11ED-89AC-72E5C3FA065D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.superwebbysearch.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1048883278"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.supernetforme.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000904"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007f21575e5ff9b94ab87f366c8ae4228b0000000002000000000010660000000100002000000046e8511b2ae3306619d9d521eb267fb3455281552ac72d183561a519594fe635000000000e8000000002000020000000e04c070a93e781b3572a40512b3b7fd13dab6e4a0eee3602315806a9a86e1c03200000008cbfee3911e6e2019461e2b8594df3c65fa23930e5fd15ef3f8b2e3c4cac9a5d400000009db4f328ed81ec6160fdf5a291a09fe26f4366df93d3c76f9f5edc954b92e3c35e9fb1d411bb409fe5d7ab8bc6020992cbfbf564ac44acfd2cac52e276b8df7a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377078318"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d257534809d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\supernetforme.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.supernetforme.com\ = "955"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000904"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "811646275"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1048883278"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007f21575e5ff9b94ab87f366c8ae4228b000000000200000000001066000000010000200000005ff326ff6af8495f5c6a04ee62a9adc9c7d45efcd8f144ad8b061f15def80280000000000e80000000020000200000009e53507fc4875e6c07a13d45d08ce149204025e2cfc9b119fe26756c2aad9ff720000000e2961ec221b8dfad01f0e113e8f8a4372374eda4276dad0f7ef68931a42ac60c400000004339d423228c210275a9e2cbf30b2977ea651f9de8bc0bdd904c7eca4e3689acaa2a43e2dcc406163cc6ded7059a3474f7f800fb5c0e842d1c27163fa71a99c6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
4364	acrotray.exe
4364	acrotray.exe
4364	acrotray.exe
4364	acrotray.exe
4364	acrotray.exe
4364	acrotray.exe
216	acrotray.exe
216	acrotray.exe
216	acrotray.exe
216	acrotray.exe
2804	acrotray .exe
2804	acrotray .exe
2804	acrotray .exe
2804	acrotray .exe
2804	acrotray .exe
2804	acrotray .exe
1196	acrotray .exe
1196	acrotray .exe
1196	acrotray .exe
1196	acrotray .exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
216	acrotray.exe
216	acrotray.exe
1196	acrotray .exe
1196	acrotray .exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
216	acrotray.exe
216	acrotray.exe
1196	acrotray .exe
1196	acrotray .exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
216	acrotray.exe
216	acrotray.exe
1196	acrotray .exe
1196	acrotray .exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
216	acrotray.exe
216	acrotray.exe
1196	acrotray .exe
1196	acrotray .exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
216	acrotray.exe
216	acrotray.exe
1196	acrotray .exe
1196	acrotray .exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
216	acrotray.exe
216	acrotray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
Token: SeDebugPrivilege	3568	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
Token: SeDebugPrivilege	4364	acrotray.exe
Token: SeDebugPrivilege	216	acrotray.exe
Token: SeDebugPrivilege	2804	acrotray .exe
Token: SeDebugPrivilege	1196	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3884	iexplore.exe
3884	iexplore.exe
3884	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3884	iexplore.exe
3884	iexplore.exe
5052	IEXPLORE.EXE
5052	IEXPLORE.EXE
3884	iexplore.exe
3884	iexplore.exe
3328	IEXPLORE.EXE
3328	IEXPLORE.EXE
3884	iexplore.exe
3884	iexplore.exe
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 3568	1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe	80
PID 1176 wrote to memory of 3568	1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe	80
PID 1176 wrote to memory of 3568	1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe	80
PID 1176 wrote to memory of 4364	1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe	81
PID 1176 wrote to memory of 4364	1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe	81
PID 1176 wrote to memory of 4364	1176	b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe	81
PID 4364 wrote to memory of 216	4364	acrotray.exe	83
PID 4364 wrote to memory of 216	4364	acrotray.exe	83
PID 4364 wrote to memory of 216	4364	acrotray.exe	83
PID 4364 wrote to memory of 2804	4364	acrotray.exe	84
PID 4364 wrote to memory of 2804	4364	acrotray.exe	84
PID 4364 wrote to memory of 2804	4364	acrotray.exe	84
PID 2804 wrote to memory of 1196	2804	acrotray .exe	86
PID 2804 wrote to memory of 1196	2804	acrotray .exe	86
PID 2804 wrote to memory of 1196	2804	acrotray .exe	86
PID 3884 wrote to memory of 5052	3884	iexplore.exe	87
PID 3884 wrote to memory of 5052	3884	iexplore.exe	87
PID 3884 wrote to memory of 5052	3884	iexplore.exe	87
PID 3884 wrote to memory of 3328	3884	iexplore.exe	95
PID 3884 wrote to memory of 3328	3884	iexplore.exe	95
PID 3884 wrote to memory of 3328	3884	iexplore.exe	95
PID 3884 wrote to memory of 2728	3884	iexplore.exe	97
PID 3884 wrote to memory of 2728	3884	iexplore.exe	97
PID 3884 wrote to memory of 2728	3884	iexplore.exe	97

C:\Users\Admin\AppData\Local\Temp\b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
"C:\Users\Admin\AppData\Local\Temp\b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe
  "C:\Users\Admin\AppData\Local\Temp\b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe" C:\Users\Admin\AppData\Local\Temp\b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\b9fe9161b2b5701a16b846dd89dbe839e98cf7adc96f5041bbd3edd404a81b01.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1196

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:2840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3884 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5052
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3884 CREDAT:82952 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3328
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3884 CREDAT:17420 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
233KB

MD5
d91b8faaa33d666121e532a7ef7d44d8

SHA1
1a8765fac937de74d0ed79fdb7b99f92b18e0717

SHA256
d7bcfd3598a5fb0edc186e7c79fb71ff43bad50e079e4268ad64806a200847e0

SHA512
7fce2858983d0792e0f7a694fbb3509d53d0cad2ca39e365802070b37c978da7647f482b4b7eb166686ccf17501080f202bce16b8681dfcad762bc6cd6881efd

Download Submit
C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
233KB

MD5
d91b8faaa33d666121e532a7ef7d44d8

SHA1
1a8765fac937de74d0ed79fdb7b99f92b18e0717

SHA256
d7bcfd3598a5fb0edc186e7c79fb71ff43bad50e079e4268ad64806a200847e0

SHA512
7fce2858983d0792e0f7a694fbb3509d53d0cad2ca39e365802070b37c978da7647f482b4b7eb166686ccf17501080f202bce16b8681dfcad762bc6cd6881efd

Download Submit
C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
233KB

MD5
d91b8faaa33d666121e532a7ef7d44d8

SHA1
1a8765fac937de74d0ed79fdb7b99f92b18e0717

SHA256
d7bcfd3598a5fb0edc186e7c79fb71ff43bad50e079e4268ad64806a200847e0

SHA512
7fce2858983d0792e0f7a694fbb3509d53d0cad2ca39e365802070b37c978da7647f482b4b7eb166686ccf17501080f202bce16b8681dfcad762bc6cd6881efd

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
203KB

MD5
3a1ed478afdb3b2029c6a8ced04e6958

SHA1
4288d3cc28fef5995c3fb4072e6221d7b5e0b698

SHA256
643bd15f90571c2858a5b7f74a871cb9163425cd7ef42776b38fbaaa2c809981

SHA512
81d45d087c5a9b7bd5ff1605ff026f4440f86a9d9a1030621f384a5ece08bb05a34ed1890b6d92c491fd9db5d43baf4a7de5f1274d108dba104fd9d7b75a833c

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
203KB

MD5
3a1ed478afdb3b2029c6a8ced04e6958

SHA1
4288d3cc28fef5995c3fb4072e6221d7b5e0b698

SHA256
643bd15f90571c2858a5b7f74a871cb9163425cd7ef42776b38fbaaa2c809981

SHA512
81d45d087c5a9b7bd5ff1605ff026f4440f86a9d9a1030621f384a5ece08bb05a34ed1890b6d92c491fd9db5d43baf4a7de5f1274d108dba104fd9d7b75a833c

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
203KB

MD5
3a1ed478afdb3b2029c6a8ced04e6958

SHA1
4288d3cc28fef5995c3fb4072e6221d7b5e0b698

SHA256
643bd15f90571c2858a5b7f74a871cb9163425cd7ef42776b38fbaaa2c809981

SHA512
81d45d087c5a9b7bd5ff1605ff026f4440f86a9d9a1030621f384a5ece08bb05a34ed1890b6d92c491fd9db5d43baf4a7de5f1274d108dba104fd9d7b75a833c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9

Filesize
1KB

MD5
ef0a5356109e7bbe89316d30b1704102

SHA1
c03110d8b0660d80bcf5b30732ff548af793f0fb

SHA256
ddc49b9f1b3a236cef1a6affc184b9140af764819904e92e18b3f88612deb16d

SHA512
e787e4ebedc00078925da48016099bc4eaedf0daf8f5871916cabaf1f25a78b4d791dfd628b397d7ff59d02f70fe89247805d4a6796e7e2562f0984ecc664e29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
e564cab61e382406f4d7e9ebdca3f2ca

SHA1
68f896027033333b22ce4479fbe87e3a13ff79df

SHA256
9b67206021b63e35a55fe2b95b9263fd514099f4e4bd0e3fef0f4a33d1c69028

SHA512
6ed16f0eeea4c054b21f187dab5dbed13109ba9355700fa7a0e57c5823300aac2e9acd00455b2adb4ab2d81cb96f05082ac2cd23877be5894e2c51408bd45fc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
28b32aa5ff3510390e757a05e43f3b95

SHA1
ec807cc921ef696297c7783aa463bbdea3b9d696

SHA256
3482ea10aa62bb911999d06d1f8f875103e97140d691a6b7b202349f9674b0d7

SHA512
78b598cd8e59ef5f038482576a8746233d66d592ea579691a88d53a38f4baaea7b7e4c8fb2f31ca8d496788e1d1a32fd936adf7a323220e41c1f758f852a9d20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
5006b8e985c5838b7fd2f2b558a65bc4

SHA1
183ff15e0faedf346305fd6fe1c70c9c7a1eef4a

SHA256
fcbfec9f5fd0e10d44778c1df64d8612281cd39881cdfd0aa8ca30d13655655a

SHA512
56526aaf34500a94404e83461b3580513be1f07b288485c7059fc1ec86b77cda50da613b7def2fe6a8e2d04bb3d522fdffb5f7e9293eab06e86cd2d6af24a1a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7E301575BABDCBC6D3C3B91BC6B458AD

Filesize
471B

MD5
342da2c33af109ac503ef72014789071

SHA1
9f9ce9e9c713ba3ebf8d2c2339b9ec2fa506567a

SHA256
beade5b410ce931a244db18222f0228e501d4c517a29a1af6e316f6c2fc340a7

SHA512
a743f374f1ace6ea6dfd7450cd5ccd6d7bd4d2e9a098932aff6105786a3b5e96647bce9a5029e2265517930478b41d96e261fd3cd9e7b4575605e679065101e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9

Filesize
458B

MD5
6d3fd22b1c9a114f649c71b430af5064

SHA1
0a3ba5e7d6c394b4340bc57f057816bdcf5185f7

SHA256
ecc24508ee4c39ffa48b64bb93dc42249181ed1880e25bc12287c2c4f905c695

SHA512
03e6b3fbc4748c4f97e202b0d895b192311d60d42cc1b9873dce325c4f8ea3e5b39e971c58e49ae91db7ed6d822e9be15388b74afb7cf890465d6a31d77176c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
ab89b3027f2155a8c89813c5281781c9

SHA1
1b8aaec80446e98573975eb1f35af817f0fbf5e2

SHA256
c0909093063dc402962142955d1a4ca0678be7ca37e32807961f625b7d4ae0ed

SHA512
1c76d7bf483da5e01ccf98a9a39cd833b498b8c9a1703528c177f1afc8ce9030a4e9dd3050e1235600d29f1fd0255baf1cd33c3769824e62f8aa868145464f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
b14b2e026aee07d9c1807a2389d1012a

SHA1
e5c7d50c54eda34a2068f3b82e29bed6d795340f

SHA256
b6275775adcfaff780d304f4ab007d75a57bbf9ac64ccf47499f8cb9beedf18b

SHA512
313535fdc5b985270552e6aa31d1269e1f17032efdd0b2a7b8c8f1e2046914d01e83b285b8eb0fad40ee2ac3e126dd2f65c93795abd0131f9bcebd1414d6c5a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
82ec3c0f8347777121b61caaf768c341

SHA1
cf74deb1696845f5a70ac9d6b0564738f74532a4

SHA256
55d780167e0a3a7ab4d7670aa03a4bbf421327e14e67ae8c3eb70e5ac2e3bb40

SHA512
be166ac6485ee549b6b5cecfd7133978317b03f840bedcb314cb08d784601a9cb1b4c5244d4b0e0233801b5ffa2e49372066eb23aa147f6c22879014b17f5818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7E301575BABDCBC6D3C3B91BC6B458AD

Filesize
406B

MD5
3cca07ced8ef332d7a6e1241fd08613c

SHA1
bcfaa11d715ac80c244f2c7c0b1b737f2d6eae92

SHA256
fdf313e82ab6784ee136ed03073a2c7731ab55d002f19d4f6fa4b6e5bfc7fd05

SHA512
d50dde4f16aef5fd5043ce50bbff7ed32173066beb88c07e1781c00310e0257c4f91261f2fb7480f9ae5608bceb7919ba361db05284b87d4114fd919b5ca4976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
4abc5854cc10abfd61bf32d454de518b

SHA1
9d12afbdb355a2bb20c2684367010ebe8bcae7d0

SHA256
3338521459e3f761886120286492744cc7321790bad4217302b0ecc0003f4f6d

SHA512
0704bcc8fd0c7efe0e473129bd5ca5f4be0aa372deb261ed4a306aa1012a0996663a8fd1d4e25f945fd3bd7c623cc14a2e1c6628585f4b87689220ea59b3e1ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\2.5940ae1c.chunk[1].js

Filesize
418KB

MD5
04bb6e8d9135d976f28e9ba68fbc6f67

SHA1
fe386efd5e23414c48e37d3dbfe340f1ae5d4d4a

SHA256
b81d40ef3e5928c7bee6ec287ecebfea17f6d62b277916f0b70d223fa4881d18

SHA512
aa21f0744d9e6d286506e425af6f1ea091ebcbe3c671fe339d5c3c18e541323cada2182fae79e3c910aabf4d225142b2bd8458b890322e07f4f9084cf686fbd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\main.4e219663.chunk[1].js

Filesize
273KB

MD5
87b518e8e45487e774f8d47f2dc0026f

SHA1
e5da4365a7867737da9b39ef021cf9f35d12cc5b

SHA256
1ef669d1914ecf9299396df700b34839c61c6bb24297dc6b4284820eb5f2e5d9

SHA512
7b8b1c87c0eb5ab34d515df4880b88dcc5bf7c6b5089349bcf05cd2bb82a0152ba7ebd21fa45fabbc460076543e7e563f881234d3b1dbe66188e98d01a8c7d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\caf[2].js

Filesize
143KB

MD5
087fa8b05a1bbf548117c0e33ac77baf

SHA1
be02e7989299c68f5ffc11841c0de8fc2e6e024d

SHA256
e69512ecc3e2daec343f481cdbf617163f62cb9bc31a38bd8ff08ceff6e52df4

SHA512
e979b03e9e54920971f11b84643742c068570a3ca61c15a7f6cea567a30cbbb7a31f44adf5a52cfa6cf10cc492cbcc8060fe314d4d992533136ef8c80cd0cea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\chevron[1].svg

Filesize
200B

MD5
11b3089d616633ca6b73b57aa877eeb4

SHA1
07632f63e06b30d9b63c97177d3a8122629bda9b

SHA256
809fb4619d2a2f1a85dbda8cc69a7f1659215212d708a098d62150eee57070c1

SHA512
079b0e35b479dfdbe64a987661000f4a034b10688e26f2a5fe6aaa807e81ccc5593d40609b731ab3340e687d83dd08de4b8b1e01cdac9d4523a9f6bb3acfcba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\search[1].svg

Filesize
391B

MD5
a6ad6e65373db8c1b1f154c4c83f8ce5

SHA1
84cc007d6d682c589e1e1f87482a5278830f3000

SHA256
920a378947204498c122722933b3a4b67788a2b6fade8bd0d47cf830eeee0563

SHA512
09b6d4711c284b1a04c9c4d874f3d1ddfc876c1491fb2aa283a13505bcdbfe90b02731d0b7ad5f492b1dda2161a4afe20040801ea634d2727cde84319adfb1d2

Download Submit
memory/1176-132-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download