ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee

Analysis

max time kernel
159s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
Size

908KB
MD5

29bea19331f3cc3ea9df51ad081d70ab
SHA1

ceadab9a23fc578caeb44ffcd46bb619d45f482b
SHA256

ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee
SHA512

413f9a491d1a710107fcb5baa465cfb51b6f3a0d55b25144940afba43b69f3c7767647ce9a55fc0e4625b0a96f8b4c24dfd38ec99a10697be2fa7a7f749e1869
SSDEEP

12288:QcQgCJcyk4S6QesXwuwMZnEGWzjcIEZXL4LUYCok7rA7WU+KGt9dUX:QNcyk44DAOWzv+p1yMzdUX

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1420	acrotray.exe
5116	acrotray.exe
5000	acrotray .exe
5080	acrotray .exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\acrotray .exe	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3502474685"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0bef8d7a409d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000007636e654213db6fc7db46e46bf952c0732bf09e755315692b91e9d8323983230000000000e8000000002000020000000b27041197b73d5ccf229ab4a0d240d1445c44d70c212fa770cef0eba04754305200000007030538cafe9002c3f457d313dadf154ab88536ce84dc59431d8e5085729ad6940000000453207f04d4068be79e5f9d219914eedbbcc8576948fac186898e264f1aca4fad815339307fbf049858fd8aa85f9b0f64abe2c65b44bc6472f5815c675634d77	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c97480000000002000000000010660000000100002000000097601ecf4f59a8ccb63127c7c29881b72b39282ad80e7f9c357f7e2902192a57000000000e8000000002000020000000f83650e0ce1f2e3709b5bb88a589c342bc01196ddebf630b5f0d4dcd49ebdba120000000f311e7b97cf2a5eb0fcf36145137536070928b88afb49d800a1bed2b54fbce9e400000004833590cc11aaee13c3a8d2c0878a0f4b7419ba406a6fd576ed88e6f2188ecb5f9f7a78b7ded72ba9504e3481e8ba1e68bc18ddc56a29d50734d5e8d2675ade1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000996"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90760fd4a409d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3753413914"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\superwebbysearch.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F05FE9B8-7597-11ED-919F-DE9E83FE850F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377118071"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\superwebbysearch.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000f3a2f54c315e4f99875b2dc58e3d7f9f0be81ba174698415c4f4c671ddd07559000000000e8000000002000020000000e7ffae4c0a0f5372d1c7374d0b7bb1a8495c219e1178e67b0c7ae134be93432d200000005ef7606e50c0b1faadcef94ef77cdfb340d7f1e7cc30cc840f1c904885ce775840000000f90941825879e662c7d8c3d995d23b6392db1f443a246f3665feb56594d42d7e9018f3058794fbf74cea0f6fac902b0af2823d57425450882bf763b481c8e428	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31000996"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000f4b318e6591ab55cc9cb7d5550175d64e7ddc22bafcec6bdb7c7d48c94b83775000000000e8000000002000020000000adfb09206a5691da1ec4a8039812470548c1e91910520ea28cfdba31be0d4976200000004093370e8d8d6e9383086491e14f4abcaf1d58066d67196229bdf88813bbfc3640000000ec0020502c4866b7d976b730517b6195a843d525fd3aa6f704d7048d46e52ac59d91f6e9c0c5f67ee595e6ed9cee2a86ed0843f89ad6044bd339ffe0c3dda89a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3502474685"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31000996"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\superwebbysearch.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2021befea409d901	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
1420	acrotray.exe
1420	acrotray.exe
1420	acrotray.exe
1420	acrotray.exe
5116	acrotray.exe
5116	acrotray.exe
5116	acrotray.exe
5116	acrotray.exe
1420	acrotray.exe
1420	acrotray.exe
5000	acrotray .exe
5000	acrotray .exe
5000	acrotray .exe
5000	acrotray .exe
5000	acrotray .exe
5000	acrotray .exe
5080	acrotray .exe
5080	acrotray .exe
5080	acrotray .exe
5080	acrotray .exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
5116	acrotray.exe
5116	acrotray.exe
5080	acrotray .exe
5080	acrotray .exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
5116	acrotray.exe
5116	acrotray.exe
5080	acrotray .exe
5080	acrotray .exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
5116	acrotray.exe
5116	acrotray.exe
5080	acrotray .exe
5080	acrotray .exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
5116	acrotray.exe
5116	acrotray.exe
5080	acrotray .exe
5080	acrotray .exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
5116	acrotray.exe
5116	acrotray.exe
5080	acrotray .exe
5080	acrotray .exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
5116	acrotray.exe
5116	acrotray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
Token: SeDebugPrivilege	668	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
Token: SeDebugPrivilege	1420	acrotray.exe
Token: SeDebugPrivilege	5116	acrotray.exe
Token: SeDebugPrivilege	5000	acrotray .exe
Token: SeDebugPrivilege	5080	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5032	iexplore.exe
5032	iexplore.exe
5032	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5032	iexplore.exe
5032	iexplore.exe
3672	IEXPLORE.EXE
3672	IEXPLORE.EXE
5032	iexplore.exe
5032	iexplore.exe
3964	IEXPLORE.EXE
3964	IEXPLORE.EXE
5032	iexplore.exe
5032	iexplore.exe
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 668	3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe	81
PID 3224 wrote to memory of 668	3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe	81
PID 3224 wrote to memory of 668	3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe	81
PID 3224 wrote to memory of 1420	3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe	82
PID 3224 wrote to memory of 1420	3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe	82
PID 3224 wrote to memory of 1420	3224	ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe	82
PID 1420 wrote to memory of 5116	1420	acrotray.exe	85
PID 1420 wrote to memory of 5116	1420	acrotray.exe	85
PID 1420 wrote to memory of 5116	1420	acrotray.exe	85
PID 1420 wrote to memory of 5000	1420	acrotray.exe	87
PID 1420 wrote to memory of 5000	1420	acrotray.exe	87
PID 1420 wrote to memory of 5000	1420	acrotray.exe	87
PID 5032 wrote to memory of 3672	5032	iexplore.exe	88
PID 5032 wrote to memory of 3672	5032	iexplore.exe	88
PID 5032 wrote to memory of 3672	5032	iexplore.exe	88
PID 5000 wrote to memory of 5080	5000	acrotray .exe	90
PID 5000 wrote to memory of 5080	5000	acrotray .exe	90
PID 5000 wrote to memory of 5080	5000	acrotray .exe	90
PID 5032 wrote to memory of 3964	5032	iexplore.exe	93
PID 5032 wrote to memory of 3964	5032	iexplore.exe	93
PID 5032 wrote to memory of 3964	5032	iexplore.exe	93
PID 5032 wrote to memory of 2272	5032	iexplore.exe	102
PID 5032 wrote to memory of 2272	5032	iexplore.exe	102
PID 5032 wrote to memory of 2272	5032	iexplore.exe	102

C:\Users\Admin\AppData\Local\Temp\ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
"C:\Users\Admin\AppData\Local\Temp\ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe
  "C:\Users\Admin\AppData\Local\Temp\ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe" C:\Users\Admin\AppData\Local\Temp\ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\ac72ba9b9f9e7c32dacc9aab2c6f651163acbf6013aabd2691e28553d2e08aee.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5080

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3672
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:82952 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3964
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5032 CREDAT:17418 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
917KB

MD5
3f3f320ae6cd151a58e13f5ac3b043ea

SHA1
d7aec47074f0eabbb0ca847e2288ef7aa077771a

SHA256
cd577b0e5376263737fea9bfc17aa26c19152a5bbb3a8e7b3aef207a53088267

SHA512
b836c65d12a347e4225f105c3562e6c1c5fbd334306188c36ab0aeeebbc5baa03e5697415cac3bfa209fafc215be6cf50b4624ad2b403e0e8fbe1b7cb6dbe09a

Download Submit
C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
917KB

MD5
3f3f320ae6cd151a58e13f5ac3b043ea

SHA1
d7aec47074f0eabbb0ca847e2288ef7aa077771a

SHA256
cd577b0e5376263737fea9bfc17aa26c19152a5bbb3a8e7b3aef207a53088267

SHA512
b836c65d12a347e4225f105c3562e6c1c5fbd334306188c36ab0aeeebbc5baa03e5697415cac3bfa209fafc215be6cf50b4624ad2b403e0e8fbe1b7cb6dbe09a

Download Submit
C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
917KB

MD5
3f3f320ae6cd151a58e13f5ac3b043ea

SHA1
d7aec47074f0eabbb0ca847e2288ef7aa077771a

SHA256
cd577b0e5376263737fea9bfc17aa26c19152a5bbb3a8e7b3aef207a53088267

SHA512
b836c65d12a347e4225f105c3562e6c1c5fbd334306188c36ab0aeeebbc5baa03e5697415cac3bfa209fafc215be6cf50b4624ad2b403e0e8fbe1b7cb6dbe09a

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
923KB

MD5
17facfd4bc4c413baa8bc9a07c30452d

SHA1
80386de25cadf0c03e936eb07fbfa52db0000fbc

SHA256
3ea79e47eeb88a46ead505793a1b3da97db1c4bff0daab809025bee8c8161d13

SHA512
29a9978a2aec31c63da2675c86d289c25976dfd70c1c344bc8617bf88048e10f2cff1db4b6e415d3e95ca9f40a7ad2f808d53c1da7996886854863bf26dcd139

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
923KB

MD5
17facfd4bc4c413baa8bc9a07c30452d

SHA1
80386de25cadf0c03e936eb07fbfa52db0000fbc

SHA256
3ea79e47eeb88a46ead505793a1b3da97db1c4bff0daab809025bee8c8161d13

SHA512
29a9978a2aec31c63da2675c86d289c25976dfd70c1c344bc8617bf88048e10f2cff1db4b6e415d3e95ca9f40a7ad2f808d53c1da7996886854863bf26dcd139

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
923KB

MD5
17facfd4bc4c413baa8bc9a07c30452d

SHA1
80386de25cadf0c03e936eb07fbfa52db0000fbc

SHA256
3ea79e47eeb88a46ead505793a1b3da97db1c4bff0daab809025bee8c8161d13

SHA512
29a9978a2aec31c63da2675c86d289c25976dfd70c1c344bc8617bf88048e10f2cff1db4b6e415d3e95ca9f40a7ad2f808d53c1da7996886854863bf26dcd139

Download Submit
memory/3224-132-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download