Analysis
max time kernel: 91s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2023, 19:14
Static task: static1
Behavioral task: behavioral1
  Sample: AdbeRdr707_DLM_de_DE.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: AdbeRdr707_DLM_de_DE.exe
  Resource: win10v2004-20221111-en
General
Target: AdbeRdr707_DLM_de_DE.exe
Size: 521KB
MD5: b3901d9076cc75bf91c9189d07ac7198
SHA1: ac329223dc14352c85ed0e1051bab6db0080a546
SHA256: 9c27e4b5564c2da4365c36e822687659bda5918c7cff0bae167859f7dc571b83
SHA512: 2fdc4aef3ffa274323225c1288fbe63b72e7bf09c763b146237a968b68821411b96386c3bb307ef59bd6b41f097c899f26e294c7d12b77ae9bc6aac28d3cc23d
SSDEEP: 12288:lHcoZ62g+Z7t401RQbpntRFYCG7o9Sc2TAFGf/mA6:lHcu62NZAbjRFYCGNc5Gf6
Malware Config
Signatures
Executes dropped EXE (5 IoCs)
  PID 3372  adminstaller.exe
  PID 4016  AdobeDownloadManager.exe
  PID 1276  AdobeDownloadManager.exe
  PID 4644  AdbeRdr707_de_DE.exe
  PID 968   setup.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (AdbeRdr707_de_DE.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (AdbeRdr707_DLM_de_DE.exe)
Loads dropped DLL (4 IoCs)
  PID 3372  adminstaller.exe
  PID 3372  adminstaller.exe
  PID 4644  AdbeRdr707_de_DE.exe
  PID 3880  MsiExec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run (AdobeDownloadManager.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dlmMgr = "\"C:\\Program Files (x86)\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe\" restart=1" (AdobeDownloadManager.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by MSIEXEC.EXE, one IoC per drive letter (24 IoCs):
    \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  File opened (read-only) by msiexec.exe, one IoC per drive letter (24 IoCs):
    \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Program Files directory (23 IoCs)
  File created: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Rdr70.itw (AdbeRdr707_de_DE.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\Adobe\ESD\AdobeDownloadManager.exe (adminstaller.exe)
  File created: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Adobe Reader 7.0.7 - Deutsch.msi (AdbeRdr707_de_DE.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\instmsiw.exe (AdbeRdr707_de_DE.exe)
  File created: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Data1.cab (AdbeRdr707_de_DE.exe)
  File created: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\instmsiw.exe (AdbeRdr707_de_DE.exe)
  File created: C:\Program Files (x86)\Common Files\Adobe\ESD\uninst.exe (adminstaller.exe)
  File created: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\0x0407.ini (AdbeRdr707_de_DE.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Abcpy.ini (AdbeRdr707_de_DE.exe)
  File created: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Abcpy.ini (AdbeRdr707_de_DE.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Rdr70.itw (AdbeRdr707_de_DE.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\setup.exe (AdbeRdr707_de_DE.exe)
  File created: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Setup.ini (AdbeRdr707_de_DE.exe)
  File created: C:\Program Files (x86)\Common Files\Adobe\ESD\AdobeDownloadManager.exe (adminstaller.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\Adobe\ESD\DLMCleanup.exe (adminstaller.exe)
  File created: C:\Program Files (x86)\Common Files\Adobe\ESD\DLMCleanup.exe (adminstaller.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Adobe Reader 7.0.7 - Deutsch.msi (AdbeRdr707_de_DE.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Data1.cab (AdbeRdr707_de_DE.exe)
  File created: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\setup.exe (AdbeRdr707_de_DE.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Setup.ini (AdbeRdr707_de_DE.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\Adobe\ESD\install.log (adminstaller.exe)
  File created: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\f (AdbeRdr707_de_DE.exe)
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\0x0407.ini (AdbeRdr707_de_DE.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (28 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.aom\Content Type = "application/aom" (adminstaller.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\aom\DefaultIcon\ = "\"C:\\Program Files (x86)\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe\",0" (adminstaller.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\aom\EditFlags = 00000100 (adminstaller.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46E6268-684C-11D2-A06E-00C04FC2E6EB}\ = "ADM Document" (AdobeDownloadManager.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46E6268-684C-11D2-A06E-00C04FC2E6EB}\ProgID (AdobeDownloadManager.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46E6268-684C-11D2-A06E-00C04FC2E6EB}\ProgID\ = "ADM.Document" (AdobeDownloadManager.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\aom\shell\open (adminstaller.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/aom\Extension = ".aom" (adminstaller.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ADM.Document\CLSID (AdobeDownloadManager.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\aom\DefaultIcon (adminstaller.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.aom (adminstaller.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\aom\shell\open\command (adminstaller.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\aom\shell\open\command\ = "\"C:\\Program Files (x86)\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe\" \"%1\"" (adminstaller.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AOM (adminstaller.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46E6268-684C-11D2-A06E-00C04FC2E6EB}\InprocHandler32 (AdobeDownloadManager.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\aom\shell (adminstaller.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/aom (adminstaller.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46E6268-684C-11D2-A06E-00C04FC2E6EB}\LocalServer32\ = "C:\\PROGRA~2\\COMMON~1\\Adobe\\ESD\\ADOBED~1.EXE" (AdobeDownloadManager.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ADM.Document\CLSID\ = "{F46E6268-684C-11D2-A06E-00C04FC2E6EB}" (AdobeDownloadManager.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.aom\ = "AOM" (adminstaller.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46E6268-684C-11D2-A06E-00C04FC2E6EB} (AdobeDownloadManager.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46E6268-684C-11D2-A06E-00C04FC2E6EB}\LocalServer32 (AdobeDownloadManager.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\aom (adminstaller.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\aom\ = "Adobe Download Manager file" (adminstaller.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46E6268-684C-11D2-A06E-00C04FC2E6EB}\InprocHandler32\ = "ole32.dll" (AdobeDownloadManager.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ADM.Document\ = "ADM Document" (AdobeDownloadManager.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings (AdbeRdr707_DLM_de_DE.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ADM.Document (AdobeDownloadManager.exe)
Modifies system certificate store (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 (AdobeDownloadManager.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = (certificate blob not reproduced on this page) (AdobeDownloadManager.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 5012  AdbeRdr707_DLM_de_DE.exe
  PID 5012  AdbeRdr707_DLM_de_DE.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 4176  msiexec.exe: Token: SeSecurityPrivilege (1 IoC)
  PID 4656  MSIEXEC.EXE (63 IoCs), in the order recorded:
    Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following 29-privilege sequence twice in full, then the first three entries of it a third time:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1276  AdobeDownloadManager.exe
  PID 4656  MSIEXEC.EXE
Suspicious use of SendNotifyMessage (1 IoC)
  PID 1276  AdobeDownloadManager.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 4016  AdobeDownloadManager.exe
  PID 4016  AdobeDownloadManager.exe
  PID 1276  AdobeDownloadManager.exe
  PID 1276  AdobeDownloadManager.exe
Suspicious use of WriteProcessMemory (25 IoCs)
  PID 5012 AdbeRdr707_DLM_de_DE.exe wrote to memory of PID 5104 (procid_target 80), 2 entries
  PID 5012 AdbeRdr707_DLM_de_DE.exe wrote to memory of PID 3372 (procid_target 82), 3 entries
  PID 3372 adminstaller.exe wrote to memory of PID 4016 (procid_target 83), 3 entries
  PID 5012 AdbeRdr707_DLM_de_DE.exe wrote to memory of PID 1276 (procid_target 84), 3 entries
  PID 1276 AdobeDownloadManager.exe wrote to memory of PID 4644 (procid_target 94), 3 entries
  PID 4644 AdbeRdr707_de_DE.exe wrote to memory of PID 4044 (procid_target 95), 2 entries
  PID 4644 AdbeRdr707_de_DE.exe wrote to memory of PID 968 (procid_target 96), 3 entries
  PID 968 setup.exe wrote to memory of PID 4656 (procid_target 97), 3 entries
  PID 4176 msiexec.exe wrote to memory of PID 3880 (procid_target 99), 3 entries
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\AdbeRdr707_DLM_de_DE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AdbeRdr707_DLM_de_DE.exe"
  PID: 5012
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\pcaui.exe
    Command line: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {be207fd6-212f-47d5-904f-ded8f7d9739b} -a "Acrobat Reader 7" -v "Adobe" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 1 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\AdbeRdr707_DLM_de_DE.exe"
    PID: 5104

  Level 2: C:\Users\Admin\AppData\Local\Temp\adminstaller.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\adminstaller.exe
    PID: 3372
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Program Files (x86)\Common Files\Adobe\ESD\AdobeDownloadManager.exe
      Command line: "C:\Program Files (x86)\Common Files\Adobe\ESD\AdobeDownloadManager.exe" /register
      PID: 4016
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx

  Level 2: C:\Program Files (x86)\Common Files\Adobe\ESD\AdobeDownloadManager.exe
    Command line: "C:\Program Files (x86)\Common Files\Adobe\ESD\AdobeDownloadManager.exe" "C:\Users\Admin\AppData\Local\Temp\adberdr707_dlm_de_de.aom"
    PID: 1276
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\AdbeRdr707_de_DE.exe
      Command line: AdbeRdr707_de_DE.exe
      PID: 4644
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\system32\pcaui.exe
        Command line: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {be207fd6-212f-47d5-904f-ded8f7d9739b} -a "Acrobat Reader 7" -v "Adobe" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 1 -f 0 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\AdbeRdr707_de_DE.exe"
        PID: 4044

      Level 4: C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\setup.exe
        Command line: "C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\setup.exe"
        PID: 968
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\MSIEXEC.EXE
          Command line: MSIEXEC.EXE /i "C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU\Adobe Reader 7.0.7 - Deutsch.msi" SETUPEXEDIR="C:\Program Files (x86)\Adobe\Acrobat 7.0\Setup Files\RdrBig707\DEU"
          PID: 4656
          - Enumerates connected drives
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow

Level 1: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4176
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 28591F4E43697E676CA7BAB8CCDB7F72 C
    PID: 3880
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 26dd0d418f82f8ff1b538cccc6f84207
SHA1: 4ad48dd37d1137e0c37db9339a278b42c8e65476
SHA256: a824350611434ac9d38d54621e31ef616c7f148ff97dc0ef37e284f97f15853c
SHA512: b4a8435e912b1f805f9ab7bf899f4bcf92b3ee164f1bac8ed39fd4985b33459a3f3003e420c940c577dbf2aeabfa56ba59f6e0af581665741ab8201cbc760652

Filesize: 4KB
MD5: 1e03bb8f12327ed2d8f06325ec70a882
SHA1: d5048d3f827d5b815e992e8caefb7e31ac84e6e3
SHA256: c6c2229ce013ee222175b4d9a8a61ce7642a2abf3c0b40cd2a7703a401ec4484
SHA512: d70bc42c9a73ecb7feea0be74d4a16692fc8601fa94cc7b8105794d408c5a44c2913d1aa9ed101c0c05e5a8e1daf88824e073a014a34413be79b9526216c3f1e

Filesize: 2.9MB
MD5: 4ca86c16548d8d5c5336c8b23666d6ed
SHA1: b9a8c80373614cf48492c32564ab6ca41dbabf1d
SHA256: 9db69e9439e7dbbd0a2ef8d71cd4b97809074ea7cbe7019360cb05c38d2f58b9
SHA512: 34314e22ecb76ea4e510e39d1794dfdfe7f5cf380d99fd2adfdd7946bd0e73657ed29ae92b8c5bc7cef07c286a76e990932fc2981c1accbd23049cb0f10ce1c4

Filesize: 1KB
MD5: 5520fa172e06f878fd44eda861a75175
SHA1: 86fead7ab19e1bf9a1deda048e57783e7a6a7dc2
SHA256: 1108940c29720ddd489f76d190f014da9584118cc75ff2e33365554036a7513a
SHA512: f7b5b459267cdb7d27749efac0156e864eaee8d40d9ebb013988bbec7bfd45d88deaca9100d3ca9eb20a2446c0333ef2e33fe27811b0538111c4bcbbd1f303e9

Filesize: 220KB
MD5: 9a45973b283bea24eabcec0def8e2644
SHA1: c6f5042b88ad4b04c3ef07400b804d03f6c04771
SHA256: bde0a2cb49baaaf9b18396a472914ac1f104918781b163c3003f1f86ca912e01
SHA512: 7e86a2e88a41a75e2f183e0a1313da74a7afaaf8b8300e9b5eb3fdf809553d1468699eb148afcce96001764829b3d4b5b5579d28382c7938d1589a4b19857327

Filesize: 220KB
MD5: 9a45973b283bea24eabcec0def8e2644
SHA1: c6f5042b88ad4b04c3ef07400b804d03f6c04771
SHA256: bde0a2cb49baaaf9b18396a472914ac1f104918781b163c3003f1f86ca912e01
SHA512: 7e86a2e88a41a75e2f183e0a1313da74a7afaaf8b8300e9b5eb3fdf809553d1468699eb148afcce96001764829b3d4b5b5579d28382c7938d1589a4b19857327

Filesize: 404KB
MD5: 67243cad38d2b3a3194358a60b06504e
SHA1: 582c38e219e049cf8f1095d03edf99962b7a42ed
SHA256: 9584835292fb2d6eb7b648f8b419fd5ca10b52b08c657d6a440070e6afc6fc14
SHA512: 7ccedd9aef43a95f64f2ff0581040c44610674a68aa7489c25472a930e51e356ff3c39501ef13666967dcb1b4062dba4d677ae0af1cf87b6dba2a552e7fb60f7

Filesize: 404KB
MD5: 67243cad38d2b3a3194358a60b06504e
SHA1: 582c38e219e049cf8f1095d03edf99962b7a42ed
SHA256: 9584835292fb2d6eb7b648f8b419fd5ca10b52b08c657d6a440070e6afc6fc14
SHA512: 7ccedd9aef43a95f64f2ff0581040c44610674a68aa7489c25472a930e51e356ff3c39501ef13666967dcb1b4062dba4d677ae0af1cf87b6dba2a552e7fb60f7

Filesize: 404KB
MD5: 67243cad38d2b3a3194358a60b06504e
SHA1: 582c38e219e049cf8f1095d03edf99962b7a42ed
SHA256: 9584835292fb2d6eb7b648f8b419fd5ca10b52b08c657d6a440070e6afc6fc14
SHA512: 7ccedd9aef43a95f64f2ff0581040c44610674a68aa7489c25472a930e51e356ff3c39501ef13666967dcb1b4062dba4d677ae0af1cf87b6dba2a552e7fb60f7

Filesize: 474KB
MD5: f909a3b60e8da177c3469cec07b46e49
SHA1: b1b5cf5bdaea088e507b8e8eb7aa667eab68ce74
SHA256: b0482a15f16ab9a32ce4ba6b3f5b1cdf848bd3c1ccd116af902fae983f51c412
SHA512: f93a115e927be80cf2e16dc6198f2990053d3668ef121e67675104ab61773b6f3b0901d8c592686cf4848e2893209d3068e959ab2e1c39ac2cb293ea3265c31c

Filesize: 22.7MB
MD5: a65d3c8d633ac44d453f8fd95da9f018
SHA1: 4b09956cb8567cb03e9ed6a2b273c33e442349f0
SHA256: 89bcb3dd1d8c0de3bec864a4a51b1a284a426e537060d063c45e2e20616c90c9
SHA512: b041e1543ef9bbbc4081a6a83aa9cb28f6a8b72f69ede56ea8306758f6e893adba4768a3f1990c7654fb2459e695c6ea32a64fd46961878c7bad857847d754cc

Filesize: 22.7MB
MD5: a65d3c8d633ac44d453f8fd95da9f018
SHA1: 4b09956cb8567cb03e9ed6a2b273c33e442349f0
SHA256: 89bcb3dd1d8c0de3bec864a4a51b1a284a426e537060d063c45e2e20616c90c9
SHA512: b041e1543ef9bbbc4081a6a83aa9cb28f6a8b72f69ede56ea8306758f6e893adba4768a3f1990c7654fb2459e695c6ea32a64fd46961878c7bad857847d754cc

Filesize: 32KB
MD5: d323a3ebb3bce01f663e70c4c16c30da
SHA1: 8b78b76f5acaceeb30b0621ed1111d96e55f2426
SHA256: d37a7755b215e915991963165da0e8afb80d78e39b3f7853de856ac52810a3be
SHA512: f67f7d4d9a3f9f7b5b2bd76d6c59e2f0ee70e4d096d02f4ca6377637958030ce9dadef80551e7df90822775f733f14d10686b3db8841c33d0a24518302a2ad8d

Filesize: 32KB
MD5: d323a3ebb3bce01f663e70c4c16c30da
SHA1: 8b78b76f5acaceeb30b0621ed1111d96e55f2426
SHA256: d37a7755b215e915991963165da0e8afb80d78e39b3f7853de856ac52810a3be
SHA512: f67f7d4d9a3f9f7b5b2bd76d6c59e2f0ee70e4d096d02f4ca6377637958030ce9dadef80551e7df90822775f733f14d10686b3db8841c33d0a24518302a2ad8d

Filesize: 408B
MD5: 66d32c23b104e8e3b98dc974fe9a4223
SHA1: 7fe44e5646d40c11c593c4672eee7e90cd146f2f
SHA256: 195e85e1fb41a9fb0fb06f06f745f684fdebc7073f3062a86585efff304e168f
SHA512: dc0145ee57899fea61322811d15db00a4c68b1d23ab1f111f6cc9ad8b425684cf461b637956c63c051a30e3c78d20b31036a20c0b8e89826a5ddd5bbbd9449f3

Filesize: 474KB
MD5: f909a3b60e8da177c3469cec07b46e49
SHA1: b1b5cf5bdaea088e507b8e8eb7aa667eab68ce74
SHA256: b0482a15f16ab9a32ce4ba6b3f5b1cdf848bd3c1ccd116af902fae983f51c412
SHA512: f93a115e927be80cf2e16dc6198f2990053d3668ef121e67675104ab61773b6f3b0901d8c592686cf4848e2893209d3068e959ab2e1c39ac2cb293ea3265c31c

Filesize: 31KB
MD5: 93917e4b9de96d996195b47f9f15c1fc
SHA1: 90f5da2bfa95d4f0b96b45da44fffd1b4f10b1c7
SHA256: 07307c23b5d78b4cc4f4689ffa8b8fa955f1bc2afa264947bbdf982a3c0f8003
SHA512: 4517e2ab2ba35f133b06b53216cdc2c63c18aeabb0831c46f92c2e56fdba5ad4a61d8f5dc71a952b35bdab0ff7f334e24bdaec7591ce1ae174670827d7809ad4

Filesize: 31KB
MD5: 93917e4b9de96d996195b47f9f15c1fc
SHA1: 90f5da2bfa95d4f0b96b45da44fffd1b4f10b1c7
SHA256: 07307c23b5d78b4cc4f4689ffa8b8fa955f1bc2afa264947bbdf982a3c0f8003
SHA512: 4517e2ab2ba35f133b06b53216cdc2c63c18aeabb0831c46f92c2e56fdba5ad4a61d8f5dc71a952b35bdab0ff7f334e24bdaec7591ce1ae174670827d7809ad4

Filesize: 326B
MD5: 232d076bc9e9a89b3188c15a2d8f69a9
SHA1: 976d4f0d5ca212da074174db6081487215707e43
SHA256: 91e117c43a8e1972eaafaabbb6ee0893aee85bc840268132c74bb7e802fb33f9
SHA512: 262cf32e8b4e7b36fae63f940e0876f7da14fee1e664fd14c7480d3d83493097331d85b2774bea9a2298b1d7b8afd99947fe9c506931d69852cfe501e5f8b25a

Filesize: 134B
MD5: eed011a485db85a3fa558b37c39b2e0c
SHA1: fbd186a5dce2becfd019c5d0156a9791914a0ac4
SHA256: 53538221edb4935494de70a3e954b14c9325607e1276bd3b6115148f2068392a
SHA512: 55c4b453080f7021f4740b6a4a894e0cb49f33f332a41b02e842ade64809760935213a8232857efb33b76a651d304b8cfd09d6568e432f24c75f6e068b0b9030

Filesize: 44KB
MD5: 71ffc4fd7b9683d2f9bcc9861f695d3e
SHA1: fbfc092bb2d4af5b128e1c2f323f51d7a60d6f91
SHA256: e3849ca001350de57b64ca8fbd1891fafaf039bc2c761a3bc65814ba8afc8102
SHA512: a877c074ce68ebe153f42204b38cafd38c1905a9708a3b1bf9c588f6d030695a2e661e9edc00e521e5b17ccb5d75c55d4235912a0d93c6fd02a7ef88cefe93db