Overview

overview

10

Static

static

1

Adobe Acro...ix.exe

windows7-x64

10

Adobe Acro...ix.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    16-02-2023 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Adobe Acrobat DC OCR Fix.exe

  • Size

    109.7MB

  • MD5

    36e21b27644c07b5e815c9eb2a819e6e

  • SHA1

    e51a64704ca5862af9fb1c61f73bf9cb55dfaee4

  • SHA256

    d79fa6a863bb63a7df878d66fcdbd17a31bd69f6d05190f9ffa7b0fb38b2799d

  • SHA512

    cbc043aebf7ac712eb4f5da908d2e00eb67df4759f313329bea4276a5b092e5a40ce01989ded11427f7318883e0f9d34de371d9b206b21e5c3ed36ef5b89066d

  • SSDEEP

    3145728:G4HZnnw/hW6RbeNV9Y1tncbdm+fxd57f/W:dZnw/MKu/Y1BcJ9xdZHW

Score
10/10
purecrypterredlinetpbdownloaderinfostealerloaderspyware

Malware Config

Extracted

Family

redline

Botnet

TPB

C2

amrican-sport-live-stream.cc:4581

Attributes
  • auth_value

    9af3f668d2aa93965a3f83753e8ccb3f

Signatures

  • Detect PureCrypter injector 1 IoCs
    loader
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 36 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC OCR Fix.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC OCR Fix.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix 1.0.0\install\Adobe Acrobat DC OCR Fix.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC OCR Fix.exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1676504215 "
      2⤵
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:1816
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E9D09FAD8C0EDBDC1C008524F56F6D5E C
      2⤵
      • Loads dropped DLL
      PID:1764
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5129D93CF157156EB227C1F4B676B171
      2⤵
      • Loads dropped DLL
      PID:1884
    • C:\Users\Admin\AppData\Roaming\WindowsActiveServices\PatchFix.exe
      "C:\Users\Admin\AppData\Roaming\WindowsActiveServices\PatchFix.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe
          "C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1224
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:580
    • C:\Windows\Installer\MSI1D39.tmp
      "C:\Windows\Installer\MSI1D39.tmp" "C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:380
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A4" "000000000000049C"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:576
    • C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe
      "C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      PID:1752
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:672
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x1ac
        1⤵
          PID:1100

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe
          Filesize

          78.9MB

          MD5

          c79bd426892455c5940558ed35d1c31d

          SHA1

          c20cc903f5448ed529fdc432f76f292bb129da3f

          SHA256

          80b49468a65d7d697a82dfd8c1666c030b98b86d9b1ffe6e686dd44e2cb526ef

          SHA512

          281adf9b580a75be96d01da9944d8984154ab5a3ce270173ce2ba4daec427374787f80e333a745d942c5eb8a0ae9d7682e36ab83558ac996bc178b82ee68321d

          Download Submit

        • C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe
          Filesize

          78.9MB

          MD5

          c79bd426892455c5940558ed35d1c31d

          SHA1

          c20cc903f5448ed529fdc432f76f292bb129da3f

          SHA256

          80b49468a65d7d697a82dfd8c1666c030b98b86d9b1ffe6e686dd44e2cb526ef

          SHA512

          281adf9b580a75be96d01da9944d8984154ab5a3ce270173ce2ba4daec427374787f80e333a745d942c5eb8a0ae9d7682e36ab83558ac996bc178b82ee68321d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MSI677B.tmp
          Filesize

          378KB

          MD5

          0981d5c068a9c33f4e8110f81ffbb92e

          SHA1

          badb871adf6f24aba6923b9b21b211cea2aeca77

          SHA256

          b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

          SHA512

          59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix 1.0.0\install\Adobe Acrobat DC OCR Fix.msi
          Filesize

          1.5MB

          MD5

          ad90c85e5ffeb58971681af0b8f957e7

          SHA1

          5da0606d3bfee71dd6b715bdb5bb6f01390309f2

          SHA256

          61230bdd7f8e5b5bb1238a4769c313195034e62041b39a35efec046a4911002e

          SHA512

          efbc9e56424740297f80a2ffa285736bf37c65b1d8397afa8b6c294558a313e3a706de4448067e67bac12ebb30e19b2b0fbc60ea22868cdd278b43bdade915f4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix 1.0.0\install\Adobe Acrobat DC OCR Fix1.cab
          Filesize

          106.1MB

          MD5

          37e49cb56995f022efb42b4257c06226

          SHA1

          db8c5e5cddea5d176f6d3449c3efb9682f7929ec

          SHA256

          4393dd38e12e603822f948f3372e33231657170459470ab5a1eccd74b6ff8e0d

          SHA512

          4f3847ad181597408e07c71b194a53a47911565e2ba50867ca4157ff00b74ec0dcc90b2b4a01956ed18420fc4513b310925ca601a7bd4906b4c023ee74198f49

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WindowsActiveServices\PatchFix.exe
          Filesize

          410KB

          MD5

          49fe4d0ff69682f4ed74f16cf6257cc6

          SHA1

          9b9780a98637bfd2938fde3a4e22c3d20602acb4

          SHA256

          0a7dfe1887ddf815a120858594159c63ae7b218690c94ce30c32752c74398bb8

          SHA512

          840b33b5e1d1277892b6b5cfb31aa6972a0d4518c3fa61ebd74678f5593d7a9de7c99fe3ac9d6df259bf532bd354620bd889290c826d058376824063b76b0bc1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WindowsActiveServices\PatchFix.exe
          Filesize

          410KB

          MD5

          49fe4d0ff69682f4ed74f16cf6257cc6

          SHA1

          9b9780a98637bfd2938fde3a4e22c3d20602acb4

          SHA256

          0a7dfe1887ddf815a120858594159c63ae7b218690c94ce30c32752c74398bb8

          SHA512

          840b33b5e1d1277892b6b5cfb31aa6972a0d4518c3fa61ebd74678f5593d7a9de7c99fe3ac9d6df259bf532bd354620bd889290c826d058376824063b76b0bc1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe
          Filesize

          1.2MB

          MD5

          b27e75867100b7f34b35cf147b7ce92e

          SHA1

          e1b51e321d8a5595cc0382198a6ab34c98924194

          SHA256

          7304e4710381b20058acc561ff7a36df7e2ce614e8d8e045452bbfaec9f1ab6e

          SHA512

          b71ba509772548d94d7a31685527f454ffc12380fa1537ef133140ece9f67d9070d21497b5694adbe405c528bb83266409053f754a437cde9caf361797318773

          Download Submit

        • C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe
          Filesize

          1.2MB

          MD5

          b27e75867100b7f34b35cf147b7ce92e

          SHA1

          e1b51e321d8a5595cc0382198a6ab34c98924194

          SHA256

          7304e4710381b20058acc561ff7a36df7e2ce614e8d8e045452bbfaec9f1ab6e

          SHA512

          b71ba509772548d94d7a31685527f454ffc12380fa1537ef133140ece9f67d9070d21497b5694adbe405c528bb83266409053f754a437cde9caf361797318773

          Download Submit

        • C:\Windows\Installer\MSI1D39.tmp
          Filesize

          381KB

          MD5

          88a4962643af83785b80ea15fe74e860

          SHA1

          d061c3d6cc1286626f76443591594580bac7c0c6

          SHA256

          c8e5d349d9f6f3b5f20e5d5a0c5315c882d2afcedb21abe66cff00c1a57fd91e

          SHA512

          015de66204dfff71f284ec0df58107e6a6ec20326cd75183a8aa49d7095184b85f78503a3a16e86d999b4720e0c2380d661395416b4be2e6346fc8488065a9c8

          Download Submit

        • C:\Windows\Installer\MSIF393.tmp
          Filesize

          378KB

          MD5

          0981d5c068a9c33f4e8110f81ffbb92e

          SHA1

          badb871adf6f24aba6923b9b21b211cea2aeca77

          SHA256

          b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

          SHA512

          59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

          Download Submit

        • C:\Windows\Installer\MSIF4FB.tmp
          Filesize

          378KB

          MD5

          0981d5c068a9c33f4e8110f81ffbb92e

          SHA1

          badb871adf6f24aba6923b9b21b211cea2aeca77

          SHA256

          b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

          SHA512

          59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

          Download Submit

        • C:\Windows\Installer\MSIF894.tmp
          Filesize

          378KB

          MD5

          0981d5c068a9c33f4e8110f81ffbb92e

          SHA1

          badb871adf6f24aba6923b9b21b211cea2aeca77

          SHA256

          b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

          SHA512

          59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

          Download Submit

        • C:\Windows\Installer\MSIFF88.tmp
          Filesize

          567KB

          MD5

          5f1b243813a203c66ba735139d8ce0c7

          SHA1

          c60a57668d348a61e4e2f12115afb9f9024162ba

          SHA256

          52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

          SHA512

          083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

          Download Submit

        • \Users\Admin\AppData\Local\Temp\MSI677B.tmp
          Filesize

          378KB

          MD5

          0981d5c068a9c33f4e8110f81ffbb92e

          SHA1

          badb871adf6f24aba6923b9b21b211cea2aeca77

          SHA256

          b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

          SHA512

          59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

          Download Submit

        • \Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe
          Filesize

          1.2MB

          MD5

          b27e75867100b7f34b35cf147b7ce92e

          SHA1

          e1b51e321d8a5595cc0382198a6ab34c98924194

          SHA256

          7304e4710381b20058acc561ff7a36df7e2ce614e8d8e045452bbfaec9f1ab6e

          SHA512

          b71ba509772548d94d7a31685527f454ffc12380fa1537ef133140ece9f67d9070d21497b5694adbe405c528bb83266409053f754a437cde9caf361797318773

          Download Submit

        • \Windows\Installer\MSIF393.tmp
          Filesize

          378KB

          MD5

          0981d5c068a9c33f4e8110f81ffbb92e

          SHA1

          badb871adf6f24aba6923b9b21b211cea2aeca77

          SHA256

          b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

          SHA512

          59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

          Download Submit

        • \Windows\Installer\MSIF4FB.tmp
          Filesize

          378KB

          MD5

          0981d5c068a9c33f4e8110f81ffbb92e

          SHA1

          badb871adf6f24aba6923b9b21b211cea2aeca77

          SHA256

          b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

          SHA512

          59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

          Download Submit

        • \Windows\Installer\MSIF894.tmp
          Filesize

          378KB

          MD5

          0981d5c068a9c33f4e8110f81ffbb92e

          SHA1

          badb871adf6f24aba6923b9b21b211cea2aeca77

          SHA256

          b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

          SHA512

          59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

          Download Submit

        • \Windows\Installer\MSIFF88.tmp
          Filesize

          567KB

          MD5

          5f1b243813a203c66ba735139d8ce0c7

          SHA1

          c60a57668d348a61e4e2f12115afb9f9024162ba

          SHA256

          52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

          SHA512

          083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

          Download Submit

        • memory/580-117-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/580-111-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/580-122-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/580-116-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/580-114-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/580-112-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/580-120-0x0000000000400000-0x000000000045A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/580-123-0x0000000000340000-0x0000000000346000-memory.dmp

          Filesize

          24KB

          Download

        • memory/888-56-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1224-109-0x0000000004D00000-0x0000000004F70000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/1224-108-0x0000000000F00000-0x0000000001042000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1224-110-0x0000000004BF0000-0x0000000004C50000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1460-55-0x0000000074521000-0x0000000074523000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1460-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1700-82-0x0000000000A40000-0x0000000000A8C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1700-78-0x0000000001210000-0x000000000127C000-memory.dmp

          Filesize

          432KB

          Download

        • memory/1700-80-0x0000000000B70000-0x0000000000BD8000-memory.dmp

          Filesize

          416KB

          Download

        • memory/1700-81-0x0000000000550000-0x000000000057C000-memory.dmp

          Filesize

          176KB

          Download

        • memory/1968-92-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1968-83-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1968-89-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1968-88-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1968-94-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1968-86-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1968-84-0x0000000000400000-0x0000000000408000-memory.dmp

          Filesize

          32KB

          Download