ardamax | a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325

Analysis

max time kernel
179s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68288c29d8546aadc301eda4436def32.exe
Size

2.4MB
MD5

68288c29d8546aadc301eda4436def32
SHA1

b2f25aa72549ab250213e20850aa3e5beab1928f
SHA256

a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
SHA512

d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
SSDEEP

49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p

Score

10^/10

ardamax darkcomet discovery evasion keylogger persistence rat stealer trojan

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023246-58.dat	family_ardamax
behavioral2/files/0x0006000000023246-57.dat	family_ardamax
behavioral2/files/0x0006000000023246-55.dat	family_ardamax

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	HKCMB.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	HKCMB.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1836	attrib.exe
1464	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	68288c29d8546aadc301eda4436def32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	HKCMB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	INSTALL.EXE

Executes dropped EXE 5 IoCs

pid	Process
332	Transaction mangement.exe
4872	HKCMB.exe
1796	INSTALL.EXE
2952	FQO.exe
888	msdcsc.exe

Loads dropped DLL 3 IoCs

pid	Process
2952	FQO.exe
404	AcroRd32.exe
404	AcroRd32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	HKCMB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FQO Start = "C:\\Windows\\SysWOW64\\JHPMIJ\\FQO.exe"	FQO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.004	INSTALL.EXE
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.001	INSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	HKCMB.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	HKCMB.exe
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.002	INSTALL.EXE
File created	C:\Windows\SysWOW64\JHPMIJ\AKV.exe	INSTALL.EXE
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.exe	INSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\JHPMIJ\	FQO.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	HKCMB.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 332 set thread context of 4872	332	Transaction mangement.exe	94

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe	Transaction mangement.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe	Transaction mangement.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	68288c29d8546aadc301eda4436def32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	HKCMB.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4872	HKCMB.exe
Token: SeSecurityPrivilege	4872	HKCMB.exe
Token: SeTakeOwnershipPrivilege	4872	HKCMB.exe
Token: SeLoadDriverPrivilege	4872	HKCMB.exe
Token: SeSystemProfilePrivilege	4872	HKCMB.exe
Token: SeSystemtimePrivilege	4872	HKCMB.exe
Token: SeProfSingleProcessPrivilege	4872	HKCMB.exe
Token: SeIncBasePriorityPrivilege	4872	HKCMB.exe
Token: SeCreatePagefilePrivilege	4872	HKCMB.exe
Token: SeBackupPrivilege	4872	HKCMB.exe
Token: SeRestorePrivilege	4872	HKCMB.exe
Token: SeShutdownPrivilege	4872	HKCMB.exe
Token: SeDebugPrivilege	4872	HKCMB.exe
Token: SeSystemEnvironmentPrivilege	4872	HKCMB.exe
Token: SeChangeNotifyPrivilege	4872	HKCMB.exe
Token: SeRemoteShutdownPrivilege	4872	HKCMB.exe
Token: SeUndockPrivilege	4872	HKCMB.exe
Token: SeManageVolumePrivilege	4872	HKCMB.exe
Token: SeImpersonatePrivilege	4872	HKCMB.exe
Token: SeCreateGlobalPrivilege	4872	HKCMB.exe
Token: 33	4872	HKCMB.exe
Token: 34	4872	HKCMB.exe
Token: 35	4872	HKCMB.exe
Token: 36	4872	HKCMB.exe
Token: 33	2952	FQO.exe
Token: SeIncBasePriorityPrivilege	2952	FQO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
404	AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
404	AcroRd32.exe
2952	FQO.exe
2952	FQO.exe
2952	FQO.exe
2952	FQO.exe
404	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 332	1632	68288c29d8546aadc301eda4436def32.exe	92
PID 1632 wrote to memory of 332	1632	68288c29d8546aadc301eda4436def32.exe	92
PID 1632 wrote to memory of 332	1632	68288c29d8546aadc301eda4436def32.exe	92
PID 1632 wrote to memory of 404	1632	68288c29d8546aadc301eda4436def32.exe	93
PID 1632 wrote to memory of 404	1632	68288c29d8546aadc301eda4436def32.exe	93
PID 1632 wrote to memory of 404	1632	68288c29d8546aadc301eda4436def32.exe	93
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 332 wrote to memory of 4872	332	Transaction mangement.exe	94
PID 4872 wrote to memory of 3292	4872	HKCMB.exe	95
PID 4872 wrote to memory of 3292	4872	HKCMB.exe	95
PID 4872 wrote to memory of 3292	4872	HKCMB.exe	95
PID 4872 wrote to memory of 1168	4872	HKCMB.exe	102
PID 4872 wrote to memory of 1168	4872	HKCMB.exe	102
PID 4872 wrote to memory of 1168	4872	HKCMB.exe	102
PID 4872 wrote to memory of 1796	4872	HKCMB.exe	100
PID 4872 wrote to memory of 1796	4872	HKCMB.exe	100
PID 4872 wrote to memory of 1796	4872	HKCMB.exe	100
PID 3292 wrote to memory of 1464	3292	cmd.exe	99
PID 3292 wrote to memory of 1464	3292	cmd.exe	99
PID 3292 wrote to memory of 1464	3292	cmd.exe	99
PID 1168 wrote to memory of 1836	1168	cmd.exe	97
PID 1168 wrote to memory of 1836	1168	cmd.exe	97
PID 1168 wrote to memory of 1836	1168	cmd.exe	97
PID 1796 wrote to memory of 2952	1796	INSTALL.EXE	98
PID 1796 wrote to memory of 2952	1796	INSTALL.EXE	98
PID 1796 wrote to memory of 2952	1796	INSTALL.EXE	98
PID 404 wrote to memory of 1428	404	AcroRd32.exe	104
PID 404 wrote to memory of 1428	404	AcroRd32.exe	104
PID 404 wrote to memory of 1428	404	AcroRd32.exe	104
PID 4872 wrote to memory of 888	4872	HKCMB.exe	105
PID 4872 wrote to memory of 888	4872	HKCMB.exe	105
PID 4872 wrote to memory of 888	4872	HKCMB.exe	105
PID 404 wrote to memory of 4736	404	AcroRd32.exe	108
PID 404 wrote to memory of 4736	404	AcroRd32.exe	108
PID 404 wrote to memory of 4736	404	AcroRd32.exe	108
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111
PID 1428 wrote to memory of 4312	1428	RdrCEF.exe	111

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1836	attrib.exe
1464	attrib.exe

C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe
"C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
  "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
      "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1168
  - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      PID:888
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7969FB439DB80262E289A0B1D2F57299 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4312
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F0EFBFDCFC2696AEBD8DDA44469BEF20 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F0EFBFDCFC2696AEBD8DDA44469BEF20 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1760
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9B50D4F1718253449DE8CA522ACE72C6 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4280
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4429CA06F88B2DF5ACB036BB7605B6B9 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1288
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=75AB78ABA72D58CFECDFBBE810A6059D --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3440
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=404C35A5D705B0418D58DE99CCE7995F --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=404C35A5D705B0418D58DE99CCE7995F --renderer-client-id=7 --mojo-platform-channel-handle=1876 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3996
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4736

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
1⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1836

C:\Windows\SysWOW64\JHPMIJ\FQO.exe
"C:\Windows\system32\JHPMIJ\FQO.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE

Filesize
160KB

MD5
802e96dbe4e6315628605663e6582595

SHA1
a300299de4a28a55d3d6b57c09154879bd175ca0

SHA256
6f22ca0fc2172f8a98b04d711679da6c3c19645900dc818844f1c323408eb2b2

SHA512
6bdcfa9a0d83433b2fe4b53e86d9b6e377ce7d5f84bf42da08a9ad5b4984bc1c2f218ec1e24b34ddce1f8b92fc09daa53227bb0f97224bce6ead3fd687b5732b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE

Filesize
266KB

MD5
6bd7c8c36687fa6e64e44a8e77154978

SHA1
5543f5f7dcac043f4bfd3096f0f7a5337beba430

SHA256
606d27d23966b9a800700aa04207c18b98bc4f7a934edc5282ceb5aac8a0d14e

SHA512
237f7fe60f2befc50ba1544649c507bf06461413c2f2cba39b329ef363b5bdd310a8e8f285db19ce0e513d99e2a4822ab3e03c431697906bcd10691586df5a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE

Filesize
245KB

MD5
c9285dbc76726a7e5f252aa8a16835b5

SHA1
5509df38576f636cd28d3174062514ed2d7a6a12

SHA256
0e770d7e7524089f442045a721452e058ebf53653976a634056272b1ffebdbac

SHA512
8ecdef85643f322948bfc4c1ca7aa6cbd37d364dee85eded1b49969415fa11fbea70f2d6a93c1548741f89371bcdaf01f32142d3cf05c2c8d2864f2e144f5b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
221KB

MD5
65068a550179e89b880311717b4e9709

SHA1
5eb8b749575a0fb7086f276fa403e572b877ab35

SHA256
15f7ac28e93bb52bd8f3759624c257736518032d97ccd26386c26fecd61dcddc

SHA512
94d893d0a972e257836517536fa677db074aba0c259e60d48d1038650a5509cd379c793df998e9a14818f3a104d9497e5a041c0cd2f2c780a1c15047716a3754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
343KB

MD5
8a410f4ef57881011c1529996849e8e9

SHA1
9db1bc18539a8343aaac59321264fc0e073f6187

SHA256
2c8ff88cccdaba0ad9fc2a863557eb94d768cb6b21229a2f3e99c13c74e60fa6

SHA512
b32222f3cd96347eeb11993920632d6c6d692a72c9968290f4031e442da59746d21f88b57523a3e3924a04b90f3d6dc0fb2cb6e73dd7b16b0fd546dd2649601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
301KB

MD5
fc0ed7f7a4a59a732a4a8c4eb95eebf3

SHA1
2af0a3c0f0a1a8c1315f66ba8793924ace1627b2

SHA256
a1c22d250e6fecdf0dcfad586d8cd59a50b8efe7af34fbf155127b384db9cd71

SHA512
32a0b7d3be6ed66db1b816955ae8e23b9256a226589563bd4a8174ccee65b33e16b14787c026bcddade0a2212a6fa6ab9a956fe6f2101038cb2635f68edca276

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf

Filesize
10KB

MD5
1a8c8fa4dcb51a539e96fab0931a5930

SHA1
601899ecfbfe0d1b0baa5c789b1483374da55153

SHA256
24c03b37c852d8947c61a7a8ee947363440e16de55093a620017f9b06dfc5a3f

SHA512
27f7c2ab830f710b1a5d42e88954760fec137c8a9b2f592b6692f715917f8ba9156143680e0e9fa477c3084d173153c53b88b5f4635634b42023dd8a2cacb1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
62B

MD5
c6abd7a109bb37ab773b9e79b91b7741

SHA1
7933b8795914b27483d2afed35b3830e8bf5bdb6

SHA256
8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629

SHA512
35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe

Filesize
323KB

MD5
86700229d7e660924220e7713ea46af0

SHA1
e78a763ca9ccd25016b9281648f28c26db018c6c

SHA256
e2124f46dd238fbf0d135d34eb9f5bce767cad6051db2feeb8a9f6a0fae60b80

SHA512
a54e5ccf9842e756e3060e433571cf9e7618217f0055ed614a7cc69e4ed444bee9cb44d500ecf32767c246e0198327866b1b8ee1dc7882613827b7f83c911cc5

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe

Filesize
19KB

MD5
6bb6cc7262b09b0f4d4efc2d4074054a

SHA1
a02642d1cab64ab948ba1e7208a915778314c3c8

SHA256
21820319c650e39a76917a354417095c7db7a4389cb63ad97dc978b67b0c3477

SHA512
d05e836e68005ff8ca7192e3a41fe6315e032942512303443efbf11009bca850ecc00f4a7236085ffb22c1d59c9a2d18da9c86055c8d577174c037bf82b3bbc6

Download Submit
C:\Windows\SysWOW64\JHPMIJ\AKV.exe

Filesize
98KB

MD5
430303411e4855a40fedabfcc29ce77a

SHA1
172b58583ed0800c8ef4a2a1ff1a295be337e450

SHA256
51d69c310094c03818844eca292ee12d9a7cae05e4168283a6f8bc5028d0da0e

SHA512
6e952750500462e8c0a2c2d59345da5c68305db458fdeffa28086553c2d477078fe3f13decfaffed7fd5061c63535a8889958e6d44e0897091eaac48243a88aa

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.001

Filesize
51KB

MD5
442d256bd0e695154b5c71a3a968c95f

SHA1
f285c69bd7fe375818a40106ce3ded75be065c5c

SHA256
f07ae5d2f6fe48a948275d852fd64927d9f6a6e04c8285f9a69e016a68156235

SHA512
89852a143a857a22586c671338a99d041b0336af418b713e3582a64ab83eba67123bfcb87d3d3eb7bc70226cd9f80a9e58ddf2a561863691842492c57ae4f4cd

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.001

Filesize
61KB

MD5
383d5f5d4240d590e7dec3f7312a4ac7

SHA1
f6bcade8d37afb80cf52a89b3e84683f4643fbce

SHA256
7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

SHA512
e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.001

Filesize
55KB

MD5
6804fb29f925fedcd964961370363c40

SHA1
f001d46d18248aa710e109a453658cda6f517738

SHA256
801bc3bf747d06ddb41e754bc3c965fa93c5160909a913eeb3b00621d875ca34

SHA512
c13e0ed84bcec366a4078401416c7441aaff2ab3a55f59898da09ba5fc15557871c649b8c6ae6d999d41ce7e0624c8d243d77e0a831f4017b7892feafd154f81

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.002

Filesize
43KB

MD5
93df156c4bd9d7341f4c4a4847616a69

SHA1
c7663b32c3c8e247bc16b51aff87b45484652dc1

SHA256
e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

SHA512
ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.004

Filesize
1KB

MD5
c419eadafd70c55f88b6235ccf3d14a0

SHA1
e04856391e275bfe54fdc6dfabdfe798f80d2afb

SHA256
76f3de81ac5a57b368786feffd51e82c49527298bd6ed554ae2cdac118043968

SHA512
4b3e1e8d94f7e8bd9a32758fab27b2fed6299882a092fea578e1107655e9d5a7d9480eca2c205b3a85e897a1ae3ffd92587b7c4b9ccd3722bb84bfb45a30f683

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.exe

Filesize
199KB

MD5
549eb1bedc8b6ffaebbf1158a51fb888

SHA1
f0d526350af57c212832a62607b755cb13766f31

SHA256
a3315da9aff2bc3f976b759359c006cc083f7257e0261520fe4eb75577222f1f

SHA512
bd0f3ed9abf846e88548fe0cb441e1ddf578ed6251dc448a3b71cee337301f651ec20220bd124eaf75467ab5be86dfeae293a6384946fd176b66a007687bc465

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.exe

Filesize
154KB

MD5
c2fe091588a2c41af4d1b96b71cab3ae

SHA1
a4aed5538f97ac74ebe8042c69239261cebb2f00

SHA256
8b2f791e1e43869391975b4c63514218bf014ac50654e40e49c611af35eb83b8

SHA512
34b0689310ed313ce15a23d1748cd7f8c652cec6244a4af327a8948e85d8fa07c3c1606b2a9107ea2e282d18e1df7a1d49dc49bea8c82a955fbfd04ea83c2087

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.exe

Filesize
169KB

MD5
10e2650017fbc434f7c2b5e427ccb78f

SHA1
667b9a909dfd1fb86aa857faa547085972149631

SHA256
52f5fc02f1fec5e7b271d2fce01e70220947a2315eab551ba590fabf491dc713

SHA512
cf166aed8ab8109c291ab6e2c7f6d18006a1547563d7f1aa9687fa723d2defed2baa2a3e14bafb725786d2de26f42698ffe4fe7d60dd64b84be57295d8820a15

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
64KB

MD5
8a7cec555f3d57e28236ce2865e32fbd

SHA1
f7d2e9c63ceff2eb1b60436ecc738474f83900ca

SHA256
cf26499f04f629940e9e250fd69e45e0c425b568c882eb1e1c1ab99f4885d754

SHA512
1bf7d62f47b4cd19d6e6969dfd75060b4f7f323a78f83dbaa9ac9c062d204d7a9ba8c97afc48ad2c8bdb6090e28599aa130d73e6d49710850a669cfeb3bd9ea4

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
46KB

MD5
477900bbf197d5583c8a54162f418c75

SHA1
5cc70ef0843586dde656ecd577c51c64196ab861

SHA256
12481f25e2fd9a591e2bbfded3270eb7198798b6acd4f4b2da36be630b53dbc7

SHA512
ff96507ca1a106eecfab80173996752a9293d600c519a03ca273d1b0ed9e09923a73220f9ff69fcc43cd36ee4a585a6cdd5661cd86cdb72b1af8b867ff232204

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
159KB

MD5
983445265d7336ed1268a952191edd19

SHA1
ba50cbe3761458faa737802015fdd0534ad3af54

SHA256
aa6c16d2f0d8061a00f2ef16daad0900d1746f6eeebabe45c310ee8dbd0ed150

SHA512
4472e0406dd6a9bd70d226c8025956ea204245216151eb3dc290d1893a5305d18733bede5b18abcd79d8192d20f88708dd1536ec63edf24adaf6679659164a6e

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
ea1a1fb9ccfd94175ac7949b7c0937fd

SHA1
19f49e082f0bfbe697a30a283a8d96e5f2c96f97

SHA256
2f741dca98c6bb003b57a004523cd3ed6fc1d9c629ba27bb9ae065da2691e904

SHA512
b79bc17c026c5bb9804252fd09ef05f3c1400b5a81c3776c812de832e13d251adfa5ba9b301c9fb1126d9e55fb348f69978e2397cb9dcfc29bdfda89ba2461c8

Download Submit
memory/332-15-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download
memory/332-13-0x0000000073A90000-0x0000000074041000-memory.dmp

Filesize
5.7MB

Download
memory/332-14-0x0000000073A90000-0x0000000074041000-memory.dmp

Filesize
5.7MB

Download
memory/332-25-0x0000000073A90000-0x0000000074041000-memory.dmp

Filesize
5.7MB

Download
memory/404-116-0x00000000073A0000-0x00000000073B5000-memory.dmp

Filesize
84KB

Download
memory/2952-139-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2952-64-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/4872-27-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/4872-24-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/4872-59-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/4872-26-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/4872-19-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/4872-22-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download