3a44787d2cb3d19a2482dc745fe9c6fa4633deaabe9d1fb302f9166ff11fb345

Analysis

max time kernel
147s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b846797239f53087160e9ad02fbf675e.exe
Size

70KB
MD5

b846797239f53087160e9ad02fbf675e
SHA1

55dd7659bb2587888eea0459680cff3f7b95032f
SHA256

3a44787d2cb3d19a2482dc745fe9c6fa4633deaabe9d1fb302f9166ff11fb345
SHA512

4da45fc7b7d3249389dc2541b4d760cd58291d1c01d93bc368d6072c97215c4444300d4aa69f79f7d09d5340eb3b9935c645cd4bfe0972667dda2406a1f8778d
SSDEEP

1536:jvqz89m+363/7AbwLYtAFFW9yciOigri2X8dIJhlBwOUrBjlSNCSDRoqx:jvqz89m+363/7AbwLYtcFkTiQ8mdUZq3

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	b846797239f53087160e9ad02fbf675e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	acrotray .exe

Executes dropped EXE 4 IoCs

pid	Process
3932	acrotray.exe
1804	acrotray.exe
836	acrotray .exe
4444	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	b846797239f53087160e9ad02fbf675e.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\acrotray .exe	b846797239f53087160e9ad02fbf675e.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	b846797239f53087160e9ad02fbf675e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31092752"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000055176c4ced34542856d0f29947515a5000000000200000000001066000000010000200000002cfe7d92d7b77993fd2319f398dff3512b181406b2bfed563aeaa55636446dd5000000000e80000000020000200000009bb5b575ada0a04ba86a6b3b3f122ee24f5fa8c8faebf96935573353e61765ac2000000011588cee7e6f59ba9a3e81c36adab241d0cb19d793b21434664f7eea3e6f61b6400000005fd051506c47a8b0e87066e4005eae8019b24e77dd5614300a0241fe087dd84df04b7699763127e21d7b1143b760a0568b2ff926caf6641e429e93f114df5a9b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "371064237"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000055176c4ced34542856d0f29947515a5000000000200000000001066000000010000200000004aae0d5e2ad6012ed71bcacf4f82c19972cf0e56266fcb102c96c0f4b63c87d4000000000e8000000002000020000000b5a9c7321261243510e6e87f66f25dceffe6645247b49f504262b8f112274c6920000000d44a89f7d24836c1205976631e6e633af444b41db5573d35991289cb4b5d40474000000027eff159493f8718cb98fd4d37bf099e8950893799756672c39d48220adefe72498c115854f30775b570a42255f2d2d5f6c38645dc37f93b28a40d69b82af0cb	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{41B471B8-DC03-11EE-87B8-C69DB2B6DED0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80acf8141070da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31092752"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "371064237"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0c19a1d1070da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3920	b846797239f53087160e9ad02fbf675e.exe
3920	b846797239f53087160e9ad02fbf675e.exe
3920	b846797239f53087160e9ad02fbf675e.exe
3920	b846797239f53087160e9ad02fbf675e.exe
3920	b846797239f53087160e9ad02fbf675e.exe
3920	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
3932	acrotray.exe
3932	acrotray.exe
3932	acrotray.exe
3932	acrotray.exe
3932	acrotray.exe
3932	acrotray.exe
1804	acrotray.exe
1804	acrotray.exe
1804	acrotray.exe
1804	acrotray.exe
836	acrotray .exe
836	acrotray .exe
836	acrotray .exe
836	acrotray .exe
836	acrotray .exe
836	acrotray .exe
4444	acrotray .exe
4444	acrotray .exe
4444	acrotray .exe
4444	acrotray .exe
3788	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
1804	acrotray.exe
1804	acrotray.exe
4444	acrotray .exe
4444	acrotray .exe
3788	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
1804	acrotray.exe
1804	acrotray.exe
4444	acrotray .exe
4444	acrotray .exe
3788	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
1804	acrotray.exe
1804	acrotray.exe
4444	acrotray .exe
4444	acrotray .exe
3788	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
1804	acrotray.exe
1804	acrotray.exe
4444	acrotray .exe
4444	acrotray .exe
3788	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
1804	acrotray.exe
1804	acrotray.exe
4444	acrotray .exe
4444	acrotray .exe
3788	b846797239f53087160e9ad02fbf675e.exe
3788	b846797239f53087160e9ad02fbf675e.exe
1804	acrotray.exe
1804	acrotray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	b846797239f53087160e9ad02fbf675e.exe
Token: SeDebugPrivilege	3788	b846797239f53087160e9ad02fbf675e.exe
Token: SeDebugPrivilege	3932	acrotray.exe
Token: SeDebugPrivilege	1804	acrotray.exe
Token: SeDebugPrivilege	836	acrotray .exe
Token: SeDebugPrivilege	4444	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1816	iexplore.exe
1816	iexplore.exe
1816	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1816	iexplore.exe
1816	iexplore.exe
672	IEXPLORE.EXE
672	IEXPLORE.EXE
1816	iexplore.exe
1816	iexplore.exe
4680	IEXPLORE.EXE
4680	IEXPLORE.EXE
1816	iexplore.exe
1816	iexplore.exe
4340	IEXPLORE.EXE
4340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 3788	3920	b846797239f53087160e9ad02fbf675e.exe	92
PID 3920 wrote to memory of 3788	3920	b846797239f53087160e9ad02fbf675e.exe	92
PID 3920 wrote to memory of 3788	3920	b846797239f53087160e9ad02fbf675e.exe	92
PID 3920 wrote to memory of 3932	3920	b846797239f53087160e9ad02fbf675e.exe	101
PID 3920 wrote to memory of 3932	3920	b846797239f53087160e9ad02fbf675e.exe	101
PID 3920 wrote to memory of 3932	3920	b846797239f53087160e9ad02fbf675e.exe	101
PID 1816 wrote to memory of 672	1816	iexplore.exe	105
PID 1816 wrote to memory of 672	1816	iexplore.exe	105
PID 1816 wrote to memory of 672	1816	iexplore.exe	105
PID 3932 wrote to memory of 1804	3932	acrotray.exe	106
PID 3932 wrote to memory of 1804	3932	acrotray.exe	106
PID 3932 wrote to memory of 1804	3932	acrotray.exe	106
PID 3932 wrote to memory of 836	3932	acrotray.exe	107
PID 3932 wrote to memory of 836	3932	acrotray.exe	107
PID 3932 wrote to memory of 836	3932	acrotray.exe	107
PID 836 wrote to memory of 4444	836	acrotray .exe	108
PID 836 wrote to memory of 4444	836	acrotray .exe	108
PID 836 wrote to memory of 4444	836	acrotray .exe	108
PID 1816 wrote to memory of 4680	1816	iexplore.exe	111
PID 1816 wrote to memory of 4680	1816	iexplore.exe	111
PID 1816 wrote to memory of 4680	1816	iexplore.exe	111
PID 1816 wrote to memory of 4340	1816	iexplore.exe	112
PID 1816 wrote to memory of 4340	1816	iexplore.exe	112
PID 1816 wrote to memory of 4340	1816	iexplore.exe	112

C:\Users\Admin\AppData\Local\Temp\b846797239f53087160e9ad02fbf675e.exe
"C:\Users\Admin\AppData\Local\Temp\b846797239f53087160e9ad02fbf675e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\b846797239f53087160e9ad02fbf675e.exe
  "C:\Users\Admin\AppData\Local\Temp\b846797239f53087160e9ad02fbf675e.exe" C:\Users\Admin\AppData\Local\Temp\b846797239f53087160e9ad02fbf675e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\b846797239f53087160e9ad02fbf675e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\b846797239f53087160e9ad02fbf675e.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\b846797239f53087160e9ad02fbf675e.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\b846797239f53087160e9ad02fbf675e.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4444

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1816 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:672
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1816 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1816 CREDAT:17424 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
107KB

MD5
111b011be30e53818aa8ceb230eaf920

SHA1
499e2a5e24e8e76fafe0bb1be157650834b66971

SHA256
58b993dc6811dffe4f5fd7089b66076234d5a9f7e6b93fa3d0e937e03338193f

SHA512
9ebbdf517616c2c5e20f6e37655943122477bf934bf05822a25497231e0f4d1d332ea64a8af8922a25a6411b30e649031e26a19d7c37d42a2eddf903804770da

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
78KB

MD5
4c979a52d734b4b9366fa650d9b566e3

SHA1
4814bdb93be89b3bf43fe22910d0fd766896bcbb

SHA256
72c324fd6065f49041e94e4467d8bfe2c39e1512670b9699a799bda0ac4002b3

SHA512
b62c07da154486a2d2f896f725445915fe28065dee5acafac2429d41a8fc19c1aab5569179909d380122b00e79630515894388a72336f56cf43119e893af8574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IGS2C121\bcBNaQRUG[1].js

Filesize
32KB

MD5
155aa791940dc8c525a4dbab4d8dbc0a

SHA1
9320dba4977ec5b99f1bbd6c396a9a972c215886

SHA256
763e602ef7c13af2dd7289d1290b1219e0bbfb6dbab56a46c8965970947a466b

SHA512
0bb005bf1b1aea41bc1dffbaeba6ea4f66a09bf789bff805c71859853e2ea756952776fd2cffb71f2c4b44e2fe894f1785d42374a85f3f9c19e45853b9572153

Download Submit
memory/3920-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download