50ab4df7d9411160c2d865d393fe7ffefcb87d8989341cc4a6a538a3bef829e9

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e323c11ae0aff211f26acc3add9ad68f.exe
Size

799KB
MD5

e323c11ae0aff211f26acc3add9ad68f
SHA1

393178ec692bff839190177e239c3048fb189fbd
SHA256

50ab4df7d9411160c2d865d393fe7ffefcb87d8989341cc4a6a538a3bef829e9
SHA512

0e1ef07a525c5885ea0c0c4e16a0567680c86a5a740ef35e571c4dca2929b64565c1fe2ee25dcc85acb01a0dbce1e325b0fb3c709f7050a68860933a5356c241
SSDEEP

12288:Wh3ZukLF5fRY5a/6GX4D1DwhHd1zre/9CL77EVMTe9jrsrXQuVz2c:WhMkxlRSaiPDi3qs3lTWYrX2c

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	e323c11ae0aff211f26acc3add9ad68f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	acrotray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	acrotray .exe

Executes dropped EXE 4 IoCs

pid	Process
4900	acrotray.exe
4116	acrotray.exe
2120	acrotray .exe
4472	acrotray .exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	e323c11ae0aff211f26acc3add9ad68f.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\acrotray .exe	e323c11ae0aff211f26acc3add9ad68f.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	e323c11ae0aff211f26acc3add9ad68f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 202e957abd8ada01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1941443420"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099581"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1941443420"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099581"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000055176c4ced34542856d0f29947515a5000000000200000000001066000000010000200000005cb7870a57e43260ffb9b671fe93cb3f9df9341285d0f4ccbf702d76bfdd1ca3000000000e8000000002000020000000aa72f8bc545567366721e6ad15fadff30d982025aff7f35b17451024ebb7950720000000350a44afd847d4faece87609ce5a7509ecb0eb06cf8d33a24f9c9bc7d97f8e0940000000773eb7dfbe4d698cbe27f0ea57da5e5c91ada3c8fd0edf1fa290bd127c6496151e7550002763f4456a349206fe5baad2e13a446503ecab4c7d53fdc832b01b19	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000055176c4ced34542856d0f29947515a500000000020000000000106600000001000020000000fbce2040c443b48227837c7b50509e92d383f5430f6cefedc681904c258740da000000000e8000000002000020000000abba5127bb18063f0ed030f621aae1d4bfd22351e83bf270eb4c526ccfdd088f200000009ff288652e53e86f060dec075b8f399fb5157064c22aefa6013a6c7edf09735940000000583a8c6ce32366cec7f1b5c4941bea3a406b706965cc5fdc8a84d53291ababd7816c6d7aa34b08087badcf699733c492b2c15b26da67616234f8d24c41777188	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9F4E8667-F6B0-11EE-87B8-628714877227} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 306f9772bd8ada01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4412	e323c11ae0aff211f26acc3add9ad68f.exe
4412	e323c11ae0aff211f26acc3add9ad68f.exe
4412	e323c11ae0aff211f26acc3add9ad68f.exe
4412	e323c11ae0aff211f26acc3add9ad68f.exe
4412	e323c11ae0aff211f26acc3add9ad68f.exe
4412	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
4900	acrotray.exe
4900	acrotray.exe
4900	acrotray.exe
4900	acrotray.exe
4900	acrotray.exe
4900	acrotray.exe
4116	acrotray.exe
4116	acrotray.exe
4116	acrotray.exe
4116	acrotray.exe
2120	acrotray .exe
2120	acrotray .exe
2120	acrotray .exe
2120	acrotray .exe
2120	acrotray .exe
2120	acrotray .exe
4472	acrotray .exe
4472	acrotray .exe
4472	acrotray .exe
4472	acrotray .exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
4116	acrotray.exe
4116	acrotray.exe
4472	acrotray .exe
4472	acrotray .exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
4116	acrotray.exe
4116	acrotray.exe
4472	acrotray .exe
4472	acrotray .exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
4116	acrotray.exe
4116	acrotray.exe
4472	acrotray .exe
4472	acrotray .exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
4116	acrotray.exe
4116	acrotray.exe
4472	acrotray .exe
4472	acrotray .exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
4116	acrotray.exe
4116	acrotray.exe
4472	acrotray .exe
4472	acrotray .exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
2556	e323c11ae0aff211f26acc3add9ad68f.exe
4116	acrotray.exe
4116	acrotray.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	e323c11ae0aff211f26acc3add9ad68f.exe
Token: SeDebugPrivilege	2556	e323c11ae0aff211f26acc3add9ad68f.exe
Token: SeDebugPrivilege	4900	acrotray.exe
Token: SeDebugPrivilege	4116	acrotray.exe
Token: SeDebugPrivilege	2120	acrotray .exe
Token: SeDebugPrivilege	4472	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4744	iexplore.exe
4744	iexplore.exe
4744	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4744	iexplore.exe
4744	iexplore.exe
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
4744	iexplore.exe
4744	iexplore.exe
3644	IEXPLORE.EXE
3644	IEXPLORE.EXE
4744	iexplore.exe
4744	iexplore.exe
684	IEXPLORE.EXE
684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2556	4412	e323c11ae0aff211f26acc3add9ad68f.exe	89
PID 4412 wrote to memory of 2556	4412	e323c11ae0aff211f26acc3add9ad68f.exe	89
PID 4412 wrote to memory of 2556	4412	e323c11ae0aff211f26acc3add9ad68f.exe	89
PID 4412 wrote to memory of 4900	4412	e323c11ae0aff211f26acc3add9ad68f.exe	98
PID 4412 wrote to memory of 4900	4412	e323c11ae0aff211f26acc3add9ad68f.exe	98
PID 4412 wrote to memory of 4900	4412	e323c11ae0aff211f26acc3add9ad68f.exe	98
PID 4744 wrote to memory of 1640	4744	iexplore.exe	101
PID 4744 wrote to memory of 1640	4744	iexplore.exe	101
PID 4744 wrote to memory of 1640	4744	iexplore.exe	101
PID 4900 wrote to memory of 4116	4900	acrotray.exe	102
PID 4900 wrote to memory of 4116	4900	acrotray.exe	102
PID 4900 wrote to memory of 4116	4900	acrotray.exe	102
PID 4900 wrote to memory of 2120	4900	acrotray.exe	103
PID 4900 wrote to memory of 2120	4900	acrotray.exe	103
PID 4900 wrote to memory of 2120	4900	acrotray.exe	103
PID 2120 wrote to memory of 4472	2120	acrotray .exe	104
PID 2120 wrote to memory of 4472	2120	acrotray .exe	104
PID 2120 wrote to memory of 4472	2120	acrotray .exe	104
PID 4744 wrote to memory of 3644	4744	iexplore.exe	106
PID 4744 wrote to memory of 3644	4744	iexplore.exe	106
PID 4744 wrote to memory of 3644	4744	iexplore.exe	106
PID 4744 wrote to memory of 684	4744	iexplore.exe	107
PID 4744 wrote to memory of 684	4744	iexplore.exe	107
PID 4744 wrote to memory of 684	4744	iexplore.exe	107

C:\Users\Admin\AppData\Local\Temp\e323c11ae0aff211f26acc3add9ad68f.exe
"C:\Users\Admin\AppData\Local\Temp\e323c11ae0aff211f26acc3add9ad68f.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\e323c11ae0aff211f26acc3add9ad68f.exe
  "C:\Users\Admin\AppData\Local\Temp\e323c11ae0aff211f26acc3add9ad68f.exe" C:\Users\Admin\AppData\Local\Temp\e323c11ae0aff211f26acc3add9ad68f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\e323c11ae0aff211f26acc3add9ad68f.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\e323c11ae0aff211f26acc3add9ad68f.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\e323c11ae0aff211f26acc3add9ad68f.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\e323c11ae0aff211f26acc3add9ad68f.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4472

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4744 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1640
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4744 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3644
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4744 CREDAT:17424 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
829KB

MD5
878a187cc3b8eebfc7fa89502b6d5de5

SHA1
8ce3fbab20e7478255b2a6b60a08c5246c344ecc

SHA256
5fd4f0de4ee64f45c5dce3e515b9f5e903a2610c4cf6d1becb5bc615df584d7d

SHA512
6aab78f9fcb83f349b60717fb9522df60239724342eab5ccfa7c7dfda417f01984d803976313acb111aebfaa39f499e426fb242054e6f0d98b03f3a96bd68f86

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
832KB

MD5
3f5955255dc1d5b0ffd92ad6a4c2cc43

SHA1
972f333bfac57467279c87ab6eaaeeea6d9d9eec

SHA256
40ab4c8a3573a35d7b84f7f7da8cb4471e6c0fbade2fbb9ba0b46115f6c0474b

SHA512
fe01fa5e8f2ef504e40aa1a34ae23498b2bb4017a654cbc03e9db6557dfca29421b101276e9e4a88707112fbbd10b0311eeb0d5d3397d7b7754dc81f8239b547

Download Submit
memory/4412-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download