666859e6c3724513d033e3197dc7efb8736f690eb15603210813a9e5b761d2c7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobeReader 10.exe
Size

45.7MB
MD5

4b2f2dd39efca7ab7d69ad6735a26ffc
SHA1

3d5b75ae4bd60262aaacfb35c852e31dd8ade37f
SHA256

666859e6c3724513d033e3197dc7efb8736f690eb15603210813a9e5b761d2c7
SHA512

56b6554f24746f18d742f962f6635649318d0dfaff399853814e4fff22efe9f141eb3bb6455f240fdd9e5eeebf324b0771e3dab3b0b0e18a193180b395fcdfb4
SSDEEP

786432:nUKocG8JHLygNDq4dIQO6kOm256ddCpTe50HWS3Burn0AwdokgFLSw3:RocfLtNDMQDYBXEe0HWJ0A17Sk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3828	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
3732	MsiExec.exe
3732	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
21	848	msiexec.exe
24	848	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeReader 10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	848	msiexec.exe
Token: SeSecurityPrivilege	4728	msiexec.exe
Token: SeCreateTokenPrivilege	848	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	848	msiexec.exe
Token: SeLockMemoryPrivilege	848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	848	msiexec.exe
Token: SeMachineAccountPrivilege	848	msiexec.exe
Token: SeTcbPrivilege	848	msiexec.exe
Token: SeSecurityPrivilege	848	msiexec.exe
Token: SeTakeOwnershipPrivilege	848	msiexec.exe
Token: SeLoadDriverPrivilege	848	msiexec.exe
Token: SeSystemProfilePrivilege	848	msiexec.exe
Token: SeSystemtimePrivilege	848	msiexec.exe
Token: SeProfSingleProcessPrivilege	848	msiexec.exe
Token: SeIncBasePriorityPrivilege	848	msiexec.exe
Token: SeCreatePagefilePrivilege	848	msiexec.exe
Token: SeCreatePermanentPrivilege	848	msiexec.exe
Token: SeBackupPrivilege	848	msiexec.exe
Token: SeRestorePrivilege	848	msiexec.exe
Token: SeShutdownPrivilege	848	msiexec.exe
Token: SeDebugPrivilege	848	msiexec.exe
Token: SeAuditPrivilege	848	msiexec.exe
Token: SeSystemEnvironmentPrivilege	848	msiexec.exe
Token: SeChangeNotifyPrivilege	848	msiexec.exe
Token: SeRemoteShutdownPrivilege	848	msiexec.exe
Token: SeUndockPrivilege	848	msiexec.exe
Token: SeSyncAgentPrivilege	848	msiexec.exe
Token: SeEnableDelegationPrivilege	848	msiexec.exe
Token: SeManageVolumePrivilege	848	msiexec.exe
Token: SeImpersonatePrivilege	848	msiexec.exe
Token: SeCreateGlobalPrivilege	848	msiexec.exe
Token: SeCreateTokenPrivilege	848	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	848	msiexec.exe
Token: SeLockMemoryPrivilege	848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	848	msiexec.exe
Token: SeMachineAccountPrivilege	848	msiexec.exe
Token: SeTcbPrivilege	848	msiexec.exe
Token: SeSecurityPrivilege	848	msiexec.exe
Token: SeTakeOwnershipPrivilege	848	msiexec.exe
Token: SeLoadDriverPrivilege	848	msiexec.exe
Token: SeSystemProfilePrivilege	848	msiexec.exe
Token: SeSystemtimePrivilege	848	msiexec.exe
Token: SeProfSingleProcessPrivilege	848	msiexec.exe
Token: SeIncBasePriorityPrivilege	848	msiexec.exe
Token: SeCreatePagefilePrivilege	848	msiexec.exe
Token: SeCreatePermanentPrivilege	848	msiexec.exe
Token: SeBackupPrivilege	848	msiexec.exe
Token: SeRestorePrivilege	848	msiexec.exe
Token: SeShutdownPrivilege	848	msiexec.exe
Token: SeDebugPrivilege	848	msiexec.exe
Token: SeAuditPrivilege	848	msiexec.exe
Token: SeSystemEnvironmentPrivilege	848	msiexec.exe
Token: SeChangeNotifyPrivilege	848	msiexec.exe
Token: SeRemoteShutdownPrivilege	848	msiexec.exe
Token: SeUndockPrivilege	848	msiexec.exe
Token: SeSyncAgentPrivilege	848	msiexec.exe
Token: SeEnableDelegationPrivilege	848	msiexec.exe
Token: SeManageVolumePrivilege	848	msiexec.exe
Token: SeImpersonatePrivilege	848	msiexec.exe
Token: SeCreateGlobalPrivilege	848	msiexec.exe
Token: SeCreateTokenPrivilege	848	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	848	msiexec.exe
Token: SeLockMemoryPrivilege	848	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
848	msiexec.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3548	AdobeReader 10.exe
3548	AdobeReader 10.exe
3548	AdobeReader 10.exe
3828	setup.exe
3828	setup.exe
3828	setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3548 wrote to memory of 3828	3548	AdobeReader 10.exe	92
PID 3548 wrote to memory of 3828	3548	AdobeReader 10.exe	92
PID 3548 wrote to memory of 3828	3548	AdobeReader 10.exe	92
PID 3828 wrote to memory of 848	3828	setup.exe	93
PID 3828 wrote to memory of 848	3828	setup.exe	93
PID 3828 wrote to memory of 848	3828	setup.exe	93
PID 4728 wrote to memory of 3732	4728	msiexec.exe	97
PID 4728 wrote to memory of 3732	4728	msiexec.exe	97
PID 4728 wrote to memory of 3732	4728	msiexec.exe	97

C:\Users\Admin\AppData\Local\Temp\AdobeReader 10.exe
"C:\Users\Admin\AppData\Local\Temp\AdobeReader 10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3548
- C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\setup.exe
  "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\setup.exe" /msi DISABLE_CACHE=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AcroRead.msi" DISABLE_CACHE=1 REBOOT="ReallySuppress" PATCH="C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AdbeRdrUpd1001_Tier2.msp"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:848

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A82587CAFAF60182E482B3B8AF37F4EC C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAMDATA\ADOBE\SETUP\{AC76BA86-7AD7-1034-7B44-AA0000000001}\Abcpy.ini

Filesize
1KB

MD5
8e50f582a84c800ed8919f84c77332ca

SHA1
5c818feb6ec42660b894a9641002874241ab865f

SHA256
2c3dfca37d2618d54781b65d12ad25651eef1f6b321808826e5c22acc0fe2901

SHA512
7b7e45303881b77d33f844eb76937ac0c021d626b15eb11843cb0478fa218b85ed7781c0c612e7b113decc299ebc63c466b9bde197b80500568c4f0c2dd7db3e

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AcroRead.msi

Filesize
2.2MB

MD5
dffe2c18cb45ee1557463633fa060df1

SHA1
668d1cb4ab20ed085c215e8cd815521686ebc32b

SHA256
0579d853b52f854eb6257b86465b70ec6d9317a2733bf38adc95b8bfb178f20d

SHA512
4a797e53450f5ece0bb9ad47a8894b8938bc37ca60d0c3ba9aee715f7999bacc9dd107f8aad34bbe2fc35e0fda719d438bcd4a2f71bc7af362cba4b66090e1fc

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\AdbeRdrUpd1001_Tier2.msp

Filesize
12.0MB

MD5
f4158dfce3aa1b3da5469f2b34c40248

SHA1
85960f7b30096c81b38794c34bc4fa0970807421

SHA256
e7336642f0c1e08bee66470d9409fc0f71e93c8eec7c925fac89c397baa8dede

SHA512
9658f887a97bfaaa6d307b2d0f38edfc7355d9066f05b33ce05d748c9473cce2e95eb60255ea40a314b199011a28ab4fb29e0a2128d31aad5ea51b64f4e4f6a3

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\Setup.ini

Filesize
212B

MD5
7bb337959d26a4dd4a18c311cffc94f8

SHA1
56884ac3ca54b8d1cb4d6b2e9ec51cc1248c50c9

SHA256
71bf727c4976dccd39628d1e71fbdb1de69da8cee6eae8f76e320ffd4668586b

SHA512
5c844292e359767f005c7f9b6505debbddad6b6388333d0b9fbe06c09c590f4a7f22e3e53245dbf06f8e2bc3987dd818738f7a7da4b7ad8e595ce0ed6d9f9e74

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1034-7B44-AA0000000001}\setup.exe

Filesize
329KB

MD5
298b89d914f1a0a5a75c48a5ae9b75b9

SHA1
fe9f329d755e4d42ae5140e31875a9ea989043a5

SHA256
0ac3d080d42d4d1bde82bd0b20883e5fb5e7ed9d287f51dfda0b3ce6f9f83557

SHA512
f0e2ad4b706ea88c1f84ae5b604093f75ff295e6e7ca48a78ec62efc31a6def4ce8c8421791a2082c47ec153ba6db31a72aa7841b99db8da9bfb6eb3b02a90a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_46CCCFB940A93F39A734F69EFCDD76E9

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Temp\22269\config.bin

Filesize
3KB

MD5
30c61a855268759e06a28a85c4e43808

SHA1
8fbb462eac7026a2cb61ed59b117a168b896c783

SHA256
f1cb73c52a99d86ee2525499c7cc5bd2f66046038154caa2d2e41f261951656b

SHA512
683ba39f98a4425f0fa8d256b1d8f9f4e5821f9be2d0c9f94d80677e3384f47afe9833f4683d857eb7cb2053d6a8414991777d2a60729bee2cf27bbab745e80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA7B9.tmp

Filesize
52KB

MD5
4a908ee9c6f2f4aad63382cccee731e4

SHA1
e572580949f277987fe232757ce88c2ac35e0223

SHA256
459f503fb8b4fc4a600261430ac77bf70118d41fa19f7b2620d43ba6e9c8fa5e

SHA512
75ba5856df7ed1457b6192e3b12c5dbb9cd0c6860d787357b37d5e2aabdd1dddb1fd6195064cad1b166431a71dee233b76cb6304d8e868050d79c731ef6e567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA8A5.tmp

Filesize
75KB

MD5
0c6864f73134ebdacf4458c7a2c3251f

SHA1
99cc4dd14f972dd58badc51ed9001dbcdb80e938

SHA256
862ad396ee52836a9b7a8f8142a177875f79c81964b542c3168dd8b242e19a23

SHA512
78048337cbdb4f7cd900366348537c80dbd9135c9a79b220895d77a494317258fc1a8ec5f7225e6652a8f44a9a2d1253a65af735a451f842d47d30376c0eb089

Download Submit