Analysis Overview
SHA256
ae6b4473f53666e39edab08c5865b1778b27becac24fac714f4bffee0b4ed475
Threat Level: Known bad
The file c19b56884372973a458fb9f3fb809722_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Sets file to hidden
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies registry class
Views/modifies file attributes
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Gathers network information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 21:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 21:19
Reported
2024-08-25 21:22
Platform
win7-20240708-en
Max time kernel
4s
Max time network
0s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\dpro1.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32\ = "C:\\Windows\\SysWOW64\\webcheck.dll" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "WebCheckWebCrawler" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe
"C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob7.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adb03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\dpro1.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
Network
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | 620e43d3cd51594e6f631e90d9fd8c22 |
| SHA1 | 000e31e9557fa25e9fd94cd51c7b9583d495d3b2 |
| SHA256 | 53540306a6a950f8cbd1e7c9628d5342eb6f3849398fc448b9c5a42c8cabf449 |
| SHA512 | bcbab8cfbe5a425531c64dfebf5d3c08323c203d9dd74bea08bd955631dda0a7a88a9092f0eb7ae70e4c0221f85c5ca9e360ed03b8e9d0eeacd1a458ab2c38c6 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat
| MD5 | 9d87ac4776ba4e29a292f23e5495e606 |
| SHA1 | 253df9f0dca81a2766876c265206a8fb4c3137a9 |
| SHA256 | 14d8eee9761a090c5f5fe79dda8ca9531d400b0b383a2a5680a2dff0b886917a |
| SHA512 | 3ccf64e3ae4012456c8c94aacf0838a3d277dafbc20e0f093338a863963ffce3b715dba291fe9701c96390242457d8d0cafa834b667c73dca68760aca6447148 |
memory/1724-73-0x00000000005B0000-0x00000000005B2000-memory.dmp
memory/1100-74-0x0000000000210000-0x0000000000212000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | b0512358af17f4999841bebf8afcb2c5 |
| SHA1 | 56904fade30129d6b224c8b5b2a55e9820d20293 |
| SHA256 | 63e94cc5a681c68f87332103e1b3736bc4fb8ae618b4143a5cd6302661cdc66e |
| SHA512 | 261d2260e80cbbff96fb6f42295823360bbc72be8a9eda9596976861280d0c25b03056cd96cc217b6dd4ecc774c9f0adf124028626bacf7341bb1a8e6bfda136 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro1.bat
| MD5 | 124cb6324d434946a483e0f2e55d08b0 |
| SHA1 | 2a8955feb5919c59221191c94b6191425eda6c6f |
| SHA256 | f3b41f2e24a8cd343d71db7d861ad2511690d4ce6020714e5831ddeab5df2637 |
| SHA512 | 9d8c940c4c420f6048ce6bfa67d8d1ce9c7c7392b02a0c500ddbce91ca708f6cd3892c27db9f06bae7e325b39db5f86cb77cbcf168906d3c7444cc7797a178a5 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adb03.bat
| MD5 | 743524e8dcafbeb3b1723c1b8b69da1f |
| SHA1 | a7410d68a17e91b56f379b647ed87c8f06728564 |
| SHA256 | 6058df5b51469d19a8a386136e2f6caefaa36d8c4a596c5d202f819837f1627a |
| SHA512 | d3f0f7b5b6382d5e4228ea9baaa6466a2eb8cd3a00aa9e79683c87a559723a0baab46738e94fce8f3d380758006636e5486a0c6adc3941628b9f37aacc36b5c6 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 7d56f54e9d29ea8e6b5533bc87db0349 |
| SHA1 | 129cbcf51bc30a690f99d25fb7fc5fa1e910ddc5 |
| SHA256 | 67373f02e2d5cb85f46e2f30de7eb5a4ff9762155baf6d75f3437ef1e9a40c5b |
| SHA512 | 5f027113bc529b708a348b3c0ae62edaf926ca6fef089fbcef99d2ff43bbe7e229ec2bfe562b50a49b807dcb9834aff164e30c9f410f96da621fdcea09f67a38 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | e0c3bf874e08648e65a16fa62b11c735 |
| SHA1 | 5e4f96d982cb4c8522befc27dd8779ef681637b3 |
| SHA256 | fd558458ed917c4be35e4a1b6be608e087ae86eecb280f408b39af112717382d |
| SHA512 | b2955a3b36d2002a166e62d459fe028b0b6c727390b9e5b545b683572db244bc8b4ce5bff6cef05509cf8d529caa874c4955708a07ad3f508438fed8ea87c02a |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob7.vbs
| MD5 | 198d2b0736cfc4833acdf49e8cf261dc |
| SHA1 | 05ef064907fbec52a8385367f687a5561731fb37 |
| SHA256 | c9d4227e54618b900f365342587d5843d23ed22116c089e984f394a6f5ce8006 |
| SHA512 | 089f66c8bf793c357ab85dbbdd5852d9ce097c55153ae2c44f6eb728e06c7ddbd6988f9a0de4348343bc211241104e6dbe726a6478749093d17335427ae9da02 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | e498d1248df22b33ef62ec548f2b76b7 |
| SHA1 | db53f5f6a7f7d0c36292d641898409dc81efb1c0 |
| SHA256 | b1d2ee6ddc0b53765d2aa7af44be4531e77fe8eca912854307aeba25e284ada6 |
| SHA512 | 6923fba13a2ef9c5e975134cb27b77074754a22d0363d525c36b7867012c0e06ff4bff9555fcc83be72723f39b19462655de19877c0206fa2d618ad2d1cb3c63 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
memory/2472-125-0x0000000002570000-0x000000000283B000-memory.dmp
memory/2064-124-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/2472-123-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/1768-122-0x00000000024A0000-0x000000000276B000-memory.dmp
memory/1768-121-0x00000000024A0000-0x000000000276B000-memory.dmp
memory/2064-130-0x00000000026C0000-0x00000000028CC000-memory.dmp
memory/2064-126-0x00000000026C0000-0x00000000028CC000-memory.dmp
memory/2064-141-0x00000000026C0000-0x00000000028CC000-memory.dmp
memory/2064-140-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/2064-138-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/2064-137-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/2064-139-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/2064-148-0x00000000026C0000-0x00000000028CC000-memory.dmp
memory/2064-152-0x00000000026C0000-0x00000000028CC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 21:19
Reported
2024-08-25 21:20
Platform
win10v2004-20240802-en
Max time kernel
12s
Max time network
8s
Command Line
Signatures
Banload
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\dpro1.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe
"C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat" /quiet /passive /norestart"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob7.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adb03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\dpro1.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | 620e43d3cd51594e6f631e90d9fd8c22 |
| SHA1 | 000e31e9557fa25e9fd94cd51c7b9583d495d3b2 |
| SHA256 | 53540306a6a950f8cbd1e7c9628d5342eb6f3849398fc448b9c5a42c8cabf449 |
| SHA512 | bcbab8cfbe5a425531c64dfebf5d3c08323c203d9dd74bea08bd955631dda0a7a88a9092f0eb7ae70e4c0221f85c5ca9e360ed03b8e9d0eeacd1a458ab2c38c6 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat
| MD5 | 9d87ac4776ba4e29a292f23e5495e606 |
| SHA1 | 253df9f0dca81a2766876c265206a8fb4c3137a9 |
| SHA256 | 14d8eee9761a090c5f5fe79dda8ca9531d400b0b383a2a5680a2dff0b886917a |
| SHA512 | 3ccf64e3ae4012456c8c94aacf0838a3d277dafbc20e0f093338a863963ffce3b715dba291fe9701c96390242457d8d0cafa834b667c73dca68760aca6447148 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | b0512358af17f4999841bebf8afcb2c5 |
| SHA1 | 56904fade30129d6b224c8b5b2a55e9820d20293 |
| SHA256 | 63e94cc5a681c68f87332103e1b3736bc4fb8ae618b4143a5cd6302661cdc66e |
| SHA512 | 261d2260e80cbbff96fb6f42295823360bbc72be8a9eda9596976861280d0c25b03056cd96cc217b6dd4ecc774c9f0adf124028626bacf7341bb1a8e6bfda136 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro1.bat
| MD5 | 124cb6324d434946a483e0f2e55d08b0 |
| SHA1 | 2a8955feb5919c59221191c94b6191425eda6c6f |
| SHA256 | f3b41f2e24a8cd343d71db7d861ad2511690d4ce6020714e5831ddeab5df2637 |
| SHA512 | 9d8c940c4c420f6048ce6bfa67d8d1ce9c7c7392b02a0c500ddbce91ca708f6cd3892c27db9f06bae7e325b39db5f86cb77cbcf168906d3c7444cc7797a178a5 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adb03.bat
| MD5 | 743524e8dcafbeb3b1723c1b8b69da1f |
| SHA1 | a7410d68a17e91b56f379b647ed87c8f06728564 |
| SHA256 | 6058df5b51469d19a8a386136e2f6caefaa36d8c4a596c5d202f819837f1627a |
| SHA512 | d3f0f7b5b6382d5e4228ea9baaa6466a2eb8cd3a00aa9e79683c87a559723a0baab46738e94fce8f3d380758006636e5486a0c6adc3941628b9f37aacc36b5c6 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 7d56f54e9d29ea8e6b5533bc87db0349 |
| SHA1 | 129cbcf51bc30a690f99d25fb7fc5fa1e910ddc5 |
| SHA256 | 67373f02e2d5cb85f46e2f30de7eb5a4ff9762155baf6d75f3437ef1e9a40c5b |
| SHA512 | 5f027113bc529b708a348b3c0ae62edaf926ca6fef089fbcef99d2ff43bbe7e229ec2bfe562b50a49b807dcb9834aff164e30c9f410f96da621fdcea09f67a38 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | e0c3bf874e08648e65a16fa62b11c735 |
| SHA1 | 5e4f96d982cb4c8522befc27dd8779ef681637b3 |
| SHA256 | fd558458ed917c4be35e4a1b6be608e087ae86eecb280f408b39af112717382d |
| SHA512 | b2955a3b36d2002a166e62d459fe028b0b6c727390b9e5b545b683572db244bc8b4ce5bff6cef05509cf8d529caa874c4955708a07ad3f508438fed8ea87c02a |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob7.vbs
| MD5 | 198d2b0736cfc4833acdf49e8cf261dc |
| SHA1 | 05ef064907fbec52a8385367f687a5561731fb37 |
| SHA256 | c9d4227e54618b900f365342587d5843d23ed22116c089e984f394a6f5ce8006 |
| SHA512 | 089f66c8bf793c357ab85dbbdd5852d9ce097c55153ae2c44f6eb728e06c7ddbd6988f9a0de4348343bc211241104e6dbe726a6478749093d17335427ae9da02 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | e498d1248df22b33ef62ec548f2b76b7 |
| SHA1 | db53f5f6a7f7d0c36292d641898409dc81efb1c0 |
| SHA256 | b1d2ee6ddc0b53765d2aa7af44be4531e77fe8eca912854307aeba25e284ada6 |
| SHA512 | 6923fba13a2ef9c5e975134cb27b77074754a22d0363d525c36b7867012c0e06ff4bff9555fcc83be72723f39b19462655de19877c0206fa2d618ad2d1cb3c63 |
memory/2568-50-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/4832-54-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/4832-56-0x00000000029B0000-0x0000000002BBC000-memory.dmp
memory/4832-60-0x00000000029B0000-0x0000000002BBC000-memory.dmp
memory/4832-67-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/4832-68-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/4832-70-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/4832-69-0x0000000000400000-0x00000000006CB000-memory.dmp
memory/4832-71-0x00000000029B0000-0x0000000002BBC000-memory.dmp
memory/4832-77-0x00000000029B0000-0x0000000002BBC000-memory.dmp
memory/4832-82-0x00000000029B0000-0x0000000002BBC000-memory.dmp