379a78c65d8e5e5b7e1f25917a5493ae623042dd9ca3f12b0b3ae4e3ca72f101

General

Target

daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
Size

36KB
MD5

8ef0778cfb358be6b7d9b25104ad9e87
SHA1

48fa290678c95010bcf198fdc2d4cb3d485b37c5
SHA256

daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef
SHA512

1e49f8e39d3b6d2a3c346f69abc42a5e2b824674a953c4ec6997b8c54827c2c5dea31857ec7b04e60e965f337e0e52cc85acd1d279fbfe1813b84271e075c1f1

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exeadobeupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	adobeupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	adobeupdate.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exeadobeupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adobeupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	adobeupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\adobeupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	adobeupdate.exe

Executes dropped EXE 1 IoCs

Processes:

adobeupdate.exe

pid process

468 adobeupdate.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1972 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeadobeupdate.exe

pid process

1972 cmd.exe
468 adobeupdate.exe
468 adobeupdate.exe
468 adobeupdate.exe

pid	process
468	adobeupdate.exe

pid	process
1972	cmd.exe

pid	process
1972	cmd.exe
468	adobeupdate.exe
468	adobeupdate.exe
468	adobeupdate.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adobeupdate.exedaf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	adobeupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobeupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	adobeupdate.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	adobeupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\adobeupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	adobeupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobeupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\adobeupdate = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe\\adobeupdate.exe\""	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exeadobeupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	adobeupdate.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

adobeupdate.exe

description pid process target process

PID 468 set thread context of 1892 468 adobeupdate.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1220 reg.exe
660 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1796 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

adobeupdate.exe

description pid process

Token: SeRestorePrivilege 468 adobeupdate.exe
Token: SeBackupPrivilege 468 adobeupdate.exe

description	pid	process	target process
PID 468 set thread context of 1892	468	adobeupdate.exe	iexplore.exe

pid	process
1220	reg.exe
660	reg.exe

pid	process
1796	PING.EXE

description	pid	process
Token: SeRestorePrivilege	468	adobeupdate.exe
Token: SeBackupPrivilege	468	adobeupdate.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.execmd.execmd.exeadobeupdate.execmd.exe

description	pid	process	target process
PID 1652 wrote to memory of 1484	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1652 wrote to memory of 1484	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1652 wrote to memory of 1484	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1652 wrote to memory of 1484	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1484 wrote to memory of 1220	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 1220	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 1220	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 1220	1484	cmd.exe	reg.exe
PID 1652 wrote to memory of 1972	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1652 wrote to memory of 1972	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1652 wrote to memory of 1972	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1652 wrote to memory of 1972	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1652 wrote to memory of 1972	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1652 wrote to memory of 1972	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1652 wrote to memory of 1972	1652	daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe	cmd.exe
PID 1972 wrote to memory of 1796	1972	cmd.exe	PING.EXE
PID 1972 wrote to memory of 1796	1972	cmd.exe	PING.EXE
PID 1972 wrote to memory of 1796	1972	cmd.exe	PING.EXE
PID 1972 wrote to memory of 1796	1972	cmd.exe	PING.EXE
PID 1972 wrote to memory of 468	1972	cmd.exe	adobeupdate.exe
PID 1972 wrote to memory of 468	1972	cmd.exe	adobeupdate.exe
PID 1972 wrote to memory of 468	1972	cmd.exe	adobeupdate.exe
PID 1972 wrote to memory of 468	1972	cmd.exe	adobeupdate.exe
PID 1972 wrote to memory of 468	1972	cmd.exe	adobeupdate.exe
PID 1972 wrote to memory of 468	1972	cmd.exe	adobeupdate.exe
PID 1972 wrote to memory of 468	1972	cmd.exe	adobeupdate.exe
PID 468 wrote to memory of 788	468	adobeupdate.exe	cmd.exe
PID 468 wrote to memory of 788	468	adobeupdate.exe	cmd.exe
PID 468 wrote to memory of 788	468	adobeupdate.exe	cmd.exe
PID 468 wrote to memory of 788	468	adobeupdate.exe	cmd.exe
PID 468 wrote to memory of 788	468	adobeupdate.exe	cmd.exe
PID 468 wrote to memory of 788	468	adobeupdate.exe	cmd.exe
PID 468 wrote to memory of 788	468	adobeupdate.exe	cmd.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 468 wrote to memory of 1892	468	adobeupdate.exe	iexplore.exe
PID 788 wrote to memory of 660	788	cmd.exe	reg.exe
PID 788 wrote to memory of 660	788	cmd.exe	reg.exe
PID 788 wrote to memory of 660	788	cmd.exe	reg.exe
PID 788 wrote to memory of 660	788	cmd.exe	reg.exe
PID 788 wrote to memory of 660	788	cmd.exe	reg.exe
PID 788 wrote to memory of 660	788	cmd.exe	reg.exe
PID 788 wrote to memory of 660	788	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe
"C:\Users\Admin\AppData\Local\Temp\daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:1220

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
3⤵
- Runs ping.exe
PID:1796

C:\Users\Admin\AppData\Local\Temp\adobe\adobeupdate.exe
"C:\Users\Admin\AppData\Local\Temp\adobe\adobeupdate.exe"
3⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Modifies registry key
PID:660

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobe\adobeupdate.exe

MD5
8ef0778cfb358be6b7d9b25104ad9e87

SHA1
48fa290678c95010bcf198fdc2d4cb3d485b37c5

SHA256
daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef

SHA512
1e49f8e39d3b6d2a3c346f69abc42a5e2b824674a953c4ec6997b8c54827c2c5dea31857ec7b04e60e965f337e0e52cc85acd1d279fbfe1813b84271e075c1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe\adobeupdate.exe

MD5
8ef0778cfb358be6b7d9b25104ad9e87

SHA1
48fa290678c95010bcf198fdc2d4cb3d485b37c5

SHA256
daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef

SHA512
1e49f8e39d3b6d2a3c346f69abc42a5e2b824674a953c4ec6997b8c54827c2c5dea31857ec7b04e60e965f337e0e52cc85acd1d279fbfe1813b84271e075c1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

MD5
15711be021933dd8289ed3d9c5accc04

SHA1
ecf1957d52f74195041ecdca2420b40a18179bf3

SHA256
07ae23157efa3108e56aed1de41a0f0c43377e615279a3fc82ad4f13d90a89ad

SHA512
74a69edff6685ddd13bcf2c0b0cb3219793df98e3753b950bd180ec8888b7efd046bee8f80393c2d8b6a43ba5cfd58da4bd1d6dee035a52ee74fe382ab74e14d

Download Submit
\Users\Admin\AppData\Local\Temp\adobe\adobeupdate.exe

MD5
8ef0778cfb358be6b7d9b25104ad9e87

SHA1
48fa290678c95010bcf198fdc2d4cb3d485b37c5

SHA256
daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef

SHA512
1e49f8e39d3b6d2a3c346f69abc42a5e2b824674a953c4ec6997b8c54827c2c5dea31857ec7b04e60e965f337e0e52cc85acd1d279fbfe1813b84271e075c1f1

Download Submit
\Users\Admin\AppData\Local\Temp\adobe\adobeupdate.exe

MD5
8ef0778cfb358be6b7d9b25104ad9e87

SHA1
48fa290678c95010bcf198fdc2d4cb3d485b37c5

SHA256
daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef

SHA512
1e49f8e39d3b6d2a3c346f69abc42a5e2b824674a953c4ec6997b8c54827c2c5dea31857ec7b04e60e965f337e0e52cc85acd1d279fbfe1813b84271e075c1f1

Download Submit
\Users\Admin\AppData\Local\Temp\adobe\adobeupdate.exe

MD5
8ef0778cfb358be6b7d9b25104ad9e87

SHA1
48fa290678c95010bcf198fdc2d4cb3d485b37c5

SHA256
daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef

SHA512
1e49f8e39d3b6d2a3c346f69abc42a5e2b824674a953c4ec6997b8c54827c2c5dea31857ec7b04e60e965f337e0e52cc85acd1d279fbfe1813b84271e075c1f1

Download Submit
\Users\Admin\AppData\Local\Temp\adobe\adobeupdate.exe

MD5
8ef0778cfb358be6b7d9b25104ad9e87

SHA1
48fa290678c95010bcf198fdc2d4cb3d485b37c5

SHA256
daf29c624693210dcf0743b0e31c273d181936beb0d09c58660b5241efc737ef

SHA512
1e49f8e39d3b6d2a3c346f69abc42a5e2b824674a953c4ec6997b8c54827c2c5dea31857ec7b04e60e965f337e0e52cc85acd1d279fbfe1813b84271e075c1f1

Download Submit
memory/468-67-0x0000000000000000-mapping.dmp

Download
memory/468-80-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/660-78-0x0000000000000000-mapping.dmp

Download
memory/788-73-0x0000000000000000-mapping.dmp

Download
memory/1220-61-0x0000000000000000-mapping.dmp

Download
memory/1484-60-0x0000000000000000-mapping.dmp

Download
memory/1652-59-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1796-64-0x0000000000000000-mapping.dmp

Download
memory/1892-74-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1892-76-0x00000000004192EC-mapping.dmp

Download
memory/1972-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads