cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86

General

Target

cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Size

2.4MB
MD5

2e1753b96c9e7c1a90f1c2a31d054769
SHA1

bf202c1dad2b1039b63dfb018bb6fdc21dd0d58b
SHA256

cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86
SHA512

f3552c29934200d6eac21b86f4258943d4a54c945893b34ca02955b4bad4bab891b4247bd3abf0ea038bdfee0b73d976d8b9fa43d67a483058a3a87302d81392

Score

10^/10

adobe phishing upx

Malware Config

Signatures

Detected adobe phishing page
phishing adobe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1452-131-0x0000000000C20000-0x00000000013AA000-memory.dmp	upx
behavioral2/memory/1452-132-0x0000000000C20000-0x00000000013AA000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe = "11001"	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1"	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com\ = "48"	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "48"	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "48"	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

pid	process
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
Token: SeIncreaseQuotaPrivilege	1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

pid	process
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
1452	cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe

C:\Users\Admin\AppData\Local\Temp\cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe
"C:\Users\Admin\AppData\Local\Temp\cf8ffbe2d1b8da0bae72254d521c615e53441de89a9a91eb716687a2d12aff86.exe"
1⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1452-131-0x0000000000C20000-0x00000000013AA000-memory.dmp

Filesize
7.5MB

Download
memory/1452-132-0x0000000000C20000-0x00000000013AA000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads