c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a

General

Target

c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Size

2.4MB
MD5

565cb3d84fbe8d2d66392c2f7b35da5d
SHA1

fcbe940a4278634f3f7302132e9885bc1748197f
SHA256

c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a
SHA512

af4d31fc050eb4bb575801152f7711171f10009d4d5dd05328d561e3fc24595087baa986f69b3a94b23451ce1b59263fb7b8c0aba176918d3c3b2c10f526981c

Score

10^/10

adobe phishing upx

Malware Config

Signatures

Detected adobe phishing page
phishing adobe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3240-130-0x0000000000570000-0x0000000000CFA000-memory.dmp	upx
behavioral2/memory/3240-131-0x0000000000570000-0x0000000000CFA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe = "11001"	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1"	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com\ = "48"	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "48"	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "48"	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe

pid	process
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
Token: SeIncreaseQuotaPrivilege	3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe

pid	process
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
3240	c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe

C:\Users\Admin\AppData\Local\Temp\c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe
"C:\Users\Admin\AppData\Local\Temp\c0f404aa531cd2e5cb81b688329df720da4fc79ae1c8c612a25016884863957a.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3240-130-0x0000000000570000-0x0000000000CFA000-memory.dmp

Filesize
7.5MB

Download
memory/3240-131-0x0000000000570000-0x0000000000CFA000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads