0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff

Analysis

max time kernel
83s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
Size

927KB
MD5

0cd34fd97842c9ba96de6646735b9c70
SHA1

c208f071736d49235e3b9123aa8feaea7d63789a
SHA256

0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff
SHA512

a76d378d1cb3cc1a07ad4a43cce5b2e6731917d06490d0563ea26b94de68fc3e5a4ce20f8ab17c4e80ba31650386001af1b43d506467d8e9d2dd90d4f3e81efd
SSDEEP

12288:6/0DcVYk8zFcetqZQBAUQecDOkuKh5bKdcRVn/NRN2OX0Nr/1/I0l95yr3ozgnMN:TTkqcetqSBdcWJcz//N525wm52q3b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	AdobeARM.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	AdobeARM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4800	AdobeARM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4800	5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe	81
PID 5004 wrote to memory of 4800	5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe	81
PID 5004 wrote to memory of 4800	5004	0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe	81
PID 4800 wrote to memory of 1940	4800	AdobeARM.exe	89
PID 4800 wrote to memory of 1940	4800	AdobeARM.exe	89
PID 4800 wrote to memory of 1940	4800	AdobeARM.exe	89

C:\Users\Admin\AppData\Local\Temp\0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe
"C:\Users\Admin\AppData\Local\Temp\0be25452b584ab6fffb2e98dea3f91ba0e0b2905ecdec9eda64b63beaf26ffff.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
358B

MD5
d5864ce6cd2ef2f7d12e7259ddc6f66f

SHA1
3b862bf84cd2ee5ec92f3f920088f4b8f626a368

SHA256
9724c002db31525c3d7c99ee6c7c576615aa1389c419f64dd1032557671fd1ec

SHA512
a8769c309e3e9037b8e5cc659958997b57eef31f00f6fc206b08742dc9b0b030e39c87b6041de4fb56f45a7131a092b5bb02e3cadb01e95658529678ad54eec3

Download Submit
memory/5004-132-0x0000000000400000-0x00000000006B6000-memory.dmp

Filesize
2.7MB

Download
memory/5004-134-0x0000000000400000-0x00000000006B6000-memory.dmp

Filesize
2.7MB

Download