4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6

Analysis

max time kernel
61s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
Size

927KB
MD5

138cc98d032de296cac267721969e580
SHA1

d8babacb1c4c5c2ca6ae515789fc89c85f537024
SHA256

4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6
SHA512

ad09c0e8f2dd174a202939f2c0edda0cf45f5dd8f39098aeb8eef9a25d410f64c1e8867318ebab8927be0ad3ea78ab184eaae3dbdee9f1c8e113782fbe728b6c
SSDEEP

24576:DWbwS8k1lPw7UuamrpfCZXap0ABWAsT7BTuN3GS:m8k/Pw11wZqOQOhM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	AdobeARM.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	AdobeARM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2332	AdobeARM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2332	400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe	82
PID 400 wrote to memory of 2332	400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe	82
PID 400 wrote to memory of 2332	400	4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe	82
PID 2332 wrote to memory of 4528	2332	AdobeARM.exe	88
PID 2332 wrote to memory of 4528	2332	AdobeARM.exe	88
PID 2332 wrote to memory of 4528	2332	AdobeARM.exe	88

C:\Users\Admin\AppData\Local\Temp\4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe
"C:\Users\Admin\AppData\Local\Temp\4be75ab3133900a14763d39fdbd6e3b1555330492ae3accf17ca46dcaf5745e6.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    PID:4528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
358B

MD5
187f867ed76cb4b90152276800d28c5d

SHA1
335fa0f6026ea1db561481c5367bdc13474ff865

SHA256
94801300253348ac52cf141eed8901ce8b848a1159f0b5492a348e987e3b312c

SHA512
35e796bc4ff05d8a5dd07a542e7f4643173201d4e25249a6309c39c9fc694f4214caedb8762bddec7514e215eadeebebd98a3bf013e4bcec2bc866a0887b1f5f

Download Submit
memory/400-132-0x0000000000400000-0x00000000006B6000-memory.dmp

Filesize
2.7MB

Download
memory/400-134-0x0000000000400000-0x00000000006B6000-memory.dmp

Filesize
2.7MB

Download
memory/2332-133-0x0000000000000000-mapping.dmp

Download
memory/4528-136-0x0000000000000000-mapping.dmp

Download