c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347

General

Target

c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347.exe
Size

142KB
MD5

64335a5b82acdbddced384a6e76de72d
SHA1

1e482058480020e80ee73dfcea7df454da593a8d
SHA256

c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347
SHA512

e69ac4e6d6817a1d3cf41a4433738cc723fd1c39254001c3e50dd6e71184c0b164b355bed1919ffe61ceb99c696ef4ca246710ce0d27fcff981e9e902da945f1
SSDEEP

3072:C2ilEbgcWBm6bcRRRRRRRRRRRRRRRRRRRRtuZ++++++++++++++++++++++++++V:Vb+vcRRRRRRRRRRRRRRRRRRRRtU++++2

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Tempdali.exeadobe akroubat.exe

pid process

1452 Tempdali.exe
3852 adobe akroubat.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3576 netsh.exe

pid	process
1452	Tempdali.exe
3852	adobe akroubat.exe

pid	process
3576	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347.exeTempdali.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Tempdali.exe

Drops startup file 2 IoCs

Processes:

adobe akroubat.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ce8d30653ca77fee617f481a5d72692c.exe	adobe akroubat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ce8d30653ca77fee617f481a5d72692c.exe	adobe akroubat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adobe akroubat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ce8d30653ca77fee617f481a5d72692c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe akroubat.exe\" .."	adobe akroubat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ce8d30653ca77fee617f481a5d72692c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\adobe akroubat.exe\" .."	adobe akroubat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

adobe akroubat.exe

pid	process
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe
3852	adobe akroubat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

adobe akroubat.exe

description pid process

Token: SeDebugPrivilege 3852 adobe akroubat.exe

description	pid	process
Token: SeDebugPrivilege	3852	adobe akroubat.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347.exeTempdali.exeadobe akroubat.exe

description	pid	process	target process
PID 428 wrote to memory of 1452	428	c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347.exe	Tempdali.exe
PID 428 wrote to memory of 1452	428	c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347.exe	Tempdali.exe
PID 428 wrote to memory of 1452	428	c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347.exe	Tempdali.exe
PID 1452 wrote to memory of 3852	1452	Tempdali.exe	adobe akroubat.exe
PID 1452 wrote to memory of 3852	1452	Tempdali.exe	adobe akroubat.exe
PID 1452 wrote to memory of 3852	1452	Tempdali.exe	adobe akroubat.exe
PID 3852 wrote to memory of 3576	3852	adobe akroubat.exe	netsh.exe
PID 3852 wrote to memory of 3576	3852	adobe akroubat.exe	netsh.exe
PID 3852 wrote to memory of 3576	3852	adobe akroubat.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347.exe
"C:\Users\Admin\AppData\Local\Temp\c38ed236f8fc2bed3ea8e22a5b0daf138914eeb8bf454a8506419522929c7347.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Tempdali.exe
"C:\Users\Admin\AppData\Local\Tempdali.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\adobe akroubat.exe
"C:\Users\Admin\AppData\Local\Temp\adobe akroubat.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\adobe akroubat.exe" "adobe akroubat.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adobe akroubat.exe
Filesize
30KB

MD5
35e1160cbbfb03c4e32534cb499b49be

SHA1
a2e82fba1067c98461535f4db596519a918d0be5

SHA256
13bf48038527e9ed70b715062a64ea9c596652792631bbf833c8fd4d6c70cc8b

SHA512
4ccaf26d094014004437a161fb18027c1ba56178744af46387af18cdedc15c5cc816908cb79f868bde0be8b240c1fb9813dec6e8f93369004b15bb7c5beb88c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe akroubat.exe
Filesize
30KB

MD5
35e1160cbbfb03c4e32534cb499b49be

SHA1
a2e82fba1067c98461535f4db596519a918d0be5

SHA256
13bf48038527e9ed70b715062a64ea9c596652792631bbf833c8fd4d6c70cc8b

SHA512
4ccaf26d094014004437a161fb18027c1ba56178744af46387af18cdedc15c5cc816908cb79f868bde0be8b240c1fb9813dec6e8f93369004b15bb7c5beb88c0

Download Submit
C:\Users\Admin\AppData\Local\Tempdali.exe
Filesize
30KB

MD5
35e1160cbbfb03c4e32534cb499b49be

SHA1
a2e82fba1067c98461535f4db596519a918d0be5

SHA256
13bf48038527e9ed70b715062a64ea9c596652792631bbf833c8fd4d6c70cc8b

SHA512
4ccaf26d094014004437a161fb18027c1ba56178744af46387af18cdedc15c5cc816908cb79f868bde0be8b240c1fb9813dec6e8f93369004b15bb7c5beb88c0

Download Submit
C:\Users\Admin\AppData\Local\Tempdali.exe
Filesize
30KB

MD5
35e1160cbbfb03c4e32534cb499b49be

SHA1
a2e82fba1067c98461535f4db596519a918d0be5

SHA256
13bf48038527e9ed70b715062a64ea9c596652792631bbf833c8fd4d6c70cc8b

SHA512
4ccaf26d094014004437a161fb18027c1ba56178744af46387af18cdedc15c5cc816908cb79f868bde0be8b240c1fb9813dec6e8f93369004b15bb7c5beb88c0

Download Submit
memory/428-134-0x0000000005D60000-0x0000000006304000-memory.dmp

Filesize
5.6MB

Download
memory/428-136-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/428-137-0x00000000059F0000-0x0000000005A46000-memory.dmp

Filesize
344KB

Download
memory/428-135-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/428-132-0x0000000000CC0000-0x0000000000CEC000-memory.dmp

Filesize
176KB

Download
memory/428-133-0x0000000005710000-0x00000000057AC000-memory.dmp

Filesize
624KB

Download
memory/1452-138-0x0000000000000000-mapping.dmp

Download
memory/1452-141-0x0000000070380000-0x0000000070931000-memory.dmp

Filesize
5.7MB

Download
memory/1452-145-0x0000000070380000-0x0000000070931000-memory.dmp

Filesize
5.7MB

Download
memory/3576-147-0x0000000000000000-mapping.dmp

Download
memory/3852-142-0x0000000000000000-mapping.dmp

Download
memory/3852-146-0x0000000070380000-0x0000000070931000-memory.dmp

Filesize
5.7MB

Download
memory/3852-148-0x0000000070380000-0x0000000070931000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads