2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f

Analysis

max time kernel
96s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Size

687KB
MD5

4107781b55a031594009ff61e5be3b2c
SHA1

d125a4f007f9c4ad7551811e483ae9882b9ad08e
SHA256

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f
SHA512

84297edd6d709342d1c480af4917e3d36d7e6a717ef96c786eb0aa1f8057c4ebb4a342819d401ba0ee9df947e62ef67560f2ce1bb40434e7dde6b3130bf5e67b
SSDEEP

12288:FkG9NSL/d1cPYolyyb0VGXRkm0q7zBgcJd1w5Xt1wmv7RW2Xc7z7tI:iqNE/d1cPYoleYBkmHKud1wzzRF+z

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

AdobeARM.exe

pid process

1940 AdobeARM.exe

pid	process
1940	AdobeARM.exe

Loads dropped DLL 2 IoCs

Processes:

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe

pid	process
1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iTunesHelper = "C:\\Program Files (x86)\\iTunes\\iTunesHelper.exe"	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe ARM = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TkBellExe = "C:\\Program Files (x86)\\Common Files\\Real\\Update_OB\\realsched.exe"	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe"	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UnlockerAssistant = "C:\\Program Files (x86)\\Unlocker\\UnlockerAssistant.exe"	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exeAdobeARM.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdobeARM.exe

Drops file in Program Files directory 5 IoCs

Processes:

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe

description	ioc	process
File created	C:\Program Files (x86)\iTunes\iTunesHelper.exe	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File created	C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File created	C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exeAdobeARM.exe

pid	process
1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
1940	AdobeARM.exe
1940	AdobeARM.exe
1940	AdobeARM.exe
1940	AdobeARM.exe
1940	AdobeARM.exe
1940	AdobeARM.exe
1940	AdobeARM.exe
1940	AdobeARM.exe
1940	AdobeARM.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exeAdobeARM.exe

description	pid	process
Token: SeDebugPrivilege	1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Token: SeDebugPrivilege	1940	AdobeARM.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exevbc.exeAdobeARM.exevbc.exe

description	pid	process	target process
PID 1572 wrote to memory of 1920	1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe	vbc.exe
PID 1572 wrote to memory of 1920	1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe	vbc.exe
PID 1572 wrote to memory of 1920	1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe	vbc.exe
PID 1572 wrote to memory of 1920	1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe	vbc.exe
PID 1920 wrote to memory of 1968	1920	vbc.exe	cvtres.exe
PID 1920 wrote to memory of 1968	1920	vbc.exe	cvtres.exe
PID 1920 wrote to memory of 1968	1920	vbc.exe	cvtres.exe
PID 1920 wrote to memory of 1968	1920	vbc.exe	cvtres.exe
PID 1572 wrote to memory of 1940	1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe	AdobeARM.exe
PID 1572 wrote to memory of 1940	1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe	AdobeARM.exe
PID 1572 wrote to memory of 1940	1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe	AdobeARM.exe
PID 1572 wrote to memory of 1940	1572	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe	AdobeARM.exe
PID 1940 wrote to memory of 892	1940	AdobeARM.exe	vbc.exe
PID 1940 wrote to memory of 892	1940	AdobeARM.exe	vbc.exe
PID 1940 wrote to memory of 892	1940	AdobeARM.exe	vbc.exe
PID 1940 wrote to memory of 892	1940	AdobeARM.exe	vbc.exe
PID 892 wrote to memory of 520	892	vbc.exe	cvtres.exe
PID 892 wrote to memory of 520	892	vbc.exe	cvtres.exe
PID 892 wrote to memory of 520	892	vbc.exe	cvtres.exe
PID 892 wrote to memory of 520	892	vbc.exe	cvtres.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exeAdobeARM.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"	2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"	AdobeARM.exe

C:\Users\Admin\AppData\Local\Temp\2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
"C:\Users\Admin\AppData\Local\Temp\2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ljrs4wbs.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES279F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc279E.tmp"
3⤵
PID:1968

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rq09x4i-.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2915.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2914.tmp"
4⤵
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Filesize
168KB

MD5
4cd8232df82af26e95747a3648c45428

SHA1
7a45d0e91b5ec12c21a3754d1a24be6a892bd414

SHA256
0500cc9044c7cbdb2b3fc47f3142ea2e003e1133513f0230d7abe645c677bbc0

SHA512
04739e6fd91a2dd91e91236b8d1d9a8dde84a6c6023440f9cf06cbe62d63a7e7f83fd5ea10542d1252acc079b1092a6171652120b592b6bf18cb59bca9e61324

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Filesize
168KB

MD5
4cd8232df82af26e95747a3648c45428

SHA1
7a45d0e91b5ec12c21a3754d1a24be6a892bd414

SHA256
0500cc9044c7cbdb2b3fc47f3142ea2e003e1133513f0230d7abe645c677bbc0

SHA512
04739e6fd91a2dd91e91236b8d1d9a8dde84a6c6023440f9cf06cbe62d63a7e7f83fd5ea10542d1252acc079b1092a6171652120b592b6bf18cb59bca9e61324

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES279F.tmp
Filesize
1KB

MD5
f860d12daff48190000a965d69a521ef

SHA1
a6ac019994324f9d06ee96eed317f75531e3d6b6

SHA256
73a29e51aa9f0d23042070826424fad5aac7047131f98cc2cdb11c294542fbab

SHA512
4d77ce0b4f69e85145017f0fe7424c36e5badc02343d7f812d9d237c64b43336751297cacd79270de502c8521a2f66b044e57b34f091f15272f53a51c922169e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2915.tmp
Filesize
1KB

MD5
85d5268a99c79becae529a793f2b4d55

SHA1
952134254321f48c382346ec0c6280103d2451b2

SHA256
848a887e42dbb49708e0743b94c5ded8b28ec501effc5006512e90d3777f1dda

SHA512
6d1ca3dc33c65e552258d3821f12b98da90282dd721c1b1e98fbc79d6e69049d9ae460290aec27d0d97e4b4f9b682160b0a90fb301a1520beb424174962a6f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljrs4wbs.0.vb
Filesize
46KB

MD5
e5162d693c0c498c9d4a24f66a6ad529

SHA1
73671da8332f4851af7343ac26f684c5d71afa15

SHA256
0eb82f88b3c2c20a1d8008ca653d5a8496e03000ade544fd0c545aeabb860899

SHA512
8945132aa79d05a8622f1fba8ce73486bb70f429922ce5b9903769b7a72796551109f68bb05ea181769317420b2e242569a88d626594fd348f3bf3f0de3e5017

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljrs4wbs.cmdline
Filesize
276B

MD5
9e1c1d2d35d30b2db65d60eeb5e0c2c8

SHA1
0cc12e8d127328c67561f8c3dd13ce2ac4014ef0

SHA256
0344046598e1c7cc5a0996ad6d0f9df42ada0369bca7ad5dd3e66a9de5865222

SHA512
941cdd8c01ac8e84ba38d2f9fce86297ecbbc3d41b84964a768ac178a75e943243dda3a6449fcf37a02ebf3be513f96153a23745563294649040c9de66762f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljrs4wbs.dll
Filesize
36KB

MD5
21ed1ad287849a817773e2224e63d8d4

SHA1
5196f7b526a03ec07558d7c708ca4a2c239127ca

SHA256
99080bc32092d4754dfbc4ad974cb3319c835249193a9ba0d61746697da8003d

SHA512
4f488cb8d85fc99c3edd204f7330cf32db9ae1f9041ee9756f284863d9f11771bf87757c7428d5ec97df85bc56b86c51b45ae8ab7bd7a1467f3c5cd9b5265bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq09x4i-.0.vb
Filesize
73KB

MD5
44ab3de5a8a0d0d058d7e80d859133ee

SHA1
1de91c62492ea9c5840b596ab7bf87ad9c9a27ea

SHA256
017941ac1649ad547a852fc08ead4e5a34a5715a1c7d737541a99e181daf84a0

SHA512
741d74f0115af5a2f71a9d75499dae89600e3907ebaaf6c94635fc6e96322604d2529da5d29778c25ed23e329e28574d34d5bc383d775f6ea1b7328a43f615f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq09x4i-.cmdline
Filesize
276B

MD5
2a57c429e3ce9e3e87b86dfb16aefe41

SHA1
2078b030157676783309ada664bf616d585f3c09

SHA256
6563a043d6efcd2115bdb151c8defd2b87c1e304f879efc4676ccca87bafdf0a

SHA512
86a2fcb335f609140b62bc7891883d6fc840323a2bf12e111f61f5c2a68a45972f6d3fa6c0dc24e95533f3f92d7963959da68c16f1074f17c69567a0a93fa1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq09x4i-.dll
Filesize
48KB

MD5
b678ea6d23f5b53da4e0f7dbf1380fe6

SHA1
67f450f9d5b022ef344cf692fb386e74fcc5b163

SHA256
5261d2ea919a739c84823b1895e8ed2535ead9c72142ac07a8f79b4f5c82456e

SHA512
32f60992b5c2f1fc0deff3090cf0b6a83f4ab20ca39b1bd095a5790ed8a7e0dece87026bdf9247f556462d331fb9c3896ddd36437ccd7cb2e0022fba3c743a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc279E.tmp
Filesize
652B

MD5
3d446a6d871c50785b7b256e3ca88573

SHA1
10e0c0b038efe85308235d5717b0c8a864e8f07b

SHA256
15c860ec10d2c5e6f975526b674f6d838d1fd6276d738ae04b91be3dd680f293

SHA512
dcd7696fa5654b0221d10899db506e46a7cdd67e26fd6272c77406592dfc2d203d8985291e8afb04a3dedf3962b44bc1e9e03005804e7cde612129da4d8365f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2914.tmp
Filesize
652B

MD5
4c6777b25a432cd8a5e4ced3549c223b

SHA1
d2c46a1955f34a93d06dc2584bfc292a90612992

SHA256
69b0be044d723c4752c495554c11395688dcf3f1c1e883693d2a5f88764c99ef

SHA512
149ef69dd9856fcb9aa2a48378d9f67254cb95f9cab90f67fc15cf140f19ded5df2f29eeac831f3fb7669e74f1d9115406a2e591f3346bd4ba0b4e943a4b6101

Download Submit
\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Filesize
168KB

MD5
4cd8232df82af26e95747a3648c45428

SHA1
7a45d0e91b5ec12c21a3754d1a24be6a892bd414

SHA256
0500cc9044c7cbdb2b3fc47f3142ea2e003e1133513f0230d7abe645c677bbc0

SHA512
04739e6fd91a2dd91e91236b8d1d9a8dde84a6c6023440f9cf06cbe62d63a7e7f83fd5ea10542d1252acc079b1092a6171652120b592b6bf18cb59bca9e61324

Download Submit
\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Filesize
168KB

MD5
4cd8232df82af26e95747a3648c45428

SHA1
7a45d0e91b5ec12c21a3754d1a24be6a892bd414

SHA256
0500cc9044c7cbdb2b3fc47f3142ea2e003e1133513f0230d7abe645c677bbc0

SHA512
04739e6fd91a2dd91e91236b8d1d9a8dde84a6c6023440f9cf06cbe62d63a7e7f83fd5ea10542d1252acc079b1092a6171652120b592b6bf18cb59bca9e61324

Download Submit
memory/520-72-0x0000000000000000-mapping.dmp

Download
memory/892-69-0x0000000000000000-mapping.dmp

Download
memory/1572-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1572-57-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-77-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-55-0x0000000000000000-mapping.dmp

Download
memory/1940-76-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1940-65-0x0000000000000000-mapping.dmp

Download
memory/1940-78-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-59-0x0000000000000000-mapping.dmp

Download