Analysis
-
max time kernel
159s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64  arch:x86  image:win10v2004-20221111-en  locale:en-us  os:windows10-2004-x64  system -
submitted
25-11-2022 08:08
Static task
static1
Behavioral task
behavioral1
Sample
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Resource
win10v2004-20221111-en
General
-
Target
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
-
Size
687KB
-
MD5
4107781b55a031594009ff61e5be3b2c
-
SHA1
d125a4f007f9c4ad7551811e483ae9882b9ad08e
-
SHA256
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f
-
SHA512
84297edd6d709342d1c480af4917e3d36d7e6a717ef96c786eb0aa1f8057c4ebb4a342819d401ba0ee9df947e62ef67560f2ce1bb40434e7dde6b3130bf5e67b
-
SSDEEP
12288:FkG9NSL/d1cPYolyyb0VGXRkm0q7zBgcJd1w5Xt1wmv7RW2Xc7z7tI:iqNE/d1cPYoleYBkmHKud1wzzRF+z
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
AdobeARM.exe
pid   process
4532  AdobeARM.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), the value a geofence check would read. Caveat: this is the same value GetUserGeoID() returns, which locale-aware code and runtimes call routinely, so the signature also fires on benign binaries and is weak on its own.
Processes:
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
description        ioc                                                                                                      process
Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe -
Uses the VBS compiler for execution 1 TTPs
The "VBS compiler" here is vbc.exe, the Visual Basic .NET command-line compiler from the .NET Framework 2.0 directory, not a VBScript engine. The process tree and dropped files show the CodeDOM runtime-compilation pattern: a random-stem source file (<stem>.0.vb) and response file (<stem>.cmdline) are written to %TEMP%, vbc.exe is run as /noconfig @<stem>.cmdline, vbc spawns cvtres.exe to turn the Win32 resource blob (vbc<hex>.TMP) into the RES<hex>.tmp object, and the resulting <stem>.dll is loaded by the caller. Both the dropper (PID 2084) and the dropped AdobeARM.exe (PID 4532) do this once.
-
Adds Run key to start application 2 TTPs 5 IoCs
All five values go under the 32-bit (WOW6432Node) HKLM Run key, which a standard user cannot write, and each value name and path copies a real third-party updater (RealPlayer TkBellExe, Java SunJavaUpdateSched, Unlocker, iTunesHelper, Adobe ARM) so the entries blend into a host inventory. Only the AdobeARM.exe copy is launched in this run; the other four are dropped but not executed.
Processes:
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
description      ioc                                                                                                                                                                   process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TkBellExe = "C:\\Program Files (x86)\\Common Files\\Real\\Update_OB\\realsched.exe"       2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe"  2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UnlockerAssistant = "C:\\Program Files (x86)\\Unlocker\\UnlockerAssistant.exe"              2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iTunesHelper = "C:\\Program Files (x86)\\iTunes\\iTunesHelper.exe"                          2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe ARM = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"          2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe -
Checks whether UAC is enabled 2 IoCs
Processes:
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe, AdobeARM.exe
description        ioc                                                                              process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  AdobeARM.exe -
Drops file in Program Files directory 7 IoCs
Processes:
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
description                  ioc                                                               process
File created                 C:\Program Files (x86)\iTunes\iTunesHelper.exe                    2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe    2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File created                 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe    2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File created                 C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe  2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe  2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File created                 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe  2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
File created                 C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe             2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but drive enumeration by itself is weak evidence: nothing else in this run (no mass file modification or renaming, no ransom note) supports that label, so it should not be carried into a verdict without further analysis.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe, AdobeARM.exe
pid   process                                                                 hits
2084  2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe  3
4532  AdobeARM.exe                                                            9 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe, AdobeARM.exe
description               pid   process
Token: SeDebugPrivilege   2084  2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Token: SeDebugPrivilege   4532  AdobeARM.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe, vbc.exe, AdobeARM.exe, vbc.exe
PID 2084 (2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe) wrote to memory of 4280 (vbc.exe)       3 hits
PID 4280 (vbc.exe) wrote to memory of 4332 (cvtres.exe)                                                                     3 hits
PID 2084 (2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe) wrote to memory of 4532 (AdobeARM.exe)  3 hits
PID 4532 (AdobeARM.exe) wrote to memory of 4112 (vbc.exe)                                                                   3 hits
PID 4112 (vbc.exe) wrote to memory of 4428 (cvtres.exe)                                                                     3 hits -
System policy modification 1 TTPs 2 IoCs
Both the dropper and the dropped AdobeARM.exe set EnableUninstallerDetection to 0 under the UAC policy key, which turns off the heuristic that prompts for elevation when a 32-bit executable looks like an installer. The key lives in HKLM, so the write only succeeds because the sample already runs with administrative rights.
Processes:
2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe, AdobeARM.exe
description      ioc                                                                                                          process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"  2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUninstallerDetection = "0"  AdobeARM.exe
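Turning the registry signatures above into a host hunt, as an added example that is not part of the sandbox output. It takes a registry snapshot (Run keys plus the UAC policy key) and a file index (path to hash and Authenticode signer), both of which are assumed formats you would populate from reg.exe or Get-ItemProperty and from Get-FileHash / Get-AuthenticodeSignature; the sample snapshot, the "Apple Inc." signer string and the OneDrive entry are constructed. The Run value names and paths and the AdobeARM.exe SHA-256 come from this report.

```python
"""Hunt a host snapshot for the persistence and UAC-policy changes in this report."""
from typing import Dict, List, Optional, Tuple

# Run values written by the sample (names and paths copied from the report).
# Each name/path pair is the one the genuine RealPlayer, Java, Unlocker, iTunes
# or Adobe Reader updater uses, which is the point of the masquerade.
IOC_RUN_VALUES: Dict[str, str] = {
    "TkBellExe": r"C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe",
    "SunJavaUpdateSched": r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe",
    "UnlockerAssistant": r"C:\Program Files (x86)\Unlocker\UnlockerAssistant.exe",
    "iTunesHelper": r"C:\Program Files (x86)\iTunes\iTunesHelper.exe",
    "Adobe ARM": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
}
# SHA-256 of the dropped AdobeARM.exe (Downloads section). The other four
# dropped files have no hash in the report, so they are matched by name only.
IOC_SHA256 = {"0500cc9044c7cbdb2b3fc47f3142ea2e003e1133513f0230d7abe645c677bbc0"}

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
)
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

Finding = Tuple[str, str]  # (kind, detail)


def image_from_run_data(data: str) -> str:
    """Extract the executable path from Run value data.

    Handles the quoted form '"C:\\path with spaces\\x.exe" /arg' and the
    unquoted form the sample wrote; for unquoted data everything up to the
    first '.exe' is the path, so 'Program Files (x86)' is not split on spaces.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    idx = data.lower().find(".exe")
    return data[: idx + 4] if idx >= 0 else data


def hunt(registry: Dict[str, Dict[str, object]],
         files: Dict[str, Dict[str, Optional[str]]]) -> List[Finding]:
    """Return findings for IoC hashes, unsigned look-alike Run entries and UAC policy tampering."""
    findings: List[Finding] = []
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            path = image_from_run_data(str(data))
            meta = files.get(path.lower(), {})
            where = f"{key}\\{name} -> {path}"
            if meta.get("sha256") in IOC_SHA256:
                findings.append(("ioc_hash", where))
            elif (name in IOC_RUN_VALUES
                  and path.lower() == IOC_RUN_VALUES[name].lower()
                  and not meta.get("signer")):
                # Right name, right path, but the binary is missing or unsigned:
                # the real vendor updaters are Authenticode-signed.
                findings.append(("unsigned_lookalike", where))
    policy = registry.get(POLICY_KEY, {})
    if policy.get("EnableUninstallerDetection") == 0:
        findings.append(("uac_policy", "EnableUninstallerDetection=0"))
    if policy.get("EnableLUA") == 0:
        findings.append(("uac_policy", "EnableLUA=0"))
    return findings


# Constructed snapshot: one genuine updater, the sample's dropped AdobeARM.exe,
# a TkBellExe value whose target was never written, and the policy change
# from the report. The Apple signer string and the OneDrive entry are made up.
SNAPSHOT_REGISTRY = {
    RUN_KEYS[0]: {
        "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "iTunesHelper": IOC_RUN_VALUES["iTunesHelper"],
    },
    RUN_KEYS[1]: {
        "Adobe ARM": IOC_RUN_VALUES["Adobe ARM"],
        "TkBellExe": IOC_RUN_VALUES["TkBellExe"],
    },
    POLICY_KEY: {"EnableLUA": 1, "EnableUninstallerDetection": 0},
}
SNAPSHOT_FILES = {
    IOC_RUN_VALUES["iTunesHelper"].lower(): {"sha256": "a" * 64, "signer": "Apple Inc."},
    IOC_RUN_VALUES["Adobe ARM"].lower(): {
        "sha256": "0500cc9044c7cbdb2b3fc47f3142ea2e003e1133513f0230d7abe645c677bbc0",
        "signer": None,
    },
}

if __name__ == "__main__":
    for kind, detail in hunt(SNAPSHOT_REGISTRY, SNAPSHOT_FILES):
        print(f"{kind:20} {detail}")
```

The signer check is what makes the name match useful: the genuine updaters these entries imitate are signed by their vendors, so a Run value with the right name and path but an unsigned or missing target is the masquerade, while a signed iTunesHelper.exe in the same position produces nothing.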
Processes
-
Tree, one level of indentation per parent/child hop:
C:\Users\Admin\AppData\Local\Temp\2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe  (PID 2084)
    command line: "C:\Users\Admin\AppData\Local\Temp\2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 4280)
        command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5uo8yem1.cmdline"
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 4332)
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC97F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E73C287B78D442982563288C333F44D.TMP"
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe  (PID 4532)
        command line: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 4112)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mppzzyrm.cmdline"
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (PID 4428)
                command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E01CE733A4097BBB3DC3848EE822.TMP"
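Detection logic for the compiler chain in the tree above, as an added example that is not sandbox code. It runs over constructed Sysmon-style process-creation records built from the PIDs, images and command lines in this report (plus one made-up benign Visual Studio build as a control); the record field names pid, ppid, image and cmdline are an assumption about your log schema. The rule flags vbc.exe or csc.exe launched with a CodeDOM-style response file in a temp directory by a parent that is not a known build tool, ties the cvtres.exe grandchild to it, and derives the sibling artifacts (<stem>.0.vb, <stem>.cmdline, <stem>.dll) to collect before they are cleaned up.

```python
"""Flag runtime compilation chains: <caller> -> vbc.exe /noconfig @<temp>.cmdline -> cvtres.exe."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

COMPILERS = {"vbc.exe", "csc.exe"}        # CodeDOM drives either one
BUILD_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# CodeDOM passes options through a response file: /noconfig @"<stem>.cmdline"
RESP_RE = re.compile(r'@"(?P<q>[^"]+\.cmdline)"|@(?P<u>\S+\.cmdline)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\2dbee898aa3a7cb9f60abe508b368cb3d4d9eb18a9294ec615490f9985393e6f.exe"
ARM = r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

# Constructed events modelled on the report's process tree (ppid 1000/900 are made up).
EVENTS: List[Dict[str, object]] = [
    {"pid": 2084, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4280, "ppid": 2084, "image": NET20 + r"\vbc.exe",
     "cmdline": f'"{NET20}\\vbc.exe" /noconfig @"{TEMP}\\5uo8yem1.cmdline"'},
    {"pid": 4332, "ppid": 4280, "image": NET20 + r"\cvtres.exe",
     "cmdline": f'{NET20}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESC97F.tmp"'},
    {"pid": 4532, "ppid": 2084, "image": ARM, "cmdline": f'"{ARM}"'},
    {"pid": 4112, "ppid": 4532, "image": NET20 + r"\vbc.exe",
     "cmdline": f'"{NET20}\\vbc.exe" /noconfig @"{TEMP}\\mppzzyrm.cmdline"'},
    {"pid": 4428, "ppid": 4112, "image": NET20 + r"\cvtres.exe",
     "cmdline": f'{NET20}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESF2E0.tmp"'},
    # Benign control (constructed): a developer build driving the same compiler.
    {"pid": 5000, "ppid": 900, "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\src\app\obj\Debug\app.cmdline"'},
]


@dataclass(frozen=True)
class CompileChain:
    root_pid: int
    root_image: str
    compiler_pid: int
    response_file: str
    cvtres_pid: Optional[int]


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def find_runtime_compile_chains(events: List[Dict[str, object]]) -> List[CompileChain]:
    """One CompileChain per compiler launch that looks like CodeDOM from a non-build parent."""
    by_pid = {int(e["pid"]): e for e in events}
    children: Dict[int, List[Dict[str, object]]] = {}
    for e in events:
        children.setdefault(int(e["ppid"]), []).append(e)

    chains: List[CompileChain] = []
    for e in events:
        if _base(str(e["image"])) not in COMPILERS:
            continue
        m = RESP_RE.search(str(e["cmdline"]))
        if not m:
            continue
        resp = m.group("q") or m.group("u")
        if not TEMP_RE.search(resp):
            continue                      # response file in a project dir: ordinary build
        parent = by_pid.get(int(e["ppid"]))
        if parent is None or _base(str(parent["image"])) in BUILD_TOOLS:
            continue
        cvt = next((int(c["pid"]) for c in children.get(int(e["pid"]), [])
                    if _base(str(c["image"])) == "cvtres.exe"), None)
        chains.append(CompileChain(int(parent["pid"]), str(parent["image"]),
                                   int(e["pid"]), resp, cvt))
    return chains


def codedom_artifacts(response_file: str, lang: str = "vb") -> List[str]:
    """Sibling files CodeDOM leaves beside the response file; collect them before cleanup."""
    stem = ntpath.splitext(response_file)[0]
    return [f"{stem}.0.{lang}", f"{stem}.cmdline", f"{stem}.dll"]


if __name__ == "__main__":
    for c in find_runtime_compile_chains(EVENTS):
        print(f"root {c.root_pid} ({c.root_image}) -> compiler {c.compiler_pid} -> cvtres {c.cvtres_pid}")
        for a in codedom_artifacts(c.response_file):
            print("   collect:", a)
```

Two conditions carry the rule: the response file sits in a temp directory (a real build keeps it under the project's obj folder) and the parent is not a build tool. Either alone is noisy; together they isolate the two chains in this report (roots 2084 and 4532) and leave the developer build untouched.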
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Filesize  168KB
MD5       4cd8232df82af26e95747a3648c45428
SHA1      7a45d0e91b5ec12c21a3754d1a24be6a892bd414
SHA256    0500cc9044c7cbdb2b3fc47f3142ea2e003e1133513f0230d7abe645c677bbc0
SHA512    04739e6fd91a2dd91e91236b8d1d9a8dde84a6c6023440f9cf06cbe62d63a7e7f83fd5ea10542d1252acc079b1092a6171652120b592b6bf18cb59bca9e61324
-
C:\Users\Admin\AppData\Local\Temp\5uo8yem1.0.vb
Filesize  46KB
MD5       e5162d693c0c498c9d4a24f66a6ad529
SHA1      73671da8332f4851af7343ac26f684c5d71afa15
SHA256    0eb82f88b3c2c20a1d8008ca653d5a8496e03000ade544fd0c545aeabb860899
SHA512    8945132aa79d05a8622f1fba8ce73486bb70f429922ce5b9903769b7a72796551109f68bb05ea181769317420b2e242569a88d626594fd348f3bf3f0de3e5017
-
C:\Users\Admin\AppData\Local\Temp\5uo8yem1.cmdline
Filesize  276B
MD5       7caa2d2aec2988bac4cf91461b6017ff
SHA1      a88b6e5a7f1cd5e2a5bc2b11bbe31bfc4d43929d
SHA256    17c3816ce04f04a3b74521ee690bfaff13a550f052cb93f61ea44b8c71399abf
SHA512    91800d1d7b1752965bacef2a0049458958f91c8538111f72446a24dacd263df05373fcd8f2d425d97a9af11a2cfaffdf95b37814bc8b9c6539d2dfae584f47cd
-
C:\Users\Admin\AppData\Local\Temp\5uo8yem1.dll
Filesize  36KB
MD5       f35589261a83912fb51bc445cb9dff80
SHA1      ba6a9faec537e7b3985a0e9d91e11023ef643d00
SHA256    20eaf400c404cd32401a0b0aac53402d7a443cebbd3dd11abdb0cf2e5a82f7b9
SHA512    d671ed1c273b153c7f3c69df3b9a48d5159970882d83309c72ccaf14fdb5882d630e28d1c3302127f5c21d7b481e276f6881d653edc15f2a5feb5495673b0956
-
C:\Users\Admin\AppData\Local\Temp\RESC97F.tmp
Filesize  1KB
MD5       beef3dfe846f7bc30d141eda0f64deb6
SHA1      d6eac998ed8a3a749383bbe15660c8f30efde361
SHA256    3219c14afa8ae5895250aae732a43b69614d1089df47f2104541a355cdcdf4b5
SHA512    bb83d82f5b31b909cc5e18fc86663270c86e08bf7d85ff4adb3cd76cedfb3de76300baff86ff6b87db387c7537d45c694beeee77beb6e04acb1c2d6d8483fd82
-
C:\Users\Admin\AppData\Local\Temp\RESF2E0.tmp
Filesize  1KB
MD5       b21ba404952c6acc1cd8c3fb10afd558
SHA1      a3ba518d06fd093de015edaa926b131e42f37e03
SHA256    cd44bf64782679fbae51711bec9d3a635c311399ff2519554c54743ca64bcdb6
SHA512    8d5a57163e0f5fee0d2269db97aa49ca6942afee5c74df39dcb6587f5ffbe30847e6499f40b07ef29110face7a1b31c6b8b75f870a0091bd871f804a48c0f472
-
C:\Users\Admin\AppData\Local\Temp\mppzzyrm.0.vb
Filesize  73KB
MD5       44ab3de5a8a0d0d058d7e80d859133ee
SHA1      1de91c62492ea9c5840b596ab7bf87ad9c9a27ea
SHA256    017941ac1649ad547a852fc08ead4e5a34a5715a1c7d737541a99e181daf84a0
SHA512    741d74f0115af5a2f71a9d75499dae89600e3907ebaaf6c94635fc6e96322604d2529da5d29778c25ed23e329e28574d34d5bc383d775f6ea1b7328a43f615f6
-
C:\Users\Admin\AppData\Local\Temp\mppzzyrm.cmdline
Filesize  276B
MD5       82b733fe934f83f686935397ff6d5a6d
SHA1      972c7262c95f85f5a8c9e0cc0d199a9c1e3a2b3f
SHA256    e23bbd20d3c1d707d7cb4902192997120eb5f98aae305f5264cbab54feda611d
SHA512    49d006237a604aedc08299f9c26bcaabc84068e693462d1c4db4650cb513d1725d57b6f011ef4383b7b2d14bc3493181e4eefea3fa6413a4621d2e5e24ff901e
-
C:\Users\Admin\AppData\Local\Temp\mppzzyrm.dll
Filesize  48KB
MD5       5082a0020dc1589499e2faa9caeeec76
SHA1      2d11badfef9798ada2c03227c49061ae80d89ae4
SHA256    f305fd40cb55579508cecb21efb0a735d50feb843f099c49c6066558f64e1150
SHA512    915521e5d749c142254ca5a892b86fa865ae3afdfb1b30ffdbfd4714e8ee9a3335c393597b9ae8597a39abefe2a94d4905af44d08bb86470bb5f62633ece0f88
-
C:\Users\Admin\AppData\Local\Temp\vbc2E73C287B78D442982563288C333F44D.TMP
Filesize  652B
MD5       aa10299db575ef9202b03a881a78f655
SHA1      5b4bc778b01a8000d190f2062e040d52047b508d
SHA256    e114be7d47c031759ff260d49a136b50c00352608b14d5789bba0f60f8e3b906
SHA512    1f6f470891a002817a3cc48808edf3ccfd2e6d23c47d4181364e1373ea30257018f26789b4a55d4039fea12d006580b4b3625381fc430b8fe132fa6394795713
-
C:\Users\Admin\AppData\Local\Temp\vbc9E01CE733A4097BBB3DC3848EE822.TMP
Filesize  652B
MD5       1ca3326952f7089a518c290e7c6f927c
SHA1      eeb04234f0a20c024fcaea207c30e7676e91466f
SHA256    c380140934e7a9c7108aa038649f4be299c9784ffae32a2e80d4eb810869c951
SHA512    d010d12eebe86ec7fca1e777bd902454769cb8af4dd55c8565b9cec3bd8143a1e6213f8784ec3f4451e3ca7477becc0ba5832249f3fb4f60de8e508769cb2eea
-
memory/2084-132-0x00000000751A0000-0x0000000075751000-memory.dmp
Filesize  5.7MB
-
memory/2084-147-0x00000000751A0000-0x0000000075751000-memory.dmp
Filesize  5.7MB
-
memory/4112-144-0x0000000000000000-mapping.dmp
-
memory/4280-133-0x0000000000000000-mapping.dmp
-
memory/4332-136-0x0000000000000000-mapping.dmp
-
memory/4428-148-0x0000000000000000-mapping.dmp
-
memory/4532-143-0x00000000751A0000-0x0000000075751000-memory.dmp
Filesize  5.7MB
-
memory/4532-140-0x0000000000000000-mapping.dmp
-
memory/4532-152-0x00000000751A0000-0x0000000075751000-memory.dmp
Filesize  5.7MB