c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84

Analysis

max time kernel
13s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe
Size

707KB
MD5

0d61aeb5bba24affabeb5a3cb07ac5e6
SHA1

8ce1803b15ef63d5d525b8f60a738a9f2b772775
SHA256

c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84
SHA512

345cf2c0506954b89ece8e94c4c06bb65ab7fcc770a249e9cdf4452950d12b51a4007a588e9d91d9af02a37f5a12c43413eb65426e3c630d115986d52681014b
SSDEEP

12288:g47scdTI2ImihFcGYwLS50tLTXC/gTn009X8fi3NWVSjEhId:Ds+4FDSCJXiglx8fi9WkjEhId

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2012	Adobe.exe
832	Adobe.exe

Loads dropped DLL 2 IoCs

pid	Process
1704	c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe
1704	c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Adobe.exe	c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe
File opened for modification	C:\Windows\SysWOW64\Adobe.exe	Adobe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 832	2012	Adobe.exe	29

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	Adobe.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2012	1704	c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe	28
PID 1704 wrote to memory of 2012	1704	c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe	28
PID 1704 wrote to memory of 2012	1704	c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe	28
PID 1704 wrote to memory of 2012	1704	c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe	28
PID 2012 wrote to memory of 832	2012	Adobe.exe	29
PID 2012 wrote to memory of 832	2012	Adobe.exe	29
PID 2012 wrote to memory of 832	2012	Adobe.exe	29
PID 2012 wrote to memory of 832	2012	Adobe.exe	29
PID 2012 wrote to memory of 832	2012	Adobe.exe	29
PID 2012 wrote to memory of 832	2012	Adobe.exe	29
PID 2012 wrote to memory of 832	2012	Adobe.exe	29
PID 2012 wrote to memory of 832	2012	Adobe.exe	29

C:\Users\Admin\AppData\Local\Temp\c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe
"C:\Users\Admin\AppData\Local\Temp\c56ca67251970674698333a43d619c8d656ead35fa19695977f9ac1073c25c84.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\Adobe.exe
  C:\Windows\system32\
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\Adobe.exe
    C:\Windows\SysWOW64\Adobe.exe
    3⤵
    - Executes dropped EXE
    PID:832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adobe.exe

Filesize
586KB

MD5
b2ebdcfbfe246875dfcfe345b68f7b07

SHA1
7e4a6c5f88f157d2e4e013f2c157af4f09218891

SHA256
2e3f110898b28abf2b3688831b85023bb7b8f2d3209e5fbdd9f4ef9a22d44c32

SHA512
8f0de7bab02678b27c00d80e817b5e05dd24c95030fbbe0456dac2a506edf62fce9a34f02a6c0d7a0095ee1b7e546306a738dec1169dfcfb4125f85678cf4be8

Download Submit
C:\Windows\SysWOW64\Adobe.exe

Filesize
586KB

MD5
b2ebdcfbfe246875dfcfe345b68f7b07

SHA1
7e4a6c5f88f157d2e4e013f2c157af4f09218891

SHA256
2e3f110898b28abf2b3688831b85023bb7b8f2d3209e5fbdd9f4ef9a22d44c32

SHA512
8f0de7bab02678b27c00d80e817b5e05dd24c95030fbbe0456dac2a506edf62fce9a34f02a6c0d7a0095ee1b7e546306a738dec1169dfcfb4125f85678cf4be8

Download Submit
C:\Windows\SysWOW64\Adobe.exe

Filesize
586KB

MD5
b2ebdcfbfe246875dfcfe345b68f7b07

SHA1
7e4a6c5f88f157d2e4e013f2c157af4f09218891

SHA256
2e3f110898b28abf2b3688831b85023bb7b8f2d3209e5fbdd9f4ef9a22d44c32

SHA512
8f0de7bab02678b27c00d80e817b5e05dd24c95030fbbe0456dac2a506edf62fce9a34f02a6c0d7a0095ee1b7e546306a738dec1169dfcfb4125f85678cf4be8

Download Submit
\Windows\SysWOW64\Adobe.exe

Filesize
586KB

MD5
b2ebdcfbfe246875dfcfe345b68f7b07

SHA1
7e4a6c5f88f157d2e4e013f2c157af4f09218891

SHA256
2e3f110898b28abf2b3688831b85023bb7b8f2d3209e5fbdd9f4ef9a22d44c32

SHA512
8f0de7bab02678b27c00d80e817b5e05dd24c95030fbbe0456dac2a506edf62fce9a34f02a6c0d7a0095ee1b7e546306a738dec1169dfcfb4125f85678cf4be8

Download Submit
\Windows\SysWOW64\Adobe.exe

Filesize
586KB

MD5
b2ebdcfbfe246875dfcfe345b68f7b07

SHA1
7e4a6c5f88f157d2e4e013f2c157af4f09218891

SHA256
2e3f110898b28abf2b3688831b85023bb7b8f2d3209e5fbdd9f4ef9a22d44c32

SHA512
8f0de7bab02678b27c00d80e817b5e05dd24c95030fbbe0456dac2a506edf62fce9a34f02a6c0d7a0095ee1b7e546306a738dec1169dfcfb4125f85678cf4be8

Download Submit
memory/832-65-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/832-64-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/832-63-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/832-62-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/832-69-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1704-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download