919eca4e74525fe9a5caafcb0be729be64a9773d4607a2fb615f128f64b1faaf

General

Target

ConnectShellSetup11.exe
Size

609KB
MD5

00b6898bf01716f6fe6c1fc1e7256905
SHA1

aedd9210f27091f9b8ad654b4558609c2688379d
SHA256

919eca4e74525fe9a5caafcb0be729be64a9773d4607a2fb615f128f64b1faaf
SHA512

48a0c45996f5165ccd86d2d6454f8738072f4911556e822a0ff6ba8f293802fca39290659c30a394796857bbe8734b6f9fa1bc74ef4dc66d16bb87643c9d18a5
SSDEEP

12288:EA88Vmz5maLaNuGIoS30Dw6SVjgJfNJtPOu/u2/xLyRJWTLgRT06raYED/CyZeU/:EA3SeIvifNJxOuRTlN/CWuWO3A

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

connectdetector.exe

pid	Process
1792	connectdetector.exe

Loads dropped DLL 3 IoCs

Processes:

ConnectShellSetup11.exe

pid	Process
1696	ConnectShellSetup11.exe
1696	ConnectShellSetup11.exe
1696	ConnectShellSetup11.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ConnectShellSetup11.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ConnectDetector = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Connect\\connectdetector.exe\""	ConnectShellSetup11.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

ConnectShellSetup11.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Connect\\Connect.exe,1"	ConnectShellSetup11.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\shell	ConnectShellSetup11.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\shell\open\command	ConnectShellSetup11.exe
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000_Classes\connectpro	ConnectShellSetup11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\ = "URL:Adobe Connect"	ConnectShellSetup11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\URL Protocol	ConnectShellSetup11.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\DefaultIcon	ConnectShellSetup11.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\shell\open	ConnectShellSetup11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Connect\\Connect.exe\" \"%1\""	ConnectShellSetup11.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ConnectShellSetup11.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ConnectShellSetup11.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ConnectShellSetup11.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

ConnectShellSetup11.exe

pid	Process
1696	ConnectShellSetup11.exe
1696	ConnectShellSetup11.exe
1696	ConnectShellSetup11.exe
1696	ConnectShellSetup11.exe
1696	ConnectShellSetup11.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ConnectShellSetup11.exe

description	pid	Process	procid_target
PID 1696 wrote to memory of 1792	1696	ConnectShellSetup11.exe	29
PID 1696 wrote to memory of 1792	1696	ConnectShellSetup11.exe	29
PID 1696 wrote to memory of 1792	1696	ConnectShellSetup11.exe	29
PID 1696 wrote to memory of 1792	1696	ConnectShellSetup11.exe	29

C:\Users\Admin\AppData\Local\Temp\ConnectShellSetup11.exe
"C:\Users\Admin\AppData\Local\Temp\ConnectShellSetup11.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Roaming\Adobe\Connect\connectdetector.exe
  C:\Users\Admin\AppData\Roaming\Adobe\Connect\connectdetector.exe
  2⤵
  - Executes dropped EXE
  PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Connect\ConnectDetector.exe

Filesize
644KB

MD5
77a4c18414964e80b8bbbadf52319578

SHA1
389a72b64274b2c171548a6c899d4bbb0ee17cdf

SHA256
1bb861dca97f170e7b454e136936a9838133ee7977887403f45362e019ba9f2f

SHA512
61acc7ab259975915d312e16f63781bb9c5b841da162e7f27e6174481eea2af31f64b44cb1d30269b5f36c42d1ecf49a91764754fb6e899b0582c8b5727709d9

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Connect\Connect.exe

Filesize
35.3MB

MD5
6b2652f2f1395cc69f6059d5e8248d8b

SHA1
0510d81ee1eeaf0cee41a54a3eccb3c01314e635

SHA256
62fe0232955662e7f06351a8b7dadc7fdf0b603b1f42f2ca7953a2398e2664ae

SHA512
4227ca344d4f52eefb30e8afb09a487a6b68db104e1e41e443647c89e9a75075874d5c599d91c778d10ca857fff019a077ad1763b722303f1332cb83e1a04daa

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Connect\Connect.exe

Filesize
35.3MB

MD5
6b2652f2f1395cc69f6059d5e8248d8b

SHA1
0510d81ee1eeaf0cee41a54a3eccb3c01314e635

SHA256
62fe0232955662e7f06351a8b7dadc7fdf0b603b1f42f2ca7953a2398e2664ae

SHA512
4227ca344d4f52eefb30e8afb09a487a6b68db104e1e41e443647c89e9a75075874d5c599d91c778d10ca857fff019a077ad1763b722303f1332cb83e1a04daa

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Connect\ConnectDetector.exe

Filesize
644KB

MD5
77a4c18414964e80b8bbbadf52319578

SHA1
389a72b64274b2c171548a6c899d4bbb0ee17cdf

SHA256
1bb861dca97f170e7b454e136936a9838133ee7977887403f45362e019ba9f2f

SHA512
61acc7ab259975915d312e16f63781bb9c5b841da162e7f27e6174481eea2af31f64b44cb1d30269b5f36c42d1ecf49a91764754fb6e899b0582c8b5727709d9

Download Submit
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1792-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads