88a0f31ad2339a7eca80af7150fc91076a6c7a3e44e3651c0173e200855fb9ff

General

Target

PhotoshopElements_2022_LS30_win64-20.0.exe
Size

7.0MB
MD5

63bbd35d120650a6502f8101c0e796fb
SHA1

2214201d094e8d4192d8ae8271240c64da5e7940
SHA256

9cacc2aaf3ca95c6a9eb1e7a14e69d08fb564e1c490a767a925d75bd4adee5c6
SHA512

accb40f15ad4901f90535ade90e7a6b1296e5571b249b93b30ff1468a4091aa54a91728c6a932fafa4aef4f5fd7975409d656796b601a9a4614dd53421838acb
SSDEEP

196608:94Gpm7m3Wp8ayFmwwZIBXZbum1iIW0I2kr5gOX/fuB68dyAzmwCXUIfmYM1:94L7m6LZ2XZb1ip3r5gOXLAyw0fjS

Score

10^/10

adobe phishing upx

Malware Config

Signatures

Detected adobe phishing page
phishing adobe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2820-132-0x0000000000FB0000-0x0000000001B36000-memory.dmp	upx
behavioral2/memory/4640-139-0x0000000000FB0000-0x0000000001B36000-memory.dmp	upx
behavioral2/memory/2820-140-0x0000000000FB0000-0x0000000001B36000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PhotoshopElements_2022_LS30_win64-20.0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	PhotoshopElements_2022_LS30_win64-20.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

PhotoshopElements_2022_LS30_win64-20.0.exePhotoshopElements_2022_LS30_win64-20.0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	PhotoshopElements_2022_LS30_win64-20.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com	PhotoshopElements_2022_LS30_win64-20.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com	PhotoshopElements_2022_LS30_win64-20.0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1"	PhotoshopElements_2022_LS30_win64-20.0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "48"	PhotoshopElements_2022_LS30_win64-20.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com	PhotoshopElements_2022_LS30_win64-20.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	PhotoshopElements_2022_LS30_win64-20.0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PhotoshopElements_2022_LS30_win64-20.0.exe = "11001"	PhotoshopElements_2022_LS30_win64-20.0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "48"	PhotoshopElements_2022_LS30_win64-20.0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com\ = "48"	PhotoshopElements_2022_LS30_win64-20.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	PhotoshopElements_2022_LS30_win64-20.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	PhotoshopElements_2022_LS30_win64-20.0.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PhotoshopElements_2022_LS30_win64-20.0.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	PhotoshopElements_2022_LS30_win64-20.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	PhotoshopElements_2022_LS30_win64-20.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	PhotoshopElements_2022_LS30_win64-20.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PhotoshopElements_2022_LS30_win64-20.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	PhotoshopElements_2022_LS30_win64-20.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	PhotoshopElements_2022_LS30_win64-20.0.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

PhotoshopElements_2022_LS30_win64-20.0.exe

pid	process
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe
2820	PhotoshopElements_2022_LS30_win64-20.0.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

PhotoshopElements_2022_LS30_win64-20.0.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe
Token: SeIncreaseQuotaPrivilege	2820	PhotoshopElements_2022_LS30_win64-20.0.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PhotoshopElements_2022_LS30_win64-20.0.exe

pid process

2820 PhotoshopElements_2022_LS30_win64-20.0.exe
2820 PhotoshopElements_2022_LS30_win64-20.0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

PhotoshopElements_2022_LS30_win64-20.0.exe

description	pid	process	target process
PID 2820 wrote to memory of 4640	2820	PhotoshopElements_2022_LS30_win64-20.0.exe	PhotoshopElements_2022_LS30_win64-20.0.exe
PID 2820 wrote to memory of 4640	2820	PhotoshopElements_2022_LS30_win64-20.0.exe	PhotoshopElements_2022_LS30_win64-20.0.exe
PID 2820 wrote to memory of 4640	2820	PhotoshopElements_2022_LS30_win64-20.0.exe	PhotoshopElements_2022_LS30_win64-20.0.exe

C:\Users\Admin\AppData\Local\Temp\PhotoshopElements_2022_LS30_win64-20.0.exe
"C:\Users\Admin\AppData\Local\Temp\PhotoshopElements_2022_LS30_win64-20.0.exe"
1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\PhotoshopElements_2022_LS30_win64-20.0.exe
"C:\Users\Admin\AppData\Local\Temp\PhotoshopElements_2022_LS30_win64-20.0.exe" --pipename={62B39E6A-9C4C-421F-95CB-CF7B304F3963}
2⤵
- Modifies Internet Explorer settings
PID:4640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Filesize
471B

MD5
4bb1a02bedb6eca3cb27170b4558b066

SHA1
365f55f813757313837024286c5292fda72b3264

SHA256
8bf84562aec46dfb86620a71f8d4850c544c1a31743fde2f758e0dfa92e8f492

SHA512
d63a82a466e5288164aaead9be940f535b0a0215eb5f8d0769e4286ed5181d674181729f33e57943c279c637534cda756cec042e718e63c934c09a96856fafc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_ED10BEFF82F38B24F19F2ADE7B2EBF34
Filesize
471B

MD5
2fd5c0ed44d75f3bdb32fb147c433922

SHA1
fd6e872982e9471fc647819853151e1001b89715

SHA256
b1809bbec06bc8331e5d82a24296d711956975da7844826cf33c0e039b0c309e

SHA512
5a6395514b47a621bdfd1d308507008f2b790e0bdc92b9fcae9f14e7ab181b4a15ee7a25e2c740740099e76e400015eec8e63608b462c8f8f8ef2da5546813c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Filesize
426B

MD5
0c8b8cef2863eb10d869e0d3885b91c3

SHA1
41447aefff45b5c7c02ab848517c1ab737312716

SHA256
2c10e83ad8a6e7603ceb7084ce95883da496d9a565c050290e76d523b51adcd6

SHA512
1cdff61746b077d7a2405c8e8cf85c436f022d1c878fd684a00bccc2962c0a9e34980fb3924b30219ebd071af210a19d75dd5496e4095f1ec629d83eaad5db14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_ED10BEFF82F38B24F19F2ADE7B2EBF34
Filesize
438B

MD5
12361f8eeb6a70c43705d73e9fcf134a

SHA1
a9be027e80a0e840712a235e77f758101cfef417

SHA256
30ab1ad5e1458a28c61a877e6e795707ff5c36ff8e8c0b4abd3b8fe2d176cec5

SHA512
ae6383a3d3688fab5c0b6337366ae05107626e2361fe1536c94fe99e15f504e1d3a00f006eb7f5877c54f5234e09542db1548878aea1f9b83551bbce4f1c9646

Download Submit
C:\Users\Admin\AppData\Local\Temp\CreativeCloud\ACC\AdobeDownload\HDInstaller.log
Filesize
9KB

MD5
b33cafdfbf4e7e9b20b0dbbcdb2506f2

SHA1
16767fcac3eedda7b9d6ae212cbaa2646a5fa493

SHA256
f6b99d5db03c5aac70d2c06bb01217822836075879966a5651aa6db6a48bc2a7

SHA512
33946befdb7066840d8ac1f989e1a82b81685c4afa6bfc88c1ebac118a6be6d6deaf11f54fb63b13e2d7062d0efa83c428d0cd94c124ec942411df96710af998

Download Submit
memory/2820-132-0x0000000000FB0000-0x0000000001B36000-memory.dmp

Filesize
11.5MB

Download
memory/2820-140-0x0000000000FB0000-0x0000000001B36000-memory.dmp

Filesize
11.5MB

Download
memory/4640-133-0x0000000000000000-mapping.dmp

Download
memory/4640-139-0x0000000000FB0000-0x0000000001B36000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads