8aa76e787b8749290d0fdaaf6d5a2626f8fe359469d462f22fcf573f7183ac66

Analysis

max time kernel
104s
max time network
106s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
13-02-2023 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConnectSetup.exe
Size

287KB
MD5

270d3021cdab3d056773a7d4a1911d0f
SHA1

766f9e23b7ab0095928a5009ed6cc92955d703ad
SHA256

8aa76e787b8749290d0fdaaf6d5a2626f8fe359469d462f22fcf573f7183ac66
SHA512

9ddfab50ea2b5c5c4a98cd242ba76be992eadc26849646d082f53ab4025736215c5593b41ad7b27d7ea84139e76280b2c75f3d9e0212cbf5588fecd90afdc8e8
SSDEEP

6144:a0+v7MjXF2+OYzoBEpN/CyZeUbgVWXuV4byG4dV9:aAjXF2CAED/CyZeUbEWXuWbnyn

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3692	adobeconnectaddin.exe
4604	adobeconnectaddin.exe
4708	connect.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	connect.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	connect.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\connect.exe = "11001"	connect.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\connectpro\shell\open	adobeconnectaddin.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\connectpro\shell\open\command	adobeconnectaddin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\connectpro\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Connect\\connect.exe\" \"%1\""	adobeconnectaddin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\connectpro\URL Protocol	adobeconnectaddin.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\connectpro\DefaultIcon	adobeconnectaddin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\connectpro\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Connect\\connect.exe,1"	adobeconnectaddin.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\connectpro	adobeconnectaddin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\connectpro\ = "URL:Adobe Connect"	adobeconnectaddin.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\connectpro\shell	adobeconnectaddin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4192	ConnectSetup.exe
4192	ConnectSetup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4176	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4176	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4708	connect.exe
4708	connect.exe
4708	connect.exe
4708	connect.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3692	4192	ConnectSetup.exe	66
PID 4192 wrote to memory of 3692	4192	ConnectSetup.exe	66
PID 4192 wrote to memory of 3692	4192	ConnectSetup.exe	66
PID 4192 wrote to memory of 4604	4192	ConnectSetup.exe	67
PID 4192 wrote to memory of 4604	4192	ConnectSetup.exe	67
PID 4192 wrote to memory of 4604	4192	ConnectSetup.exe	67

C:\Users\Admin\AppData\Local\Temp\ConnectSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ConnectSetup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
  "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe" /nolaunch
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3692
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
  "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe" /CreateStartMenu /nolaunch
  2⤵
  - Executes dropped EXE
  PID:4604

C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C

Filesize
779B

MD5
52459475bbead1cc9bba0ff24722c884

SHA1
1e6cddf21f19f4819050782cd075b72fc96abd7e

SHA256
23866b98ab3cc0c8db11f876560468be263c7bfd29c2de29cb36e6eb68c5c67b

SHA512
9fd1c809e66ae2443bdc9adb6e3bcc7b50a26eb6f518d317bd1b9a152cc9164145637fc393fdd6e4473e84dce947d638127259684a49bdd33dc5458385e6dbb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
246B

MD5
701ac0cda4e726436f762152cb401fcb

SHA1
786cea9012fa5b8220253628379a245841ac658a

SHA256
58ca09ad52ca0f3732a8749e5dec4d0f23c164f6d9f4649e720f081a29e544ea

SHA512
4bf3eafea4937ca58a139f35a07b03511b0a5ed04d5afc7e219c9f16bde65aa770e05084b7be7f1d5cfe2fa46c4cab26dbc8b9c5c12c483357a114a0da763427

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe

Filesize
17.4MB

MD5
2d5850ca99bbc9e75f04b99b41cd6bcd

SHA1
40141de8872afd1e09c438edb8d02a3422a56017

SHA256
ed5db5497c66b3f70dd2107336d355e759b16dad81a31053b5cd48e6f310835b

SHA512
d015aeb6c348163b0c0ce38d337d80b05a6cb171f1a19f99f476c5a35407b0013a04120872889b766036f49795c03d193c9e26aa4b967198930d57cddf0f3338

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe

Filesize
17.4MB

MD5
2d5850ca99bbc9e75f04b99b41cd6bcd

SHA1
40141de8872afd1e09c438edb8d02a3422a56017

SHA256
ed5db5497c66b3f70dd2107336d355e759b16dad81a31053b5cd48e6f310835b

SHA512
d015aeb6c348163b0c0ce38d337d80b05a6cb171f1a19f99f476c5a35407b0013a04120872889b766036f49795c03d193c9e26aa4b967198930d57cddf0f3338

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\InstallLog.log

Filesize
782B

MD5
0084c8238279a26c5ca4fc02bd81fd92

SHA1
d3464adf414b2fd018a81437f963b937d86bff99

SHA256
c038e59346d7fa41c9775712f61a0ce068a148840bb6c7cbcad39f08e89da948

SHA512
0594ef218f84c7cb7bf7e2a3c84174a29a438992dd9c4b4f4013a12463496311cf04f021320d536abbb9d70fa1d7c0c4d6c5330a8d6836b7920058f06e10fbfd

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe

Filesize
17.5MB

MD5
604822783cccee8637a517179565d56d

SHA1
e41592d903a795a2576d3c1a1fbc994357238c92

SHA256
eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

SHA512
c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe

Filesize
17.5MB

MD5
604822783cccee8637a517179565d56d

SHA1
e41592d903a795a2576d3c1a1fbc994357238c92

SHA256
eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

SHA512
c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

Download Submit
memory/4192-151-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-136-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-125-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-126-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-127-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-155-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-129-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-130-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-131-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-132-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-133-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-134-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-135-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-156-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-137-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-138-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-139-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-140-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-141-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-142-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-143-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-144-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-145-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-146-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-147-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-157-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-149-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-152-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-123-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-150-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-153-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-154-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-128-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-124-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-148-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-158-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-159-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-160-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-161-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-162-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-163-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-164-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-165-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-166-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-167-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-168-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-169-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-170-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-171-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-172-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-173-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-175-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-174-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-176-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-177-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-178-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-179-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-180-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-181-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-182-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-122-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-121-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-120-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download
memory/4192-183-0x0000000077330000-0x00000000774BE000-memory.dmp

Filesize
1.6MB

Download