Overview

overview

8

Static

static

1

ConnectSetup.exe

windows10-1703-x64

8

ConnectSetup.exe

windows7-x64

8

ConnectSetup.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    63s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2023 23:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ConnectSetup.exe

  • Size

    287KB

  • MD5

    270d3021cdab3d056773a7d4a1911d0f

  • SHA1

    766f9e23b7ab0095928a5009ed6cc92955d703ad

  • SHA256

    8aa76e787b8749290d0fdaaf6d5a2626f8fe359469d462f22fcf573f7183ac66

  • SHA512

    9ddfab50ea2b5c5c4a98cd242ba76be992eadc26849646d082f53ab4025736215c5593b41ad7b27d7ea84139e76280b2c75f3d9e0212cbf5588fecd90afdc8e8

  • SSDEEP

    6144:a0+v7MjXF2+OYzoBEpN/CyZeUbgVWXuV4byG4dV9:aAjXF2CAED/CyZeUbEWXuWbnyn

Score
8/10
discovery

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 9 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ConnectSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ConnectSetup.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
      "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe" /nolaunch
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:1924
    • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
      "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe" /CreateStartMenu /nolaunch
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:616
  • C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe"
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:1904
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x524
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    d41969da30d3bd49eb2d94821b4486d3

    SHA1

    9cda1344a70fe247bca54da5bc3edd0791bc6e53

    SHA256

    abbe02dd7464b71fa7c056a214d25c7f04e07b6572f5044defbbe028b0f6250c

    SHA512

    fa3d9ba34f66cb2f92e715a07f7450b087f65e339e5261fefa0e6b258c3fa4cfec4e4057d5f1801de037f95359af5cfa2be13d53b555de1ba53612461b0ff84b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe
    Filesize

    17.4MB

    MD5

    2d5850ca99bbc9e75f04b99b41cd6bcd

    SHA1

    40141de8872afd1e09c438edb8d02a3422a56017

    SHA256

    ed5db5497c66b3f70dd2107336d355e759b16dad81a31053b5cd48e6f310835b

    SHA512

    d015aeb6c348163b0c0ce38d337d80b05a6cb171f1a19f99f476c5a35407b0013a04120872889b766036f49795c03d193c9e26aa4b967198930d57cddf0f3338

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe
    Filesize

    17.4MB

    MD5

    2d5850ca99bbc9e75f04b99b41cd6bcd

    SHA1

    40141de8872afd1e09c438edb8d02a3422a56017

    SHA256

    ed5db5497c66b3f70dd2107336d355e759b16dad81a31053b5cd48e6f310835b

    SHA512

    d015aeb6c348163b0c0ce38d337d80b05a6cb171f1a19f99f476c5a35407b0013a04120872889b766036f49795c03d193c9e26aa4b967198930d57cddf0f3338

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\InstallLog.log
    Filesize

    936B

    MD5

    41af4924167d1d4f805e8024bcec59a9

    SHA1

    7d7c4206647fff741d86813895618c423807d0e8

    SHA256

    2806616b41c3cf767860b036a7f48c7edde03112109eb8791b2bc9b1a997359a

    SHA512

    7d40efc1cee043408974bbed0f0ef5d6c04c115eb4c125b62aef021f0b5732fff58eadc97659920c239242eff8a8f58dcfcc6c97daa457837843416fd14638c8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
    Filesize

    17.5MB

    MD5

    604822783cccee8637a517179565d56d

    SHA1

    e41592d903a795a2576d3c1a1fbc994357238c92

    SHA256

    eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

    SHA512

    c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
    Filesize

    17.5MB

    MD5

    604822783cccee8637a517179565d56d

    SHA1

    e41592d903a795a2576d3c1a1fbc994357238c92

    SHA256

    eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

    SHA512

    c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

    Download Submit
  • \Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe
    Filesize

    17.4MB

    MD5

    2d5850ca99bbc9e75f04b99b41cd6bcd

    SHA1

    40141de8872afd1e09c438edb8d02a3422a56017

    SHA256

    ed5db5497c66b3f70dd2107336d355e759b16dad81a31053b5cd48e6f310835b

    SHA512

    d015aeb6c348163b0c0ce38d337d80b05a6cb171f1a19f99f476c5a35407b0013a04120872889b766036f49795c03d193c9e26aa4b967198930d57cddf0f3338

    Download Submit
  • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
    Filesize

    17.5MB

    MD5

    604822783cccee8637a517179565d56d

    SHA1

    e41592d903a795a2576d3c1a1fbc994357238c92

    SHA256

    eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

    SHA512

    c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

    Download Submit
  • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
    Filesize

    17.5MB

    MD5

    604822783cccee8637a517179565d56d

    SHA1

    e41592d903a795a2576d3c1a1fbc994357238c92

    SHA256

    eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

    SHA512

    c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

    Download Submit
  • memory/616-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1484-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1904-95-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1904-92-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1904-91-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1904-93-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1904-94-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1904-68-0x0000000074CB1000-0x0000000074CB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1904-97-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1904-98-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1904-99-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1904-100-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1904-101-0x0000000002EC0000-0x0000000002ECA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1924-56-0x0000000000000000-mapping.dmp
    Download