8aa76e787b8749290d0fdaaf6d5a2626f8fe359469d462f22fcf573f7183ac66

Analysis

max time kernel
63s
max time network
111s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-02-2023 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConnectSetup.exe
Size

287KB
MD5

270d3021cdab3d056773a7d4a1911d0f
SHA1

766f9e23b7ab0095928a5009ed6cc92955d703ad
SHA256

8aa76e787b8749290d0fdaaf6d5a2626f8fe359469d462f22fcf573f7183ac66
SHA512

9ddfab50ea2b5c5c4a98cd242ba76be992eadc26849646d082f53ab4025736215c5593b41ad7b27d7ea84139e76280b2c75f3d9e0212cbf5588fecd90afdc8e8
SSDEEP

6144:a0+v7MjXF2+OYzoBEpN/CyZeUbgVWXuV4byG4dV9:aAjXF2CAED/CyZeUbEWXuWbnyn

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1924	adobeconnectaddin.exe
616	adobeconnectaddin.exe
1904	connect.exe

Loads dropped DLL 3 IoCs

pid	Process
1484	ConnectSetup.exe
1484	ConnectSetup.exe
616	adobeconnectaddin.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	connect.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	connect.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	connect.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	connect.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	connect.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\connect.exe = "11001"	connect.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro	adobeconnectaddin.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\DefaultIcon	adobeconnectaddin.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\shell\open	adobeconnectaddin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Connect\\connect.exe\" \"%1\""	adobeconnectaddin.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\shell\open\command	adobeconnectaddin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\ = "URL:Adobe Connect"	adobeconnectaddin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\URL Protocol	adobeconnectaddin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Connect\\connect.exe,1"	adobeconnectaddin.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\connectpro\shell	adobeconnectaddin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ConnectSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ConnectSetup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1484	ConnectSetup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	728	AUDIODG.EXE
Token: 33	728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	728	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1484	ConnectSetup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1904	connect.exe
1904	connect.exe
1904	connect.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1924	1484	ConnectSetup.exe	29
PID 1484 wrote to memory of 1924	1484	ConnectSetup.exe	29
PID 1484 wrote to memory of 1924	1484	ConnectSetup.exe	29
PID 1484 wrote to memory of 1924	1484	ConnectSetup.exe	29
PID 1484 wrote to memory of 1924	1484	ConnectSetup.exe	29
PID 1484 wrote to memory of 1924	1484	ConnectSetup.exe	29
PID 1484 wrote to memory of 1924	1484	ConnectSetup.exe	29
PID 1484 wrote to memory of 616	1484	ConnectSetup.exe	30
PID 1484 wrote to memory of 616	1484	ConnectSetup.exe	30
PID 1484 wrote to memory of 616	1484	ConnectSetup.exe	30
PID 1484 wrote to memory of 616	1484	ConnectSetup.exe	30
PID 1484 wrote to memory of 616	1484	ConnectSetup.exe	30
PID 1484 wrote to memory of 616	1484	ConnectSetup.exe	30
PID 1484 wrote to memory of 616	1484	ConnectSetup.exe	30

C:\Users\Admin\AppData\Local\Temp\ConnectSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ConnectSetup.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
  "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe" /nolaunch
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1924
- C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
  "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe" /CreateStartMenu /nolaunch
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:616

C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe
"C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d41969da30d3bd49eb2d94821b4486d3

SHA1
9cda1344a70fe247bca54da5bc3edd0791bc6e53

SHA256
abbe02dd7464b71fa7c056a214d25c7f04e07b6572f5044defbbe028b0f6250c

SHA512
fa3d9ba34f66cb2f92e715a07f7450b087f65e339e5261fefa0e6b258c3fa4cfec4e4057d5f1801de037f95359af5cfa2be13d53b555de1ba53612461b0ff84b

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe

Filesize
17.4MB

MD5
2d5850ca99bbc9e75f04b99b41cd6bcd

SHA1
40141de8872afd1e09c438edb8d02a3422a56017

SHA256
ed5db5497c66b3f70dd2107336d355e759b16dad81a31053b5cd48e6f310835b

SHA512
d015aeb6c348163b0c0ce38d337d80b05a6cb171f1a19f99f476c5a35407b0013a04120872889b766036f49795c03d193c9e26aa4b967198930d57cddf0f3338

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe

Filesize
17.4MB

MD5
2d5850ca99bbc9e75f04b99b41cd6bcd

SHA1
40141de8872afd1e09c438edb8d02a3422a56017

SHA256
ed5db5497c66b3f70dd2107336d355e759b16dad81a31053b5cd48e6f310835b

SHA512
d015aeb6c348163b0c0ce38d337d80b05a6cb171f1a19f99f476c5a35407b0013a04120872889b766036f49795c03d193c9e26aa4b967198930d57cddf0f3338

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\InstallLog.log

Filesize
936B

MD5
41af4924167d1d4f805e8024bcec59a9

SHA1
7d7c4206647fff741d86813895618c423807d0e8

SHA256
2806616b41c3cf767860b036a7f48c7edde03112109eb8791b2bc9b1a997359a

SHA512
7d40efc1cee043408974bbed0f0ef5d6c04c115eb4c125b62aef021f0b5732fff58eadc97659920c239242eff8a8f58dcfcc6c97daa457837843416fd14638c8

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe

Filesize
17.5MB

MD5
604822783cccee8637a517179565d56d

SHA1
e41592d903a795a2576d3c1a1fbc994357238c92

SHA256
eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

SHA512
c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe

Filesize
17.5MB

MD5
604822783cccee8637a517179565d56d

SHA1
e41592d903a795a2576d3c1a1fbc994357238c92

SHA256
eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

SHA512
c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe

Filesize
17.4MB

MD5
2d5850ca99bbc9e75f04b99b41cd6bcd

SHA1
40141de8872afd1e09c438edb8d02a3422a56017

SHA256
ed5db5497c66b3f70dd2107336d355e759b16dad81a31053b5cd48e6f310835b

SHA512
d015aeb6c348163b0c0ce38d337d80b05a6cb171f1a19f99f476c5a35407b0013a04120872889b766036f49795c03d193c9e26aa4b967198930d57cddf0f3338

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe

Filesize
17.5MB

MD5
604822783cccee8637a517179565d56d

SHA1
e41592d903a795a2576d3c1a1fbc994357238c92

SHA256
eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

SHA512
c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe

Filesize
17.5MB

MD5
604822783cccee8637a517179565d56d

SHA1
e41592d903a795a2576d3c1a1fbc994357238c92

SHA256
eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

SHA512
c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

Download Submit
memory/1484-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1904-95-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/1904-92-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/1904-91-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/1904-93-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/1904-94-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/1904-68-0x0000000074CB1000-0x0000000074CB3000-memory.dmp

Filesize
8KB

Download
memory/1904-97-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/1904-98-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/1904-99-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/1904-100-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download
memory/1904-101-0x0000000002EC0000-0x0000000002ECA000-memory.dmp

Filesize
40KB

Download