Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-02-2023 23:41

General

  • Target

    ConnectSetup.exe

  • Size

    287KB

  • MD5

    270d3021cdab3d056773a7d4a1911d0f

  • SHA1

    766f9e23b7ab0095928a5009ed6cc92955d703ad

  • SHA256

    8aa76e787b8749290d0fdaaf6d5a2626f8fe359469d462f22fcf573f7183ac66

  • SHA512

    9ddfab50ea2b5c5c4a98cd242ba76be992eadc26849646d082f53ab4025736215c5593b41ad7b27d7ea84139e76280b2c75f3d9e0212cbf5588fecd90afdc8e8

  • SSDEEP

    6144:a0+v7MjXF2+OYzoBEpN/CyZeUbgVWXuV4byG4dV9:aAjXF2CAED/CyZeUbEWXuWbnyn

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ConnectSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ConnectSetup.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
      "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe" /nolaunch
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:3844
    • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
      "C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe" /CreateStartMenu /nolaunch
      2⤵
      • Executes dropped EXE
      PID:2432
  • C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe
    "C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe"
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4976
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x498 0x504
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3504

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Modify Registry (T1112): 1 signature
  • Discovery
    • Query Registry (T1012): 2 signatures
    • System Information Discovery (T1082): 2 signatures

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Connect\connect.exe
    Filesize

    17.4MB

    MD5

    2d5850ca99bbc9e75f04b99b41cd6bcd

    SHA1

    40141de8872afd1e09c438edb8d02a3422a56017

    SHA256

    ed5db5497c66b3f70dd2107336d355e759b16dad81a31053b5cd48e6f310835b

    SHA512

    d015aeb6c348163b0c0ce38d337d80b05a6cb171f1a19f99f476c5a35407b0013a04120872889b766036f49795c03d193c9e26aa4b967198930d57cddf0f3338

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\InstallLog.log
    Filesize

    936B

    MD5

    41af4924167d1d4f805e8024bcec59a9

    SHA1

    7d7c4206647fff741d86813895618c423807d0e8

    SHA256

    2806616b41c3cf767860b036a7f48c7edde03112109eb8791b2bc9b1a997359a

    SHA512

    7d40efc1cee043408974bbed0f0ef5d6c04c115eb4c125b62aef021f0b5732fff58eadc97659920c239242eff8a8f58dcfcc6c97daa457837843416fd14638c8

  • C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\adobeconnectaddin\adobeconnectaddin.exe
    Filesize

    17.5MB

    MD5

    604822783cccee8637a517179565d56d

    SHA1

    e41592d903a795a2576d3c1a1fbc994357238c92

    SHA256

    eb90cb6f71eb674eb3b40c4dc2e5567311880030d6c2ea348b25fa7299cf9e15

    SHA512

    c852fa3f085f2b5bd4fc6129d0c8fc737f0927474804dfdd04f588ebec98216e4ea2996efff37fbbbfcbbe8cadf8dc6ffb3a8b8036d855ea9cb6e3c1a2fc3445

  • memory/2432-134-0x0000000000000000-mapping.dmp
  • memory/3844-132-0x0000000000000000-mapping.dmp