93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd

General

Target

93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd.exe
Size

4.2MB
MD5

eb181ed6b1755b1db034c1dcf1410ab5
SHA1

8bbfd9b94291dad20ad959cfa9c42341256dfa27
SHA256

93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd
SHA512

015bb841e654a96828a3b6fb68df92af5a6528e55285b3faebe3e6721849f0ec35dcec1684a7b91eed7a06a8bd26fed48923f5b8dea82859dc7852fa52b5be39
SSDEEP

49152:L7x28PbFFbDmcVY9yIsI/qaQjI6DpiRp5ZtCaMRka7eQxh+KDQy8YTc7cN6oe4CY:LQutKcm9yB4iIEiB2+a7eUkub

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2076	AdobeAdobe-type6.8.7.5.exe
1372	AdobeAdobe-type6.8.7.5.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2952	icacls.exe
3836	icacls.exe
4292	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 2264	1872	93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2080	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2264	1872	93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd.exe	67
PID 1872 wrote to memory of 2264	1872	93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd.exe	67
PID 1872 wrote to memory of 2264	1872	93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd.exe	67
PID 1872 wrote to memory of 2264	1872	93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd.exe	67
PID 1872 wrote to memory of 2264	1872	93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd.exe	67
PID 2264 wrote to memory of 2952	2264	MSBuild.exe	68
PID 2264 wrote to memory of 2952	2264	MSBuild.exe	68
PID 2264 wrote to memory of 2952	2264	MSBuild.exe	68
PID 2264 wrote to memory of 3836	2264	MSBuild.exe	70
PID 2264 wrote to memory of 3836	2264	MSBuild.exe	70
PID 2264 wrote to memory of 3836	2264	MSBuild.exe	70
PID 2264 wrote to memory of 4292	2264	MSBuild.exe	72
PID 2264 wrote to memory of 4292	2264	MSBuild.exe	72
PID 2264 wrote to memory of 4292	2264	MSBuild.exe	72
PID 2264 wrote to memory of 2080	2264	MSBuild.exe	74
PID 2264 wrote to memory of 2080	2264	MSBuild.exe	74
PID 2264 wrote to memory of 2080	2264	MSBuild.exe	74
PID 2264 wrote to memory of 2076	2264	MSBuild.exe	76
PID 2264 wrote to memory of 2076	2264	MSBuild.exe	76

C:\Users\Admin\AppData\Local\Temp\93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd.exe
"C:\Users\Admin\AppData\Local\Temp\93754ee8f8b2400dd631d9401a9fc6e29fdc62beb5cd582e43a983195d908bfd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeAdobe-type6.8.7.5" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2952
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeAdobe-type6.8.7.5" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3836
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeAdobe-type6.8.7.5" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4292
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "AdobeAdobe-type6.8.7.5\AdobeAdobe-type6.8.7.5" /TR "C:\ProgramData\AdobeAdobe-type6.8.7.5\AdobeAdobe-type6.8.7.5.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:2080
- - C:\ProgramData\AdobeAdobe-type6.8.7.5\AdobeAdobe-type6.8.7.5.exe
    "C:\ProgramData\AdobeAdobe-type6.8.7.5\AdobeAdobe-type6.8.7.5.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Executes dropped EXE
    PID:2076

C:\ProgramData\AdobeAdobe-type6.8.7.5\AdobeAdobe-type6.8.7.5.exe
C:\ProgramData\AdobeAdobe-type6.8.7.5\AdobeAdobe-type6.8.7.5.exe
1⤵
- Executes dropped EXE
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeAdobe-type6.8.7.5\AdobeAdobe-type6.8.7.5.exe

Filesize
594.2MB

MD5
6cddff8bc5fbb491f06f091d0d53563c

SHA1
9db733da96e1cb65975fd05bb73830a10f0f82d9

SHA256
bffd287984cd1b5a1447cf36927b68998a7493b563582ca6c567efc890138a3b

SHA512
6fdc84e63c7c6d80fa34c823dbf64bfc789eec3e208833390e6c0732bf11665097f062510d62d35aef2f5a710a0097d6010c662d41517b13d360965a891dbc3c

Download Submit
C:\ProgramData\AdobeAdobe-type6.8.7.5\AdobeAdobe-type6.8.7.5.exe

Filesize
508.4MB

MD5
3bf46bdfe09d3989136c18864a43ed05

SHA1
7d9f840fb250593ea0f2ed6c55ad072d46cf1a6b

SHA256
bafe3127d4b03d2a3e51d122cbe8184492bf98f17e1f35a1cbe680abe770db20

SHA512
f7b14283a7b4bbc63f29bc972cc33ee17d78ef5bec97b6dc8e38afaa2fcd65006747938311104b2ba23cd2b9f88237c064bdd549bc021b4aa6644b2fb7c2a6ea

Download Submit
C:\ProgramData\AdobeAdobe-type6.8.7.5\AdobeAdobe-type6.8.7.5.exe

Filesize
380.9MB

MD5
d1458bc4bd0c1ca08024b3d76983efe9

SHA1
61f00b3cb0bb304cfe4d144589946d2bbac90858

SHA256
fbb22d83be04364d83afd62cc4f0e168994d6eae4e6b97ad7637ebfcabb46bb7

SHA512
fac3ba9a85436357e6523acb02dddc03b1cedf1fa9718f49d08545902a15184888f7b2414f48fde9a90c4edfb5141ab73aa8d2ee121058f95a8c1c9d50dfeaa8

Download Submit
memory/2264-119-0x0000000000510000-0x0000000000938000-memory.dmp

Filesize
4.2MB

Download
memory/2264-124-0x0000000005300000-0x00000000057FE000-memory.dmp

Filesize
5.0MB

Download
memory/2264-125-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/2264-126-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2264-127-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/2264-128-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2264-129-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/2264-130-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads