Analysis
- max time kernel: 18s
- max time network: 44s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-03-2023 09:06

Static task
static1

General
- Target: adobe.exe
- Size: 475.6MB
- MD5: 3450e33a31a58590b7b0f76d95f1c15b
- SHA1: ee672c96f12484c3dae64fd964a4427b3cc6565b
- SHA256: 2ba9e1fa5bac1c4ff40a3d1301e730cff2007f7bbec73997b60b679c46f304de
- SHA512: fa3558fce1eb2549586477f080ed3f1dcc730c6d30eb9fc10c1a9b7c67ab8c906f245618855711fa26ed41216a8863f348d75af24fe8dbf5783508ac5013efa7
- SSDEEP: 49152:ZC6nMrcpEgloAXxQ8+vHe1NkQLUEHgnpY:ZNBjloAhR+/m+Ugn

Malware Config
Extracted
- systembc
  - 45.138.74.200:4001
  - 212.8.244.5:4001
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | adobe.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    672 | Filedifi siteyig.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes (pid | process):
    2376 | adobe.exe (10 entries)
    672 | Filedifi siteyig.exe (10 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 2376 wrote to memory of 3292 | 2376 | adobe.exe | schtasks.exe (3 entries)
    PID 2376 wrote to memory of 672 | 2376 | adobe.exe | Filedifi siteyig.exe (3 entries)
    PID 2376 wrote to memory of 1628 | 2376 | adobe.exe | cmd.exe (3 entries)
    PID 1628 wrote to memory of 3304 | 1628 | cmd.exe | chcp.com (3 entries)
Processes (depth in brackets; each entry gives the image path, its command line, and the signatures it triggered)
- [1] C:\Users\Admin\AppData\Local\Temp\adobe.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\adobe.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe
    command line: "C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\adobe.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\chcp.com
      command line: chcp 65001
    - [3] C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1
      - Runs ping.exe
- [1] C:\Windows\SysWOW64\fontview.exe
  command line: "C:\Windows\SYSWOW64\fontview.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\240567468.dll
  Filesize: 334KB
  MD5: 4cb75f40755bf606f8a5f1b0bc1db511
  SHA1: 0e4fd3965245063a55ab411016a98c52e3498bca
  SHA256: 4c3b45b602867d875c6377fca5823a5134f991858d69efce61cccf63b3eadc3f
  SHA512: 2e54c0c7dba5cd54362a0d9a9407431faed52aba86acefe3843e509c316e9f51f12f6f17d2762f42d3c5e1f588bb774d0c9683c7f9527cf33a8a0c12634cef48
- C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe
  Filesize: 106.4MB
  MD5: 81b828f81ffc24f3dc7e4c408f883f29
  SHA1: c4c2d220ec3624b811dd8f778d8cff5c6059725b
  SHA256: 4c6c9aff748477ba78c0c90c6e06caa1a3b4cb9aa78d2bdb53916e421b28565d
  SHA512: 19dcd2783e8e6d26fcd6aac0c89194e7a14e3765d34e749b6d840a08e2a7b7d661cd14cdc540179dd7d1734fbca17d3bbb6f16ed9bdeb0a2618d0fa6ef6f6659
- C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe
  Filesize: 115.6MB
  MD5: a55c2eb1ff89145324afe972bdea5148
  SHA1: 30c5a24de32793a6998384aec12efdfb26f42f15
  SHA256: 0e44c8ba87f6fa6d410b3f5dde4a9c75ce92f05d7d034bc85b077ade053cfa84
  SHA512: 5803e9c5717a6f25a10e6fb4c5b5e9f394a7318f814bad1497237a1d0897db73a592c4cc87c4a7c0e3cbc8b3cf6b1ed027f3f3915d7085c02331589ce16d92a7
- C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe
  Filesize: 111.5MB
  MD5: 5283ee8e518e4ffd132386b9c85f91eb
  SHA1: 9eef4bd93127b94f0ebd3964e5f2f82f4afd470a
  SHA256: a5621ceb7adc05be72ab67b03c9002f54715db073be8bde087179a0d71169bb1
  SHA512: a81412bdae1d20e793585e5104307e1cb22a0e32d6cb9ee27031c811e3dea349f7944c5a65222c031ce77d6e893d6c69641dcc08c5606c90b313a03d38779503
- memory/672-144-0x000000000D8B0000-0x000000000D919000-memory.dmp
  Filesize: 420KB
- memory/2512-145-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
- memory/2512-147-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
- memory/2512-148-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
- memory/2512-149-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
- memory/3336-154-0x0000000000820000-0x0000000000853000-memory.dmp
  Filesize: 204KB