4a771b16ce3b955467c07ab64bc791581898939ee4411d67f18ed9d69bf38e78

Analysis

max time kernel
70s
max time network
75s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photoshop_Set-Up.exe
Size

2.0MB
MD5

78af92c3211199652ba4ff55f605634a
SHA1

098deca61e9076b408f956baef378aa014cfec4f
SHA256

4a771b16ce3b955467c07ab64bc791581898939ee4411d67f18ed9d69bf38e78
SHA512

127315d132b2b28824967e747548931be4d4c0f20282c105fb1268d57e925a6ae7454dd28b6af7e6935e07166a4412f9711922d35cf87c170cdd15ef99f9d6e6
SSDEEP

49152:oaJxgViXV043IpyGedVdS3/9aEuFRZq7/BFoZJs0hXHKr7:oakV9Ms9afwECr7

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1996-106-0x0000000000330000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/1996-197-0x0000000000330000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/1996-208-0x0000000000330000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/1996-213-0x0000000000330000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/1996-228-0x0000000000330000-0x000000000085F000-memory.dmp	upx
behavioral1/memory/1996-231-0x0000000000330000-0x000000000085F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

Photoshop_Set-Up.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Photoshop_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	Photoshop_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Photoshop_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Photoshop_Set-Up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Photoshop_Set-Up.exe = "11001"	Photoshop_Set-Up.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Photoshop_Set-Up.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Photoshop_Set-Up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Photoshop_Set-Up.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

Photoshop_Set-Up.exe

pid	process
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe
1996	Photoshop_Set-Up.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Photoshop_Set-Up.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	1996	Photoshop_Set-Up.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Photoshop_Set-Up.exe

pid process

1996 Photoshop_Set-Up.exe
1996 Photoshop_Set-Up.exe

C:\Users\Admin\AppData\Local\Temp\Photoshop_Set-Up.exe
"C:\Users\Admin\AppData\Local\Temp\Photoshop_Set-Up.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\OOBE\temp_ins_lbs_wid
Filesize
38B

MD5
1494418b4b7ab402e15f510b6c419e7a

SHA1
f4fe1597abea18249e3a6af0c0100653dd548f65

SHA256
3228fe20b7359536d34ba715d898d804040ce52afd9128de985eed5984b32787

SHA512
1535cf2280d59c34bf7dddb2f3e5b61eb9466b78893891f21f7620f6988ff38cd080bd51b1d35d6df9744a152b7a80e453c5326a2875142611eff0c14d01a1de

Download Submit
C:\Users\Admin\AppData\Local\Adobe\OOBE\temp_lbs_wid
Filesize
38B

MD5
1693907d9bf0d3970a38f5d565c1f6ca

SHA1
c768bdcb076e46dfa20a0d898023228ebc1ebc3b

SHA256
b8b4f40466a0b4260b33a19e2b578315f2b602aac917fd12ea2c975513de93a6

SHA512
64174930d7d3d2de524f4181d99c60b7bd38f1c0a55923a553d90f9257481ae4abc9a434d11e27b0ddd641dd2747fe684cdf9a735708d2769aac21ded4dbdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3FCC9C0F-2337-4AB1-89FB-37BDBA857743}\js\main.js
Filesize
7KB

MD5
6186a070edb4bbbf6d45ab337bcb7a48

SHA1
819cec2c6e5dab991f74a1fad84e24a48e1b8668

SHA256
a8d7f18869a8e17f734d69dc2e92c5e39ce275bb469466a8ff8829869c2bb72f

SHA512
12cd811c7a0c0533f39f7f3ef12c180a376b0546c6e3fd37d2a441fa64ebe3fe079b3468d34abbbc2488299a2fb620482554ab62559313e8ffdd442f46d4911d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3FCC9C0F-2337-4AB1-89FB-37BDBA857743}\js\mainController.js
Filesize
18KB

MD5
0fc8ee5525924ad5e81ed0e8de83cfb7

SHA1
2b49ef921252e0a14b64321adcd3b57c56be10b8

SHA256
95a8d2dec864fbd214c337ac00a278acfa8c147e1deebfac6e3274b918623f25

SHA512
c966123ea10118a73c985eacf47bf6570f5330c405eeacab0095a97c588684ee9ba3f9299fae98fc834b7288959b139c04ee66fa7001c723641ec0447ace41cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3FCC9C0F-2337-4AB1-89FB-37BDBA857743}\js\overlayController.js
Filesize
18KB

MD5
26ad0e942ca8f72a667728a8f0ddcb40

SHA1
2a055e4778f33919b0de70ef6a1c2730f12d5197

SHA256
e66bf21005d38af6831ca23e03a594b07c036ad2476d4c92fcacff35e5e3886b

SHA512
924a71e561ca3fc10c139c25f1c21affd603ddce79fa736603e139ab6fa4eed8fa0461f36a42498e27d5d20bc45c83072f5f25405894347236ace8cda47f20d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3FCC9C0F-2337-4AB1-89FB-37BDBA857743}\js\utils.js
Filesize
4KB

MD5
11671543588b007e7be2af6c784cb8ac

SHA1
84c86bb07a59ea951a510a7a7ac816b478598bd2

SHA256
bc354f2e25fe40ae21745c51b06d8f34643e238ee67fb94f5cd59c9b56ac17f5

SHA512
31af704991693747a74a32bdcfebabf31d98e2a47e69fe21a53c852b4c30de1c526ab602c530010e37751b59f6ff308c46443bb48fa30ed688c384fa0df35afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3FCC9C0F-2337-4AB1-89FB-37BDBA857743}\lib\angular.min.js
Filesize
164KB

MD5
460bfef99b405c239b8899cb8564b82f

SHA1
47284797cd14f803aac4070e28fb77eb009ebfaa

SHA256
17f913d3f84223eee4267c50b3381d9ef266318ef1d4b5477d061fce71880083

SHA512
a6960249fad08d288f9b65a40c5c61b31c9408e8de6fed71c2eb35f63e568b2a1357a955f29fca312bd459faeaee422a70c317626e56884c3db57e0314ef3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3FCC9C0F-2337-4AB1-89FB-37BDBA857743}\lib\jquery.custom-scrollbar.min.js
Filesize
14KB

MD5
ab3adf4aff09a1c562a29db05795c8ab

SHA1
f6c3f470aea0678945cb889f518a0e9a5ce44342

SHA256
d05e193674c6fc31de0503cbc0b152600f22689ad7ad72adb35fcc7c25d4b01b

SHA512
44dfc748d0bd84f123f9d3f62d5ea137d9128d5bdbe45da9a8666d09039eb179acf0dbb3030e09896fd61e7aa5ae6dfaffe9258d80949a64d0a7e45037791fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3FCC9C0F-2337-4AB1-89FB-37BDBA857743}\lib\jquery.min.js
Filesize
84KB

MD5
6407e5047d51c05aff0294dbfa08070f

SHA1
f4ca7e7c8c64486423ac74b7d8674c61892b8f48

SHA256
c607ffd463124f60d8569dc49738df743dc304fac7ffa19477b4794ce0fd5486

SHA512
b87541d35cfcba4d5831d5cb48f729a2d0b850617956970becd5027865f6ffb1e21315e27be28017d0c6e70a2d522acd90a6986bd13fb04ccba9937f016420e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3FCC9C0F-2337-4AB1-89FB-37BDBA857743}\lib\jquery.placeholder.min.js
Filesize
3KB

MD5
e13f16e89fff39422bbb2cb08a015d30

SHA1
e7cacaf84f53997dd096afd1c5f350fd3e7c6ce9

SHA256
24320add10244d1834052c7e75b853aa2d164601c9d09220a9f9ac1f0ae44afe

SHA512
aad811f03f59f799da4b8fc4f859b51c39f132b7ddbffadabe4ec2373bd340617d6fe98761d1fb86d77606791663b387d98a60fba9cee5d99c34f683bcb8d1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3FCC9C0F-2337-4AB1-89FB-37BDBA857743}\main.html
Filesize
19KB

MD5
8e17657cc1ec6a2e2f2881585bf254ab

SHA1
dea1d0c56dd01b1bb36f1974a35ae92c3ac07d5b

SHA256
3570b9a348799202d2747c09b001f1ae6a9c456e6ba982e3b58ac4543807da8c

SHA512
dc77e6297dee26c941e6ffc8352623701327345701babd06f44e0367f0427a907eb3634227d021b412f02bbefc621835f4d9eb430bbbf504a708f076621b4463

Download Submit
memory/1996-107-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1996-197-0x0000000000330000-0x000000000085F000-memory.dmp

Filesize
5.2MB

Download
memory/1996-199-0x0000000003310000-0x000000000331A000-memory.dmp

Filesize
40KB

Download
memory/1996-198-0x0000000003310000-0x000000000331A000-memory.dmp

Filesize
40KB

Download
memory/1996-208-0x0000000000330000-0x000000000085F000-memory.dmp

Filesize
5.2MB

Download
memory/1996-209-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1996-212-0x0000000003310000-0x000000000331A000-memory.dmp

Filesize
40KB

Download
memory/1996-213-0x0000000000330000-0x000000000085F000-memory.dmp

Filesize
5.2MB

Download
memory/1996-106-0x0000000000330000-0x000000000085F000-memory.dmp

Filesize
5.2MB

Download
memory/1996-228-0x0000000000330000-0x000000000085F000-memory.dmp

Filesize
5.2MB

Download
memory/1996-231-0x0000000000330000-0x000000000085F000-memory.dmp

Filesize
5.2MB

Download