4a771b16ce3b955467c07ab64bc791581898939ee4411d67f18ed9d69bf38e78

Analysis

max time kernel
63s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photoshop_Set-Up.exe
Size

2.0MB
MD5

78af92c3211199652ba4ff55f605634a
SHA1

098deca61e9076b408f956baef378aa014cfec4f
SHA256

4a771b16ce3b955467c07ab64bc791581898939ee4411d67f18ed9d69bf38e78
SHA512

127315d132b2b28824967e747548931be4d4c0f20282c105fb1268d57e925a6ae7454dd28b6af7e6935e07166a4412f9711922d35cf87c170cdd15ef99f9d6e6
SSDEEP

49152:oaJxgViXV043IpyGedVdS3/9aEuFRZq7/BFoZJs0hXHKr7:oakV9Ms9afwECr7

Score

10^/10

adobe phishing upx

Malware Config

Signatures

Detected adobe phishing page
phishing adobe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4700-181-0x0000000000BA0000-0x00000000010CF000-memory.dmp	upx
behavioral2/memory/4700-297-0x0000000000BA0000-0x00000000010CF000-memory.dmp	upx
behavioral2/memory/4700-322-0x0000000000BA0000-0x00000000010CF000-memory.dmp	upx
behavioral2/memory/4700-364-0x0000000000BA0000-0x00000000010CF000-memory.dmp	upx
behavioral2/memory/4700-371-0x0000000000BA0000-0x00000000010CF000-memory.dmp	upx
behavioral2/memory/4700-412-0x0000000000BA0000-0x00000000010CF000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

Photoshop_Set-Up.exe

description ioc process

File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF Photoshop_Set-Up.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	Photoshop_Set-Up.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

Photoshop_Set-Up.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	Photoshop_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com	Photoshop_Set-Up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\auth.services.adobe.com\ = "48"	Photoshop_Set-Up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\Total = "48"	Photoshop_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Photoshop_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com	Photoshop_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	Photoshop_Set-Up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\adobe.com\NumberOfSubdomains = "1"	Photoshop_Set-Up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "48"	Photoshop_Set-Up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Photoshop_Set-Up.exe = "11001"	Photoshop_Set-Up.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DOMStorage\adobe.com	Photoshop_Set-Up.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Photoshop_Set-Up.exe

pid	process
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe
4700	Photoshop_Set-Up.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

Photoshop_Set-Up.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	4700	Photoshop_Set-Up.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Photoshop_Set-Up.exe

pid process

4700 Photoshop_Set-Up.exe
4700 Photoshop_Set-Up.exe

C:\Users\Admin\AppData\Local\Temp\Photoshop_Set-Up.exe
"C:\Users\Admin\AppData\Local\Temp\Photoshop_Set-Up.exe"
1⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\OOBE\temp_ins_lbs_wid
Filesize
38B

MD5
83cddd5e861331eaea034cf9c3e3de8b

SHA1
585d3027c9899872ba3a4559d33ecb3f54a1a053

SHA256
12bbed42a6002bd22356fc6f3791da3f695f8f24ccd87a3ecfd9bf23da225007

SHA512
7eb9f922246162ae48e0614684e41a9121b109e4725a0fdc1466312033c67c770f73732186227291774cb8ba492ccfd5ed08d0b87a197ff212af9326ce7350f1

Download Submit
C:\Users\Admin\AppData\Local\Adobe\OOBE\temp_lbs_wid
Filesize
38B

MD5
f389491eece9d32b7a75594750350001

SHA1
a2aa876b51b134d736ef6d200c244f69714f0513

SHA256
9ae9c6f40e742c5e77472e87dcc4a9ca4f1946fc388954195fb1adac6fab58e8

SHA512
86c4a480992faf72c86c56950fedec7218834aed26efdc09022eca289931095665ed557f2cfb102f8c5077d69216b6d11c7b206621e62ddf5ec6d45a60f6801c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\styles.2c45be1a[1].css
Filesize
517KB

MD5
34aa20c80f82b277882a884aee2d9419

SHA1
2be7b76fe1e9c4c7601f61e0101e0a7ce9bc59d4

SHA256
012947f7fb0987035c5677d4cada914e2cca49758cb518472f6518a6edfc996b

SHA512
f4655986d876f2767ec1e73b65709a6edd7ebc65fe218ee307b50fbad6a8e0ce53b58f45e7b8c35cd804f80567595b4efbac36b37ed338e2463a983daad4afa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15E255C8-D3FD-4415-BF7A-6D605E010E62}\js\main.js
Filesize
7KB

MD5
6186a070edb4bbbf6d45ab337bcb7a48

SHA1
819cec2c6e5dab991f74a1fad84e24a48e1b8668

SHA256
a8d7f18869a8e17f734d69dc2e92c5e39ce275bb469466a8ff8829869c2bb72f

SHA512
12cd811c7a0c0533f39f7f3ef12c180a376b0546c6e3fd37d2a441fa64ebe3fe079b3468d34abbbc2488299a2fb620482554ab62559313e8ffdd442f46d4911d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15E255C8-D3FD-4415-BF7A-6D605E010E62}\js\mainController.js
Filesize
18KB

MD5
0fc8ee5525924ad5e81ed0e8de83cfb7

SHA1
2b49ef921252e0a14b64321adcd3b57c56be10b8

SHA256
95a8d2dec864fbd214c337ac00a278acfa8c147e1deebfac6e3274b918623f25

SHA512
c966123ea10118a73c985eacf47bf6570f5330c405eeacab0095a97c588684ee9ba3f9299fae98fc834b7288959b139c04ee66fa7001c723641ec0447ace41cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15E255C8-D3FD-4415-BF7A-6D605E010E62}\js\overlayController.js
Filesize
18KB

MD5
26ad0e942ca8f72a667728a8f0ddcb40

SHA1
2a055e4778f33919b0de70ef6a1c2730f12d5197

SHA256
e66bf21005d38af6831ca23e03a594b07c036ad2476d4c92fcacff35e5e3886b

SHA512
924a71e561ca3fc10c139c25f1c21affd603ddce79fa736603e139ab6fa4eed8fa0461f36a42498e27d5d20bc45c83072f5f25405894347236ace8cda47f20d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15E255C8-D3FD-4415-BF7A-6D605E010E62}\js\utils.js
Filesize
4KB

MD5
11671543588b007e7be2af6c784cb8ac

SHA1
84c86bb07a59ea951a510a7a7ac816b478598bd2

SHA256
bc354f2e25fe40ae21745c51b06d8f34643e238ee67fb94f5cd59c9b56ac17f5

SHA512
31af704991693747a74a32bdcfebabf31d98e2a47e69fe21a53c852b4c30de1c526ab602c530010e37751b59f6ff308c46443bb48fa30ed688c384fa0df35afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15E255C8-D3FD-4415-BF7A-6D605E010E62}\lib\angular.min.js
Filesize
164KB

MD5
460bfef99b405c239b8899cb8564b82f

SHA1
47284797cd14f803aac4070e28fb77eb009ebfaa

SHA256
17f913d3f84223eee4267c50b3381d9ef266318ef1d4b5477d061fce71880083

SHA512
a6960249fad08d288f9b65a40c5c61b31c9408e8de6fed71c2eb35f63e568b2a1357a955f29fca312bd459faeaee422a70c317626e56884c3db57e0314ef3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15E255C8-D3FD-4415-BF7A-6D605E010E62}\lib\jquery.custom-scrollbar.min.js
Filesize
14KB

MD5
ab3adf4aff09a1c562a29db05795c8ab

SHA1
f6c3f470aea0678945cb889f518a0e9a5ce44342

SHA256
d05e193674c6fc31de0503cbc0b152600f22689ad7ad72adb35fcc7c25d4b01b

SHA512
44dfc748d0bd84f123f9d3f62d5ea137d9128d5bdbe45da9a8666d09039eb179acf0dbb3030e09896fd61e7aa5ae6dfaffe9258d80949a64d0a7e45037791fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15E255C8-D3FD-4415-BF7A-6D605E010E62}\lib\jquery.min.js
Filesize
84KB

MD5
6407e5047d51c05aff0294dbfa08070f

SHA1
f4ca7e7c8c64486423ac74b7d8674c61892b8f48

SHA256
c607ffd463124f60d8569dc49738df743dc304fac7ffa19477b4794ce0fd5486

SHA512
b87541d35cfcba4d5831d5cb48f729a2d0b850617956970becd5027865f6ffb1e21315e27be28017d0c6e70a2d522acd90a6986bd13fb04ccba9937f016420e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15E255C8-D3FD-4415-BF7A-6D605E010E62}\lib\jquery.placeholder.min.js
Filesize
3KB

MD5
e13f16e89fff39422bbb2cb08a015d30

SHA1
e7cacaf84f53997dd096afd1c5f350fd3e7c6ce9

SHA256
24320add10244d1834052c7e75b853aa2d164601c9d09220a9f9ac1f0ae44afe

SHA512
aad811f03f59f799da4b8fc4f859b51c39f132b7ddbffadabe4ec2373bd340617d6fe98761d1fb86d77606791663b387d98a60fba9cee5d99c34f683bcb8d1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15E255C8-D3FD-4415-BF7A-6D605E010E62}\main.html
Filesize
19KB

MD5
8e17657cc1ec6a2e2f2881585bf254ab

SHA1
dea1d0c56dd01b1bb36f1974a35ae92c3ac07d5b

SHA256
3570b9a348799202d2747c09b001f1ae6a9c456e6ba982e3b58ac4543807da8c

SHA512
dc77e6297dee26c941e6ffc8352623701327345701babd06f44e0367f0427a907eb3634227d021b412f02bbefc621835f4d9eb430bbbf504a708f076621b4463

Download Submit
memory/4700-255-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-265-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-261-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-260-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-262-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-263-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-264-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-256-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-266-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-254-0x000000000B6A0000-0x000000000B6A1000-memory.dmp

Filesize
4KB

Download
memory/4700-297-0x0000000000BA0000-0x00000000010CF000-memory.dmp

Filesize
5.2MB

Download
memory/4700-181-0x0000000000BA0000-0x00000000010CF000-memory.dmp

Filesize
5.2MB

Download
memory/4700-322-0x0000000000BA0000-0x00000000010CF000-memory.dmp

Filesize
5.2MB

Download
memory/4700-364-0x0000000000BA0000-0x00000000010CF000-memory.dmp

Filesize
5.2MB

Download
memory/4700-371-0x0000000000BA0000-0x00000000010CF000-memory.dmp

Filesize
5.2MB

Download
memory/4700-412-0x0000000000BA0000-0x00000000010CF000-memory.dmp

Filesize
5.2MB

Download