49e2753acd651334356e95b9fbefc50029ca6e5dfeee6356211b262ab658347f

General

Target

setup.exe
Size

56.3MB
MD5

954fd032f2f26f841f96d09ff92e7c20
SHA1

4366ecfc93ba48db7a61c7f7c76f6e15d7c33dba
SHA256

49e2753acd651334356e95b9fbefc50029ca6e5dfeee6356211b262ab658347f
SHA512

ceee818b39c141509f52c816407b61bbe24ab01fba8edc5c62b0735e4b19f8c502e33f567a3cd175092bd838c48b8088018603d171fbb87404359a4c73160588
SSDEEP

786432:XgMtNGezeUts0hj6CWd1FLpoeGMXTmc+F8DS6UuO62Q7I/DU2ySyjMub+m128Ftt:QMHLlaTCiEMpUWr7IrpyLjr+qFzbpQG

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
324	netsh.exe
1536	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
1392	SetACL.exe
1156	SetACL.exe

Loads dropped DLL 4 IoCs

pid	Process
1372	setup.exe
788	Process not Found
1504	setup.exe
1376	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	1392	SetACL.exe
Token: SeRestorePrivilege	1392	SetACL.exe
Token: SeSecurityPrivilege	1392	SetACL.exe
Token: SeBackupPrivilege	1156	SetACL.exe
Token: SeRestorePrivilege	1156	SetACL.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 324	1204	setup.exe	30
PID 1204 wrote to memory of 324	1204	setup.exe	30
PID 1204 wrote to memory of 324	1204	setup.exe	30
PID 1204 wrote to memory of 1536	1204	setup.exe	32
PID 1204 wrote to memory of 1536	1204	setup.exe	32
PID 1204 wrote to memory of 1536	1204	setup.exe	32
PID 1204 wrote to memory of 584	1204	setup.exe	34
PID 1204 wrote to memory of 584	1204	setup.exe	34
PID 1204 wrote to memory of 584	1204	setup.exe	34
PID 1204 wrote to memory of 1680	1204	setup.exe	37
PID 1204 wrote to memory of 1680	1204	setup.exe	37
PID 1204 wrote to memory of 1680	1204	setup.exe	37
PID 1204 wrote to memory of 1372	1204	setup.exe	36
PID 1204 wrote to memory of 1372	1204	setup.exe	36
PID 1204 wrote to memory of 1372	1204	setup.exe	36
PID 1372 wrote to memory of 1392	1372	setup.exe	40
PID 1372 wrote to memory of 1392	1372	setup.exe	40
PID 1372 wrote to memory of 1392	1372	setup.exe	40
PID 1204 wrote to memory of 1504	1204	setup.exe	41
PID 1204 wrote to memory of 1504	1204	setup.exe	41
PID 1204 wrote to memory of 1504	1204	setup.exe	41
PID 1504 wrote to memory of 1156	1504	setup.exe	42
PID 1504 wrote to memory of 1156	1504	setup.exe	42
PID 1504 wrote to memory of 1156	1504	setup.exe	42

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name="Adobe Unlicensed Pop-up" dir=out
  2⤵
  - Modifies Windows Firewall
  PID:324
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Adobe Unlicensed Pop-up" dir=out action=block remoteip=52.22.41.97,52.6.155.20,3.219.243.226,3.233.129.217,18.213.11.84,50.16.47.176,34.237.241.83,54.224.241.105 enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:1536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c CD /d "%sfxpath:~0,-20%\Adobe 2023" && Set-up.exe
  2⤵
  PID:584
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn list -lst "f:sddl;w:d,s,o" -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn list -lst "f:sddl;w:d,s,o" -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c IF EXIST "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" ( REN "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" "Cinema 4D.yes" && XCOPY /y /r "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Cinema 4D.exe" "C:\Program Files\Maxon Cinema 4D 2023" )
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn setowner -ownr "n:BPOQNXYB\Admin"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn setowner -ownr "n:BPOQNXYB\Admin"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1156

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit

Resubmissions

Analysis

Sharing