49e2753acd651334356e95b9fbefc50029ca6e5dfeee6356211b262ab658347f

Resubmissions

24/03/2023, 21:52

230324-1q6ljabg3s 8

24/03/2023, 21:49

230324-1pschsbg2w 8

Analysis

max time kernel
51s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

56.3MB
MD5

954fd032f2f26f841f96d09ff92e7c20
SHA1

4366ecfc93ba48db7a61c7f7c76f6e15d7c33dba
SHA256

49e2753acd651334356e95b9fbefc50029ca6e5dfeee6356211b262ab658347f
SHA512

ceee818b39c141509f52c816407b61bbe24ab01fba8edc5c62b0735e4b19f8c502e33f567a3cd175092bd838c48b8088018603d171fbb87404359a4c73160588
SSDEEP

786432:XgMtNGezeUts0hj6CWd1FLpoeGMXTmc+F8DS6UuO62Q7I/DU2ySyjMub+m128Ftt:QMHLlaTCiEMpUWr7IrpyLjr+qFzbpQG

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4028	netsh.exe
4248	netsh.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 4 IoCs

pid	Process
2976	SetACL.exe
4044	SetACL.exe
1676	SetACL.exe
4528	SetACL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1556	taskkill.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	2976	SetACL.exe
Token: SeRestorePrivilege	2976	SetACL.exe
Token: SeSecurityPrivilege	2976	SetACL.exe
Token: SeSecurityPrivilege	2976	SetACL.exe
Token: SeBackupPrivilege	4044	SetACL.exe
Token: SeRestorePrivilege	4044	SetACL.exe
Token: SeTakeOwnershipPrivilege	4044	SetACL.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeBackupPrivilege	1676	SetACL.exe
Token: SeRestorePrivilege	1676	SetACL.exe
Token: SeBackupPrivilege	4528	SetACL.exe
Token: SeRestorePrivilege	4528	SetACL.exe
Token: SeTakeOwnershipPrivilege	4528	SetACL.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4028	4344	setup.exe	89
PID 4344 wrote to memory of 4028	4344	setup.exe	89
PID 4344 wrote to memory of 4248	4344	setup.exe	92
PID 4344 wrote to memory of 4248	4344	setup.exe	92
PID 4344 wrote to memory of 3780	4344	setup.exe	94
PID 4344 wrote to memory of 3780	4344	setup.exe	94
PID 4344 wrote to memory of 4180	4344	setup.exe	96
PID 4344 wrote to memory of 4180	4344	setup.exe	96
PID 4344 wrote to memory of 4140	4344	setup.exe	98
PID 4344 wrote to memory of 4140	4344	setup.exe	98
PID 4140 wrote to memory of 2976	4140	setup.exe	99
PID 4140 wrote to memory of 2976	4140	setup.exe	99
PID 4344 wrote to memory of 3548	4344	setup.exe	101
PID 4344 wrote to memory of 3548	4344	setup.exe	101
PID 3548 wrote to memory of 4044	3548	setup.exe	102
PID 3548 wrote to memory of 4044	3548	setup.exe	102
PID 4344 wrote to memory of 3712	4344	setup.exe	106
PID 4344 wrote to memory of 3712	4344	setup.exe	106
PID 3712 wrote to memory of 1556	3712	setup.exe	107
PID 3712 wrote to memory of 1556	3712	setup.exe	107
PID 4344 wrote to memory of 2272	4344	setup.exe	109
PID 4344 wrote to memory of 2272	4344	setup.exe	109
PID 2272 wrote to memory of 1676	2272	setup.exe	110
PID 2272 wrote to memory of 1676	2272	setup.exe	110
PID 4344 wrote to memory of 1124	4344	setup.exe	112
PID 4344 wrote to memory of 1124	4344	setup.exe	112
PID 1124 wrote to memory of 4236	1124	setup.exe	113
PID 1124 wrote to memory of 4236	1124	setup.exe	113
PID 4344 wrote to memory of 636	4344	setup.exe	115
PID 4344 wrote to memory of 636	4344	setup.exe	115
PID 636 wrote to memory of 4528	636	setup.exe	117
PID 636 wrote to memory of 4528	636	setup.exe	117

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name="Adobe Unlicensed Pop-up" dir=out
  2⤵
  - Modifies Windows Firewall
  PID:4028
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Adobe Unlicensed Pop-up" dir=out action=block remoteip=52.22.41.97,52.6.155.20,3.219.243.226,3.233.129.217,18.213.11.84,50.16.47.176,34.237.241.83,54.224.241.105 enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:4248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c CD /d "%sfxpath:~0,-20%\Adobe 2023" && Set-up.exe
  2⤵
  PID:3780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c IF EXIST "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" ( REN "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" "Cinema 4D.yes" && XCOPY /y /r "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Cinema 4D.exe" "C:\Program Files\Maxon Cinema 4D 2023" )
  2⤵
  PID:4180
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn list -lst "f:sddl;w:d,s,o" -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn list -lst "f:sddl;w:d,s,o" -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn setowner -ownr "n:OZADSVWH\Admin"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn setowner -ownr "n:OZADSVWH\Admin"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "TASKKILL" /f /im XD.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im XD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn ace -ace " "n:OZADSVWH\Admin;p:full"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn ace -ace " "n:OZADSVWH\Admin;p:full"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "rewrite.cmd"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Adobe Temp\rewrite.cmd" "
    3⤵
    PID:4236
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn restore -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn restore -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp

Filesize
1KB

MD5
170cb538ac555436b9375d0ec5d4db3a

SHA1
9e594e48a78c4cb78df307015dd8292b18556e13

SHA256
87d446878296a5ace87a9d7346c4c1f2f23513ace43562095ffeff3b7fb710b8

SHA512
f4c8b6e0156705555e75e3f5754d244fd17b7e7063e3d8f96661701e49c481e3176daa469f99b62cb4f5373ba44912a05600816d01597e7e5007c6b2ba40ef14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\rewrite.cmd

Filesize
384B

MD5
fb1fe6be5e57ae1a7bbcabfd71eda57f

SHA1
7ac604430875193985eb6ad103d3cd7604329c63

SHA256
b8566d6e542aa254eb43bef10d0d23c5a8a9b273aaa407cdb8d5717a0af170ab

SHA512
3392eee4ff5564b439085c65b22234bcbe10901ffd4b35ee04d5f0f7394585dc924b4dd581c695e5ef564653a911059493c23d8ed944efdd53e5c4467a3ab8a6

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads