49e2753acd651334356e95b9fbefc50029ca6e5dfeee6356211b262ab658347f

Resubmissions

24/03/2023, 21:52

230324-1q6ljabg3s 8

24/03/2023, 21:49

230324-1pschsbg2w 8

Analysis

max time kernel
68s
max time network
62s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24/03/2023, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

56.3MB
MD5

954fd032f2f26f841f96d09ff92e7c20
SHA1

4366ecfc93ba48db7a61c7f7c76f6e15d7c33dba
SHA256

49e2753acd651334356e95b9fbefc50029ca6e5dfeee6356211b262ab658347f
SHA512

ceee818b39c141509f52c816407b61bbe24ab01fba8edc5c62b0735e4b19f8c502e33f567a3cd175092bd838c48b8088018603d171fbb87404359a4c73160588
SSDEEP

786432:XgMtNGezeUts0hj6CWd1FLpoeGMXTmc+F8DS6UuO62Q7I/DU2ySyjMub+m128Ftt:QMHLlaTCiEMpUWr7IrpyLjr+qFzbpQG

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4320	netsh.exe
1016	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
1300	SetACL.exe
4540	SetACL.exe
4076	SetACL.exe
4824	SetACL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1500	taskkill.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeBackupPrivilege	1300	SetACL.exe
Token: SeRestorePrivilege	1300	SetACL.exe
Token: SeSecurityPrivilege	1300	SetACL.exe
Token: SeBackupPrivilege	4540	SetACL.exe
Token: SeRestorePrivilege	4540	SetACL.exe
Token: SeTakeOwnershipPrivilege	4540	SetACL.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeBackupPrivilege	4076	SetACL.exe
Token: SeRestorePrivilege	4076	SetACL.exe
Token: SeBackupPrivilege	4824	SetACL.exe
Token: SeRestorePrivilege	4824	SetACL.exe
Token: SeTakeOwnershipPrivilege	4824	SetACL.exe
Token: SeSecurityPrivilege	4824	SetACL.exe
Token: SeSecurityPrivilege	4824	SetACL.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 1016	4100	setup.exe	68
PID 4100 wrote to memory of 1016	4100	setup.exe	68
PID 4100 wrote to memory of 4320	4100	setup.exe	72
PID 4100 wrote to memory of 4320	4100	setup.exe	72
PID 4100 wrote to memory of 3908	4100	setup.exe	70
PID 4100 wrote to memory of 3908	4100	setup.exe	70
PID 4100 wrote to memory of 2792	4100	setup.exe	76
PID 4100 wrote to memory of 2792	4100	setup.exe	76
PID 4100 wrote to memory of 2856	4100	setup.exe	75
PID 4100 wrote to memory of 2856	4100	setup.exe	75
PID 2856 wrote to memory of 1300	2856	setup.exe	77
PID 2856 wrote to memory of 1300	2856	setup.exe	77
PID 4100 wrote to memory of 3476	4100	setup.exe	79
PID 4100 wrote to memory of 3476	4100	setup.exe	79
PID 3476 wrote to memory of 4540	3476	setup.exe	80
PID 3476 wrote to memory of 4540	3476	setup.exe	80
PID 4100 wrote to memory of 3804	4100	setup.exe	82
PID 4100 wrote to memory of 3804	4100	setup.exe	82
PID 3804 wrote to memory of 1500	3804	setup.exe	83
PID 3804 wrote to memory of 1500	3804	setup.exe	83
PID 4100 wrote to memory of 4732	4100	setup.exe	86
PID 4100 wrote to memory of 4732	4100	setup.exe	86
PID 4732 wrote to memory of 4076	4732	setup.exe	87
PID 4732 wrote to memory of 4076	4732	setup.exe	87
PID 4100 wrote to memory of 2692	4100	setup.exe	90
PID 4100 wrote to memory of 2692	4100	setup.exe	90
PID 2692 wrote to memory of 4796	2692	setup.exe	91
PID 2692 wrote to memory of 4796	2692	setup.exe	91
PID 4100 wrote to memory of 5044	4100	setup.exe	93
PID 4100 wrote to memory of 5044	4100	setup.exe	93
PID 5044 wrote to memory of 4824	5044	setup.exe	94
PID 5044 wrote to memory of 4824	5044	setup.exe	94

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name="Adobe Unlicensed Pop-up" dir=out
  2⤵
  - Modifies Windows Firewall
  PID:1016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c CD /d "%sfxpath:~0,-20%\Adobe 2023" && Set-up.exe
  2⤵
  PID:3908
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Adobe Unlicensed Pop-up" dir=out action=block remoteip=52.22.41.97,52.6.155.20,3.219.243.226,3.233.129.217,18.213.11.84,50.16.47.176,34.237.241.83,54.224.241.105 enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:4320
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn list -lst "f:sddl;w:d,s,o" -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn list -lst "f:sddl;w:d,s,o" -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c IF EXIST "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" ( REN "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" "Cinema 4D.yes" && XCOPY /y /r "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Cinema 4D.exe" "C:\Program Files\Maxon Cinema 4D 2023" )
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn setowner -ownr "n:EIEEIFYE\Admin"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn setowner -ownr "n:EIEEIFYE\Admin"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "TASKKILL" /f /im XD.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im XD.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn ace -ace " "n:EIEEIFYE\Admin;p:full"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn ace -ace " "n:EIEEIFYE\Admin;p:full"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "rewrite.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Adobe Temp\rewrite.cmd" "
    3⤵
    PID:4796
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn restore -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe" -on "C:\Program Files\WindowsApps" -ot file -actn restore -bckp "C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\SetACL.exe

Filesize
446KB

MD5
585469f5f4871c02cc09cafa250d4251

SHA1
bbe610009c2b1e44a4cc8ab59cbaf5ff7607aaa1

SHA256
55ecd80cb9067ee166e183a92444b65fe3f97f9469060ded4cd2ef6fdf61d748

SHA512
54fe6646ba6a00a28354e5009e644a86a8244f8405f56b5a2f6471997078f1d9effdf38e6b6600d8ec19a5f2d23fa2765ccd231e4b0040dbbf3638884bb5008d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\regrights.bkp

Filesize
1KB

MD5
11aea905bd891a424a935d7551c9d75b

SHA1
12836044da18caae2f96b3aafdd4369c07ba75e4

SHA256
0e2f000f6e53ca22eba7ede04c66075ca0325a77b3915b8904aca7922d037a5c

SHA512
ade8805eadaf27f51ebc68c84b1858810f728f842b49f6b5a6af9919736a513c92ddba1344f445725e6eaad5eb5f894395232bf94238606d50c907eed6d21ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\rewrite.cmd

Filesize
384B

MD5
fb1fe6be5e57ae1a7bbcabfd71eda57f

SHA1
7ac604430875193985eb6ad103d3cd7604329c63

SHA256
b8566d6e542aa254eb43bef10d0d23c5a8a9b273aaa407cdb8d5717a0af170ab

SHA512
3392eee4ff5564b439085c65b22234bcbe10901ffd4b35ee04d5f0f7394585dc924b4dd581c695e5ef564653a911059493c23d8ed944efdd53e5c4467a3ab8a6

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads