086341bff44d09b4e39cc5f703113396603a16e0e530d6abb7a99a90f25e0d53

Analysis

max time kernel
38s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-04-2023 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhotoshopPortable.exe
Size

90KB
MD5

3677cff3773afcc12c050cba38693954
SHA1

59e5e8d70d7e094848e4286c510abec1935de9f7
SHA256

086341bff44d09b4e39cc5f703113396603a16e0e530d6abb7a99a90f25e0d53
SHA512

9dcad36fb38e3454539e28129f05346dcfc3f7de027aeeb51263ef3fa948f36cb781b2dd5354b8bd841e95fa420a67da882ad0f70aef4b7a996ccdb6d13b3306
SSDEEP

1536:t1E/rzW2pakRmB7BW3nKscGbAm/TcQKEtp99gQ53nCqYCUfNLbHB941qy9g1Vl/t:t1E/rS2paccKntcG0mrJltpHnCsK19QE

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1708	PhotoshopPortable.exe
1708	PhotoshopPortable.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\SLCache\	PhotoshopPortable.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\cache\	PhotoshopPortable.exe
File opened for modification	C:\Program Files\Common Files\Adobe\	PhotoshopPortable.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe Photoshop CC 2018\32 bit Photoshop dlls\	PhotoshopPortable.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Color\	PhotoshopPortable.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\	PhotoshopPortable.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\	PhotoshopPortable.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe Photoshop CC 2018\	PhotoshopPortable.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Color Profiles\	PhotoshopPortable.exe
File opened for modification	C:\Program Files\Common Files\Adobe\HelpCfg\	PhotoshopPortable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf\PersistentHandler	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp-Backup	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf\PersistentHandler\ = "{eec97550-47a9-11cf-b952-00aa0051fe20}"	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.api-Backup	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp-Backup\ = "aspfile"	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp-Backup\PersistentHandler	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd-Backup\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd\PersistentHandler	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api-Backup\AcroExch.Plugin	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.api-Backup\AcroExch.Plugin\ShellNew	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\AcroExch.Plugin\SHELLNEW	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp\PersistentHandler	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd-Backup\PersistentHandler	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp\PersistentHandler	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp\PersistentHandler\ = "{eec97550-47a9-11cf-b952-00aa0051fe20}"	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.api-Backup\AcroExch.Plugin	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp-Backup\PersistentHandler	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd-Backup	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf-Backup	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\AcroExch.Plugin	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf-Backup	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\ = "AcroExch.Plugin"	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\AcroExch.Plugin	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api-Backup\AcroExch.Plugin\SHELLNEW	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd-Backup\PersistentHandler	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf\PersistentHandler	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf-Backup\PersistentHandler	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp-Backup	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf-Backup\PersistentHandler\ = "{eec97550-47a9-11cf-b952-00aa0051fe20}"	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf	PhotoshopPortable.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api-Backup	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.api-Backup\ = "AcroExch.Plugin"	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf-Backup\PersistentHandler	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.api	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp-Backup\PersistentHandler\ = "{eec97550-47a9-11cf-b952-00aa0051fe20}"	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd-Backup	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\AcroExch.Plugin\ShellNew	PhotoshopPortable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.asp\ = "aspfile"	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.psd\PersistentHandler	PhotoshopPortable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.srf	PhotoshopPortable.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1708	PhotoshopPortable.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
584	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	PhotoshopPortable.exe
Token: SeDebugPrivilege	584	taskmgr.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe
584	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\PhotoshopPortable.exe
"C:\Users\Admin\AppData\Local\Temp\PhotoshopPortable.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdFE3F.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdFE3F.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFE3F.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFE3F.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
memory/584-72-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/584-73-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/584-74-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/584-75-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1708-63-0x0000000000440000-0x0000000000499000-memory.dmp

Filesize
356KB

Download