83713d3fe3357cfbdc0e6746913fa986c4dfa07fcadf277681b2463371145a95

General

Target

Clip1.exe
Size

10.2MB
MD5

f46576d61cf2bf484657ce44311b8e78
SHA1

0c5f38f05b8f872b45d52b820758b2505783effb
SHA256

83713d3fe3357cfbdc0e6746913fa986c4dfa07fcadf277681b2463371145a95
SHA512

31b7d9b51b626fc2f6439d82aea1807f90358fa07fd3e730d0904245d29cb0ba9cb7dff6ce8e8945799948437a65a194d8bd95f2134e5e4751f5b9368876a39b
SSDEEP

196608:fn8VwPdQQ7q5KwF2ZN0Rw5BBP2NHiGLFshH+hOA2dymUEY54JGmtOFGQFoA:OwK7xqa2BPwHiGL+hH+8AUymUHmJNfCH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
768	AdobeFavorites-version7.5.5.0.exe

Loads dropped DLL 1 IoCs

pid	Process
1244	Clip1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run	Clip1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeFavorites-version7.5.5.0 = "C:\\ProgramData\\AdobeFavorites-version7.5.5.0\\AdobeFavorites-version7.5.5.0.exe"	Clip1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1244	Clip1.exe
768	AdobeFavorites-version7.5.5.0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 768	1244	Clip1.exe	27
PID 1244 wrote to memory of 768	1244	Clip1.exe	27
PID 1244 wrote to memory of 768	1244	Clip1.exe	27
PID 1244 wrote to memory of 768	1244	Clip1.exe	27

C:\Users\Admin\AppData\Local\Temp\Clip1.exe
"C:\Users\Admin\AppData\Local\Temp\Clip1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244
- C:\ProgramData\AdobeFavorites-version7.5.5.0\AdobeFavorites-version7.5.5.0.exe
  C:\ProgramData\AdobeFavorites-version7.5.5.0\AdobeFavorites-version7.5.5.0.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeFavorites-version7.5.5.0\AdobeFavorites-version7.5.5.0.exe

Filesize
587.4MB

MD5
27f65d1658b8931f07a682af5c026f82

SHA1
603b5effd78fe3c6cae0fda36a79b160bc2db688

SHA256
f4e55b0fb7feb9e41a962ddc79e235d68123c53f6fe2f5b2f999413773f898f4

SHA512
c99007243d752305201b03ed50d4b44d8801fd266f05dc93a507c198fe6ad562367151474b971d683d944054cf049b334913b4da0556d2fbe052c056d01f758b

Download Submit
C:\ProgramData\AdobeFavorites-version7.5.5.0\AdobeFavorites-version7.5.5.0.exe

Filesize
691.4MB

MD5
001c43611d0cfd76044b91281bf45863

SHA1
c105f5456153daf843a8ec970f32bd211f313141

SHA256
5928c1fdb80793ada1ec8a77731ce6c168ebdfb1da3fc9eacbaba04903590f39

SHA512
94556afb5ecd74b31fda250f1540738fa4853f12f2c75e0d76eb0d1312d37cd7cb691cf658aaf5955651dc572f0640eeb92c664f3b64e4ff84359bdf05989cde

Download Submit
\ProgramData\AdobeFavorites-version7.5.5.0\AdobeFavorites-version7.5.5.0.exe

Filesize
682.8MB

MD5
7abdf222c90a29670bc93ec0b0de4c52

SHA1
d88aec51fdab5797f1f95fded28113d7befd1b09

SHA256
becfd2195ec3a5e4cf144176c5d97c7d3f7d924b5b947a421c1670b1b9d74475

SHA512
12de7093791950a7f0fc43ecd1ab94ee7264c104f7ff5a5a3510ccb1000aa43c4aada0d29295a8c22f019861e2261b06b7f3ad7b9ac57afe58e923514807e479

Download Submit
memory/768-93-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/768-96-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/768-101-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/768-102-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/768-92-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/768-98-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/768-95-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/768-99-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/768-86-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/768-87-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/768-89-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/768-90-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/768-105-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/768-106-0x0000000001190000-0x0000000002371000-memory.dmp

Filesize
17.9MB

Download
memory/1244-62-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1244-64-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1244-74-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1244-73-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1244-71-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1244-70-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1244-68-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1244-67-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1244-65-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1244-75-0x0000000000E70000-0x0000000002051000-memory.dmp

Filesize
17.9MB

Download
memory/1244-55-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1244-61-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1244-60-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1244-59-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1244-58-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1244-57-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1244-56-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1244-54-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing