d80b10e3ca6ec15589db173fc95ae5b345fdc0251d15ac0560c25235f91b383c

Analysis

max time kernel
61s
max time network
109s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
18/05/2023, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80b10e3ca6ec15589db173fc95ae5b345fdc0251d15ac0560c25235f91b383c.exe
Size

4.7MB
MD5

525d57a2e4ebb98b92a8157d512955c1
SHA1

3155f6c01df7f87a6f36db29b1e32876497c9944
SHA256

d80b10e3ca6ec15589db173fc95ae5b345fdc0251d15ac0560c25235f91b383c
SHA512

ae1de05908222ddfcb73c8eaeba149f0c38eb227f1f891b2ea1d796060da0b3d3478a80e266139f9f64702f4337242b1ba83d20fb8bb3a76b98b3ccc73000579
SSDEEP

49152:bivYD2/rd60+CoCsehNpwMcSgIDHf+A4VfgWaGP6U8ClMdld:mnl+IS6Uod3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4036	AdobeUSOPrivate-ver5.3.8.7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run	d80b10e3ca6ec15589db173fc95ae5b345fdc0251d15ac0560c25235f91b383c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUSOPrivate-ver5.3.8.7 = "C:\\ProgramData\\AdobeUSOPrivate-ver5.3.8.7\\AdobeUSOPrivate-ver5.3.8.7.exe"	d80b10e3ca6ec15589db173fc95ae5b345fdc0251d15ac0560c25235f91b383c.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4036	4116	d80b10e3ca6ec15589db173fc95ae5b345fdc0251d15ac0560c25235f91b383c.exe	66
PID 4116 wrote to memory of 4036	4116	d80b10e3ca6ec15589db173fc95ae5b345fdc0251d15ac0560c25235f91b383c.exe	66

C:\Users\Admin\AppData\Local\Temp\d80b10e3ca6ec15589db173fc95ae5b345fdc0251d15ac0560c25235f91b383c.exe
"C:\Users\Admin\AppData\Local\Temp\d80b10e3ca6ec15589db173fc95ae5b345fdc0251d15ac0560c25235f91b383c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116
- C:\ProgramData\AdobeUSOPrivate-ver5.3.8.7\AdobeUSOPrivate-ver5.3.8.7.exe
  C:\ProgramData\AdobeUSOPrivate-ver5.3.8.7\AdobeUSOPrivate-ver5.3.8.7.exe
  2⤵
  - Executes dropped EXE
  PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeUSOPrivate-ver5.3.8.7\AdobeUSOPrivate-ver5.3.8.7.exe

Filesize
754.7MB

MD5
b5819575e0c1f3f027fc2685f310cfe5

SHA1
21159ed49f698752641bd2bca3b8916f60f77806

SHA256
57fd8873d710c3001a1240e72cfa60be6d1337a2d0f90577ca1e75552d6416ac

SHA512
15a936bb8e3a75112ab829c25b9dd30f3c95ce11f7089255beb7c99099ce8a5e8fad4a3d249f88cbc83beb9aa02334ed2b547a040e9e2f0aef20a7167b4a2f53

Download Submit
C:\ProgramData\AdobeUSOPrivate-ver5.3.8.7\AdobeUSOPrivate-ver5.3.8.7.exe

Filesize
754.7MB

MD5
b5819575e0c1f3f027fc2685f310cfe5

SHA1
21159ed49f698752641bd2bca3b8916f60f77806

SHA256
57fd8873d710c3001a1240e72cfa60be6d1337a2d0f90577ca1e75552d6416ac

SHA512
15a936bb8e3a75112ab829c25b9dd30f3c95ce11f7089255beb7c99099ce8a5e8fad4a3d249f88cbc83beb9aa02334ed2b547a040e9e2f0aef20a7167b4a2f53

Download Submit