2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0

Analysis

max time kernel
37s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0.exe
Size

7.0MB
MD5

8ca300eb351d4ec09c361cc489c2e6b4
SHA1

d9dbc4660a5f465f4db1decd8022315c618c20c3
SHA256

2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0
SHA512

eae05e950f47703ce0d6b58b8660c958d3271b8997ffbe8eb55b1d0cb71b51e125ebba7ad07cb47868941532250b29da9074258b49e91cc369640339621ff7a0
SSDEEP

98304:eB1j5NSDeNWvTI6ClMLy53eqFUq28IVvL+S29BZ7292:45NSiNWb27vN28IVvL+LrH

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1360	FavoritesAdobe-ver6.7.4.6.exe

Loads dropped DLL 1 IoCs

pid	Process
828	2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run	2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\FavoritesAdobe-ver6.7.4.6 = "C:\\ProgramData\\FavoritesAdobe-ver6.7.4.6\\FavoritesAdobe-ver6.7.4.6.exe"	2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1360	828	2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0.exe	28
PID 828 wrote to memory of 1360	828	2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0.exe	28
PID 828 wrote to memory of 1360	828	2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0.exe	28

C:\Users\Admin\AppData\Local\Temp\2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0.exe
"C:\Users\Admin\AppData\Local\Temp\2754d7ba0dc89162aad3bd19b494b29fa69cca370caf5943cd5dbfbad8ebdfe0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:828
- C:\ProgramData\FavoritesAdobe-ver6.7.4.6\FavoritesAdobe-ver6.7.4.6.exe
  C:\ProgramData\FavoritesAdobe-ver6.7.4.6\FavoritesAdobe-ver6.7.4.6.exe
  2⤵
  - Executes dropped EXE
  PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FavoritesAdobe-ver6.7.4.6\FavoritesAdobe-ver6.7.4.6.exe

Filesize
493.6MB

MD5
4b9c910b152dd61a4939a58bd3801d0e

SHA1
0a63d5cd58db2d5ca1e77b3351d3dfb15d7aea6d

SHA256
b5282c1ea2d6d845e1876901f2e1eabc0fa301827dab928cc77bb7e0acabc94f

SHA512
0fb279336f55bb43347dfc0f6735779b5d5cfee27690745640d6ff3ac86e1d13566f8e28e2858e45fefbfd1a17f0a3bbedd0e4891f8462ca49ec344a58c1fe6a

Download Submit
\ProgramData\FavoritesAdobe-ver6.7.4.6\FavoritesAdobe-ver6.7.4.6.exe

Filesize
494.1MB

MD5
3b0bb1118c0223db7d0098363161d92f

SHA1
43a65b49508a187dd509214ce5e8d2c29acc7b3a

SHA256
66b476fa6a7b32a5064556339531a9bc69a36f126b29e9bfa37dec232efd3cdd

SHA512
b34ae027b7cbd5e99fd9a6f8dde9e00a79d763faf628ea99c375f84ea2898796c954179d971cfe5a176d3c75b1dce542b072f183c91587e33d6196bbb23f912b

Download Submit
memory/828-54-0x0000000140000000-0x0000000140708000-memory.dmp

Filesize
7.0MB

Download
memory/1360-62-0x0000000140000000-0x0000000140708000-memory.dmp

Filesize
7.0MB

Download