19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 13:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe
Size

4.7MB
MD5

2623b2d34b0dd5a3f2e4966fc8a02357
SHA1

0a771728006e61308840747fb1de9f0453a5cbb3
SHA256

19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169
SHA512

3e70d9044a1795f432c6a86f59d3e128c4482e3465fe7b1a5ca93c4aa11198271d446e4f70ee4fdbdc27986f38ea86f20ae573384f3991d34fca97c6abc72856
SSDEEP

49152:6G6/2U4wSvwyLr40GK3BScph1gWJpq/kRfqS56kWp1cflUnCkrnmOqK:gm7ffzMklxkLmOq

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3820	AdobeDocuments-ver6.7.8.0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeDocuments-ver6.7.8.0 = "C:\\ProgramData\\AdobeDocuments-ver6.7.8.0\\AdobeDocuments-ver6.7.8.0.exe"	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 3820	4144	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe	85
PID 4144 wrote to memory of 3820	4144	19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe	85

C:\Users\Admin\AppData\Local\Temp\19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe
"C:\Users\Admin\AppData\Local\Temp\19a26372a1e8e124365fb79f04cafeea94f89b5fcd2953570cb39efe490f1169.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4144
- C:\ProgramData\AdobeDocuments-ver6.7.8.0\AdobeDocuments-ver6.7.8.0.exe
  C:\ProgramData\AdobeDocuments-ver6.7.8.0\AdobeDocuments-ver6.7.8.0.exe
  2⤵
  - Executes dropped EXE
  PID:3820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeDocuments-ver6.7.8.0\AdobeDocuments-ver6.7.8.0.exe

Filesize
754.7MB

MD5
e97deca680688b3895a35f47359fa786

SHA1
f5a29b30df94a27fc78de4a3a5f2f3279eb987ee

SHA256
bdf5563636e2b98887cfef83eea73c21c444e728bc2c156eed36752b22d7a01b

SHA512
ea7ebb68ab291dd9d732102578f35ab08e97db1b726af22a275b3a036eeecff3b3438a8f55ba0e3683233aa0ed430222da2c729d1e48a688a17501ffef8b7061

Download Submit
C:\ProgramData\AdobeDocuments-ver6.7.8.0\AdobeDocuments-ver6.7.8.0.exe

Filesize
754.7MB

MD5
e97deca680688b3895a35f47359fa786

SHA1
f5a29b30df94a27fc78de4a3a5f2f3279eb987ee

SHA256
bdf5563636e2b98887cfef83eea73c21c444e728bc2c156eed36752b22d7a01b

SHA512
ea7ebb68ab291dd9d732102578f35ab08e97db1b726af22a275b3a036eeecff3b3438a8f55ba0e3683233aa0ed430222da2c729d1e48a688a17501ffef8b7061

Download Submit