0f7512b2261f407ea682a3ca598ae838ccccfdb40547464abc22746847e77a97

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2023, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f7512b2261f407ea682a3ca598ae838ccccfdb40547464abc22746847e77a97.exe
Size

4.7MB
MD5

cf1b708122d2a2e1f51eded01e2d7c60
SHA1

c3302eeeb5e24ab9c48bdcbc1b2e8b24da79a626
SHA256

0f7512b2261f407ea682a3ca598ae838ccccfdb40547464abc22746847e77a97
SHA512

458132d8d715be6e5bd9295ca1c2ae27a5c5b9f5a0795e4e12a9171ac0db607fe232076eab42551bbd2272584a07a5ef3822dc24b19581c7418b46c37c7440c7
SSDEEP

49152:f4l/heNNkUbWbnyTNNuleoUybPjUmvChhNuFAWzDMmtb2Y6R9fE/sabbG+SRdSMQ:4SqsY0oodjl

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
732	AdobeUSOPrivate-ver9.1.6.0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	0f7512b2261f407ea682a3ca598ae838ccccfdb40547464abc22746847e77a97.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUSOPrivate-ver9.1.6.0 = "C:\\ProgramData\\AdobeUSOPrivate-ver9.1.6.0\\AdobeUSOPrivate-ver9.1.6.0.exe"	0f7512b2261f407ea682a3ca598ae838ccccfdb40547464abc22746847e77a97.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 732	2604	0f7512b2261f407ea682a3ca598ae838ccccfdb40547464abc22746847e77a97.exe	84
PID 2604 wrote to memory of 732	2604	0f7512b2261f407ea682a3ca598ae838ccccfdb40547464abc22746847e77a97.exe	84

C:\Users\Admin\AppData\Local\Temp\0f7512b2261f407ea682a3ca598ae838ccccfdb40547464abc22746847e77a97.exe
"C:\Users\Admin\AppData\Local\Temp\0f7512b2261f407ea682a3ca598ae838ccccfdb40547464abc22746847e77a97.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2604
- C:\ProgramData\AdobeUSOPrivate-ver9.1.6.0\AdobeUSOPrivate-ver9.1.6.0.exe
  C:\ProgramData\AdobeUSOPrivate-ver9.1.6.0\AdobeUSOPrivate-ver9.1.6.0.exe
  2⤵
  - Executes dropped EXE
  PID:732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeUSOPrivate-ver9.1.6.0\AdobeUSOPrivate-ver9.1.6.0.exe

Filesize
754.7MB

MD5
3786fe0307c3dbd685b68ad8e69049cb

SHA1
adce1842a654e52316ecaf7b74f12379f725ef02

SHA256
9b6a8890542f8bbc068032b165459ba7267020550594bf10c00cf603b2949ab0

SHA512
24c290d8635565e4454f576ce7b977df3907325cd620b45af4099655fd63636b9759fed04801287d71d03885a4dbbcf1f9d8a661c9a43bf5460d7923bd2cabe7

Download Submit
C:\ProgramData\AdobeUSOPrivate-ver9.1.6.0\AdobeUSOPrivate-ver9.1.6.0.exe

Filesize
754.7MB

MD5
3786fe0307c3dbd685b68ad8e69049cb

SHA1
adce1842a654e52316ecaf7b74f12379f725ef02

SHA256
9b6a8890542f8bbc068032b165459ba7267020550594bf10c00cf603b2949ab0

SHA512
24c290d8635565e4454f576ce7b977df3907325cd620b45af4099655fd63636b9759fed04801287d71d03885a4dbbcf1f9d8a661c9a43bf5460d7923bd2cabe7

Download Submit