26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4

Analysis

max time kernel
37s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26/05/2023, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4.exe
Size

7.0MB
MD5

7277ef80632a3ab506e321211d0c4b24
SHA1

aa5f385e871fd70328ec5f90bb33b39812b2c315
SHA256

26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4
SHA512

76d29cfc409009d153b817ee0f728d4a45dab6ae51528f9f89682b1578aeace26e22ac3997d5be2f56663e863747d3478a32a63e1249c714a148b3bc0f94d79f
SSDEEP

98304:IHPgElJCxPXITofy9fUtEYrUgkRr5LLF37gwBywSAUF0ph4UEpOijjBnL6Z:yJK4oa98NkRrFWlwSAUepqUEkVZ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1756	AdobeDesktop-UPJR4.5.0.9.exe

Loads dropped DLL 1 IoCs

pid	Process
1592	26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run	26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeDesktop-UPJR4.5.0.9 = "C:\\ProgramData\\AdobeDesktop-UPJR4.5.0.9\\AdobeDesktop-UPJR4.5.0.9.exe"	26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1756	1592	26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4.exe	28
PID 1592 wrote to memory of 1756	1592	26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4.exe	28
PID 1592 wrote to memory of 1756	1592	26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4.exe	28

C:\Users\Admin\AppData\Local\Temp\26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4.exe
"C:\Users\Admin\AppData\Local\Temp\26079b74cfe39260d97fbaff76a6f10f26052acc5a010f02fdf65f0be0e2b0e4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1592
- C:\ProgramData\AdobeDesktop-UPJR4.5.0.9\AdobeDesktop-UPJR4.5.0.9.exe
  C:\ProgramData\AdobeDesktop-UPJR4.5.0.9\AdobeDesktop-UPJR4.5.0.9.exe
  2⤵
  - Executes dropped EXE
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeDesktop-UPJR4.5.0.9\AdobeDesktop-UPJR4.5.0.9.exe

Filesize
757.0MB

MD5
021e32768ee63960469385c561676aea

SHA1
f61fddba670ee84f1d3eafeb0654c1603ed5102d

SHA256
ed158477cdd1effae06641045eda25a1c1e0c5b60f70f815e9564071b64d397e

SHA512
0b53c927ecd0bb2ac3ca31a47ed88c6da683b9b59da849925afb2444d0c2021b868d36b6bb8fbaf03036cd5587ab5614e9ba3b6dc765d8f96ebd65faa5a5f322

Download Submit
\ProgramData\AdobeDesktop-UPJR4.5.0.9\AdobeDesktop-UPJR4.5.0.9.exe

Filesize
757.0MB

MD5
021e32768ee63960469385c561676aea

SHA1
f61fddba670ee84f1d3eafeb0654c1603ed5102d

SHA256
ed158477cdd1effae06641045eda25a1c1e0c5b60f70f815e9564071b64d397e

SHA512
0b53c927ecd0bb2ac3ca31a47ed88c6da683b9b59da849925afb2444d0c2021b868d36b6bb8fbaf03036cd5587ab5614e9ba3b6dc765d8f96ebd65faa5a5f322

Download Submit
memory/1592-54-0x000000013F760000-0x000000013FE65000-memory.dmp

Filesize
7.0MB

Download
memory/1756-59-0x000000013FB30000-0x0000000140235000-memory.dmp

Filesize
7.0MB

Download