Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2023 11:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe
- Resource: win10v2004-20230220-en
General
- Target: 9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe
- Size: 7.0MB
- MD5: 04a61b0ee9db0c48d5f3e4d56695c544
- SHA1: 3d3a3d2fa8ce824087fbadb2c02336887bae8fd0
- SHA256: 9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f
- SHA512: 86b371e82b1e59cd3dba4f1dd1694c705f1bff996e362e654af4ed2c850e00b6f7b6f27e1a4de62a477b1471b49eef5b0e8f937e28624ec5648ef4e47201d1b1
- SSDEEP: 98304:C8j4sQ4jTC9zKcIyAPIvRnKqeZWQgh8PnmFVpCRxrZaTubplO2FOYS:1j+PIyDoBY8mFzhTkplO2F0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2008: AdobePackages-7RBN0.5.1.3.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe
    Key created: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run
    Set value (str): \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobePackages-7RBN0.5.1.3 = "C:\\ProgramData\\AdobePackages-7RBN0.5.1.3\\AdobePackages-7RBN0.5.1.3.exe"
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Process: 9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe
    PID 1452 wrote to memory of 2008: 9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe -> AdobePackages-7RBN0.5.1.3.exe
    PID 1452 wrote to memory of 2008: 9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe -> AdobePackages-7RBN0.5.1.3.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\AdobePackages-7RBN0.5.1.3\AdobePackages-7RBN0.5.1.3.exe
    Command line: C:\ProgramData\AdobePackages-7RBN0.5.1.3\AdobePackages-7RBN0.5.1.3.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\AdobePackages-7RBN0.5.1.3\AdobePackages-7RBN0.5.1.3.exe
  Filesize: 757.0MB
  MD5: f4e1b57b7b4a6d8382736e8ef3640ad2
  SHA1: 28ce9c560fcaf80babca05ae40c300c51fa31a18
  SHA256: 7c44eb51b3b41a4b20739ada925518b4d8d1216a8974c9a35849924961a21a30
  SHA512: 565bd5845e524931e47a8fb03be4ac7979b69b618a0d09de38206973fb0b266f12c5294c8f7065b6b5f805ba286a6c7505101130d6dd8f50b95828dda473176b
- memory/1452-133-0x00007FF696DA0000-0x00007FF6974AB000-memory.dmp
  Filesize: 7.0MB
- memory/2008-138-0x00007FF7ED020000-0x00007FF7ED72B000-memory.dmp
  Filesize: 7.0MB