9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2023 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe
Size

7.0MB
MD5

04a61b0ee9db0c48d5f3e4d56695c544
SHA1

3d3a3d2fa8ce824087fbadb2c02336887bae8fd0
SHA256

9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f
SHA512

86b371e82b1e59cd3dba4f1dd1694c705f1bff996e362e654af4ed2c850e00b6f7b6f27e1a4de62a477b1471b49eef5b0e8f937e28624ec5648ef4e47201d1b1
SSDEEP

98304:C8j4sQ4jTC9zKcIyAPIvRnKqeZWQgh8PnmFVpCRxrZaTubplO2FOYS:1j+PIyDoBY8mFzhTkplO2F0

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

AdobePackages-7RBN0.5.1.3.exe

pid process

2008 AdobePackages-7RBN0.5.1.3.exe

pid	process
2008	AdobePackages-7RBN0.5.1.3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobePackages-7RBN0.5.1.3 = "C:\\ProgramData\\AdobePackages-7RBN0.5.1.3\\AdobePackages-7RBN0.5.1.3.exe"	9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe

description	pid	process	target process
PID 1452 wrote to memory of 2008	1452	9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe	AdobePackages-7RBN0.5.1.3.exe
PID 1452 wrote to memory of 2008	1452	9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe	AdobePackages-7RBN0.5.1.3.exe

C:\Users\Admin\AppData\Local\Temp\9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe
"C:\Users\Admin\AppData\Local\Temp\9a28f0b1e09ffb82f27417b769461b9fd714999e8b34ca489ac7bc10595e5a6f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1452

C:\ProgramData\AdobePackages-7RBN0.5.1.3\AdobePackages-7RBN0.5.1.3.exe
C:\ProgramData\AdobePackages-7RBN0.5.1.3\AdobePackages-7RBN0.5.1.3.exe
2⤵
- Executes dropped EXE
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobePackages-7RBN0.5.1.3\AdobePackages-7RBN0.5.1.3.exe
Filesize
757.0MB

MD5
f4e1b57b7b4a6d8382736e8ef3640ad2

SHA1
28ce9c560fcaf80babca05ae40c300c51fa31a18

SHA256
7c44eb51b3b41a4b20739ada925518b4d8d1216a8974c9a35849924961a21a30

SHA512
565bd5845e524931e47a8fb03be4ac7979b69b618a0d09de38206973fb0b266f12c5294c8f7065b6b5f805ba286a6c7505101130d6dd8f50b95828dda473176b

Download Submit
C:\ProgramData\AdobePackages-7RBN0.5.1.3\AdobePackages-7RBN0.5.1.3.exe
Filesize
757.0MB

MD5
f4e1b57b7b4a6d8382736e8ef3640ad2

SHA1
28ce9c560fcaf80babca05ae40c300c51fa31a18

SHA256
7c44eb51b3b41a4b20739ada925518b4d8d1216a8974c9a35849924961a21a30

SHA512
565bd5845e524931e47a8fb03be4ac7979b69b618a0d09de38206973fb0b266f12c5294c8f7065b6b5f805ba286a6c7505101130d6dd8f50b95828dda473176b

Download Submit
memory/1452-133-0x00007FF696DA0000-0x00007FF6974AB000-memory.dmp

Filesize
7.0MB

Download
memory/2008-138-0x00007FF7ED020000-0x00007FF7ED72B000-memory.dmp

Filesize
7.0MB

Download