43bce624eb4809b65b128f3e8541ba484bf2fb41388c0a80dff48c2568ef9faf

Analysis

max time kernel
125s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2023, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43bce624eb4809b65b128f3e8541ba484bf2fb41388c0a80dff48c2568ef9faf.exe
Size

6.9MB
MD5

13cc585059bbbfa6d0f92b8e331719bd
SHA1

e4bd437a685f39fbe40f3fdf5b282f47608fb760
SHA256

43bce624eb4809b65b128f3e8541ba484bf2fb41388c0a80dff48c2568ef9faf
SHA512

a51f0e1df990828ec26115901f20d82e97cb66a68387967a37145352fbd7731d43c1c06023959177a6c1100deefc6a2d0eee52cae2b05876938e60c08b6852ff
SSDEEP

98304:EONyfkb9IK/j/XLG52RO/cBihQWqV9dI2vOqn7wKxH5JulgSJJiz2SLSbRk:19b7XLGj/8KQfVM2v77T15girL++

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4472	SoftwareDistributionAdobe-JIC6A7.3.0.7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	43bce624eb4809b65b128f3e8541ba484bf2fb41388c0a80dff48c2568ef9faf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftwareDistributionAdobe-JIC6A7.3.0.7 = "C:\\ProgramData\\SoftwareDistributionAdobe-JIC6A7.3.0.7\\SoftwareDistributionAdobe-JIC6A7.3.0.7.exe"	43bce624eb4809b65b128f3e8541ba484bf2fb41388c0a80dff48c2568ef9faf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 4472	3436	43bce624eb4809b65b128f3e8541ba484bf2fb41388c0a80dff48c2568ef9faf.exe	85
PID 3436 wrote to memory of 4472	3436	43bce624eb4809b65b128f3e8541ba484bf2fb41388c0a80dff48c2568ef9faf.exe	85

C:\Users\Admin\AppData\Local\Temp\43bce624eb4809b65b128f3e8541ba484bf2fb41388c0a80dff48c2568ef9faf.exe
"C:\Users\Admin\AppData\Local\Temp\43bce624eb4809b65b128f3e8541ba484bf2fb41388c0a80dff48c2568ef9faf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3436
- C:\ProgramData\SoftwareDistributionAdobe-JIC6A7.3.0.7\SoftwareDistributionAdobe-JIC6A7.3.0.7.exe
  C:\ProgramData\SoftwareDistributionAdobe-JIC6A7.3.0.7\SoftwareDistributionAdobe-JIC6A7.3.0.7.exe
  2⤵
  - Executes dropped EXE
  PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistributionAdobe-JIC6A7.3.0.7\SoftwareDistributionAdobe-JIC6A7.3.0.7.exe

Filesize
756.9MB

MD5
1789dcb5009428a3d6d8e30945e4df2f

SHA1
7ca6159656d5fea6c8f598ed5f8ab80707d2e1f5

SHA256
1d1ffdca0252646c3a2f9c3df8dcf7600939be5673b813c3fba4ac61db1d0c9b

SHA512
5eb654b045676b90b339d53045d632a948a1f10ff0c87ff4b15f127ea1555307d288b7589199b8bad54b860f4c08646c65134314da62cb9c2f6cec3b0131387a

Download Submit
C:\ProgramData\SoftwareDistributionAdobe-JIC6A7.3.0.7\SoftwareDistributionAdobe-JIC6A7.3.0.7.exe

Filesize
756.9MB

MD5
1789dcb5009428a3d6d8e30945e4df2f

SHA1
7ca6159656d5fea6c8f598ed5f8ab80707d2e1f5

SHA256
1d1ffdca0252646c3a2f9c3df8dcf7600939be5673b813c3fba4ac61db1d0c9b

SHA512
5eb654b045676b90b339d53045d632a948a1f10ff0c87ff4b15f127ea1555307d288b7589199b8bad54b860f4c08646c65134314da62cb9c2f6cec3b0131387a

Download Submit
memory/3436-133-0x00007FF73E650000-0x00007FF73ED44000-memory.dmp

Filesize
7.0MB

Download
memory/4472-138-0x00007FF7FBB30000-0x00007FF7FC224000-memory.dmp

Filesize
7.0MB

Download