e3e1359104bbda6f7095b6dc5d35134d52a9a1a0101c88530bcb7cbebbe51a9c

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07-08-2023 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FireflyAI_JC.exe
Size

45.7MB
MD5

5d058ac0a96ea904495b4ad08e725fe9
SHA1

c70ecff66304842c3a0cb07181343f261a23feb0
SHA256

e3e1359104bbda6f7095b6dc5d35134d52a9a1a0101c88530bcb7cbebbe51a9c
SHA512

537df99ecdc6470ce000646797e2b9f357e755cd89e3d6204150c8b6544fe36fbd9f460acd0ac1af719da22af109bca2b04ce9c0f62b715604040aad64f50704
SSDEEP

786432:E5CUXgrAXasuqWaL2vPdgnIFUR9A5UqrkBGnk9kEgsYNzhMjxnfQysN:bsVXz+1qIFUCyBGkeEgdzw/4

Score

8^/10

evasion

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3024	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
616	sqlite3.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	sqlite3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
680	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
616	sqlite3.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 35	1520	cmd.exe
Token: 35	1520	cmd.exe
Token: 35	1520	cmd.exe
Token: 35	1520	cmd.exe
Token: 35	1520	cmd.exe
Token: 35	1520	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2324	2668	FireflyAI_JC.exe	28
PID 2668 wrote to memory of 2324	2668	FireflyAI_JC.exe	28
PID 2668 wrote to memory of 2324	2668	FireflyAI_JC.exe	28
PID 2324 wrote to memory of 1520	2324	FireflyAI_JC.exe	29
PID 2324 wrote to memory of 1520	2324	FireflyAI_JC.exe	29
PID 2324 wrote to memory of 1520	2324	FireflyAI_JC.exe	29
PID 1520 wrote to memory of 2252	1520	cmd.exe	31
PID 1520 wrote to memory of 2252	1520	cmd.exe	31
PID 1520 wrote to memory of 2252	1520	cmd.exe	31
PID 2252 wrote to memory of 680	2252	cmd.exe	32
PID 2252 wrote to memory of 680	2252	cmd.exe	32
PID 2252 wrote to memory of 680	2252	cmd.exe	32
PID 2252 wrote to memory of 2200	2252	cmd.exe	33
PID 2252 wrote to memory of 2200	2252	cmd.exe	33
PID 2252 wrote to memory of 2200	2252	cmd.exe	33
PID 1520 wrote to memory of 836	1520	cmd.exe	34
PID 1520 wrote to memory of 836	1520	cmd.exe	34
PID 1520 wrote to memory of 836	1520	cmd.exe	34
PID 1520 wrote to memory of 2416	1520	cmd.exe	35
PID 1520 wrote to memory of 2416	1520	cmd.exe	35
PID 1520 wrote to memory of 2416	1520	cmd.exe	35
PID 1520 wrote to memory of 1048	1520	cmd.exe	36
PID 1520 wrote to memory of 1048	1520	cmd.exe	36
PID 1520 wrote to memory of 1048	1520	cmd.exe	36
PID 1520 wrote to memory of 1168	1520	cmd.exe	37
PID 1520 wrote to memory of 1168	1520	cmd.exe	37
PID 1520 wrote to memory of 1168	1520	cmd.exe	37
PID 1520 wrote to memory of 1096	1520	cmd.exe	38
PID 1520 wrote to memory of 1096	1520	cmd.exe	38
PID 1520 wrote to memory of 1096	1520	cmd.exe	38
PID 1520 wrote to memory of 1480	1520	cmd.exe	39
PID 1520 wrote to memory of 1480	1520	cmd.exe	39
PID 1520 wrote to memory of 1480	1520	cmd.exe	39
PID 1520 wrote to memory of 1220	1520	cmd.exe	40
PID 1520 wrote to memory of 1220	1520	cmd.exe	40
PID 1520 wrote to memory of 1220	1520	cmd.exe	40
PID 1520 wrote to memory of 1360	1520	cmd.exe	41
PID 1520 wrote to memory of 1360	1520	cmd.exe	41
PID 1520 wrote to memory of 1360	1520	cmd.exe	41
PID 1520 wrote to memory of 1920	1520	cmd.exe	42
PID 1520 wrote to memory of 1920	1520	cmd.exe	42
PID 1520 wrote to memory of 1920	1520	cmd.exe	42
PID 1520 wrote to memory of 1788	1520	cmd.exe	43
PID 1520 wrote to memory of 1788	1520	cmd.exe	43
PID 1520 wrote to memory of 1788	1520	cmd.exe	43
PID 1520 wrote to memory of 1308	1520	cmd.exe	44
PID 1520 wrote to memory of 1308	1520	cmd.exe	44
PID 1520 wrote to memory of 1308	1520	cmd.exe	44
PID 1520 wrote to memory of 964	1520	cmd.exe	45
PID 1520 wrote to memory of 964	1520	cmd.exe	45
PID 1520 wrote to memory of 964	1520	cmd.exe	45
PID 1520 wrote to memory of 1304	1520	cmd.exe	46
PID 1520 wrote to memory of 1304	1520	cmd.exe	46
PID 1520 wrote to memory of 1304	1520	cmd.exe	46
PID 1520 wrote to memory of 1620	1520	cmd.exe	47
PID 1520 wrote to memory of 1620	1520	cmd.exe	47
PID 1520 wrote to memory of 1620	1520	cmd.exe	47
PID 1520 wrote to memory of 2524	1520	cmd.exe	48
PID 1520 wrote to memory of 2524	1520	cmd.exe	48
PID 1520 wrote to memory of 2524	1520	cmd.exe	48
PID 1520 wrote to memory of 1260	1520	cmd.exe	49
PID 1520 wrote to memory of 1260	1520	cmd.exe	49
PID 1520 wrote to memory of 1260	1520	cmd.exe	49
PID 1520 wrote to memory of 2388	1520	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe
"C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe" -sfxwaitall:1 "replace.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Adobe Temp\replace.cmd" "
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SOFTWARE\Adobe\Photoshop\170.0 /s | FINDSTR /irc:ApplicationPath
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKLM\SOFTWARE\Adobe\Photoshop\170.0 /s
        5⤵
        Modifies registry key
        
        PID:680
    - - C:\Windows\system32\findstr.exe
        
        FINDSTR /irc:ApplicationPath
        5⤵
        
        PID:2200
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Required "Required"
      4⤵
      PID:836
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\cs_CZ "Locales\cs_CZ"
      4⤵
      PID:2416
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\da_DK "Locales\da_DK"
      4⤵
      PID:1048
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\de_DE "Locales\de_DE"
      4⤵
      PID:1168
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_AE "Locales\en_AE"
      4⤵
      PID:1096
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_GB "Locales\en_GB"
      4⤵
      PID:1480
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_IL "Locales\en_IL"
      4⤵
      PID:1220
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_US "Locales\en_US"
      4⤵
      PID:1360
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\es_ES "Locales\es_ES"
      4⤵
      PID:1920
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\es_MX "Locales\es_MX"
      4⤵
      PID:1788
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fi_FI "Locales\fi_FI"
      4⤵
      PID:1308
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fr_CA "Locales\fr_CA"
      4⤵
      PID:964
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fr_FR "Locales\fr_FR"
      4⤵
      PID:1304
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fr_MA "Locales\fr_MA"
      4⤵
      PID:1620
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\hu_HU "Locales\hu_HU"
      4⤵
      PID:2524
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\it_IT "Locales\it_IT"
      4⤵
      PID:1260
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\ja_JP "Locales\ja_JP"
      4⤵
      PID:2388
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\ko_KR "Locales\ko_KR"
      4⤵
      PID:1820
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\nb_NO "Locales\nb_NO"
      4⤵
      PID:1556
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\nl_NL "Locales\nl_NL"
      4⤵
      PID:2604
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\pl_PL "Locales\pl_PL"
      4⤵
      PID:276
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\pt_BR "Locales\pt_BR"
      4⤵
      PID:1708
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\ru_RU "Locales\ru_RU"
      4⤵
      PID:2448
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\sv_SE "Locales\sv_SE"
      4⤵
      PID:1884
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\tr_TR "Locales\tr_TR"
      4⤵
      PID:1720
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\uk_UA "Locales\uk_UA"
      4⤵
      PID:1904
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\zh_CN "Locales\zh_CN"
      4⤵
      PID:904
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\zh_TW "Locales\zh_TW"
      4⤵
      PID:948
  - - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\sqlite3.exe
      sqlite3.exe "C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:616
  - - C:\Windows\system32\netsh.exe
      NETSH advfirewall firewall delete rule name="Adobe Unlicensed Pop-up" dir=out
      4⤵
      Modifies Windows Firewall
      PID:3024
  - - C:\Windows\system32\find.exe
      FIND /c /i "ic.adobe.io" C:\Windows\system32\drivers\etc\hosts
      4⤵
      PID:2180
  - - C:\Windows\system32\find.exe
      FIND /c /i "1hzopx6nz7.adobe.io" C:\Windows\system32\drivers\etc\hosts
      4⤵
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\en_AE\Support Files\Shortcuts\Win\Default Keyboard Shortcuts.kys

Filesize
19KB

MD5
e1e71e61d5388774c468d5bf0bafb7c1

SHA1
126c4794b14d74c4566f4f1d88e019d5a024eec6

SHA256
60a04127dd07fd8994c57823e0c34a7e93baab4428fb6fee85b8e6a91773c7b5

SHA512
63a1350e7c09683e03c9126b4d35ffb399040d8318d45a273df72e50b474741fdd075f6dd5762834ca79ba51e577107352a6c74c12ef487b008412a121d699ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\en_GB\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
96B

MD5
303d07950ebdb1129ed20b56517eec03

SHA1
af8ae6e4068d13bd59aa282cdd7a10b4a1f46b92

SHA256
999dd9c1b23bba7418102e894e7773176fb6b95d783ad1530924bf63249284da

SHA512
1e695f05a23e3194aa4a57295b6914c46ff785a08e1dc4b1b280470f8d55b4c3446eb75b6850fad9ee52d7e2843e8710e68dcccf10c03a84d2a15727a0be9242

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\en_IL\Support Files\tw10428_Photoshop_en_IL.dat

Filesize
4.3MB

MD5
844e1f4e0f0c51c0fdb49dec014e5e9d

SHA1
f012c0918a5c71f3111d62c927d9bb8b519859cb

SHA256
5448f910cebe6c5ff8463ea929035f262332dcccae4277c02346e7f77010ae3f

SHA512
34a0160eb1edf29db6ee4ebb4af4f944900c9b4459f68c1ad65102f2e325a4ade622808b06cab3d881c65bc05854e852ee11f8d36f6d1f13d82607c5534fe2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\fr_MA\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
62B

MD5
8390d32666562a7f99f17b6893e6df80

SHA1
a8402c23d66f348314dcbb722a1d8435fcd3e745

SHA256
8f43479b5bb5047ba774c7c4f5dcf86967655642bb401ea44d78a75b1935ad0b

SHA512
729f6c2f79fea8dcb3d0b0912d39ccdef7d1417b56c2912ed7ff93c3537fcd6bf9451c3c5783c72b1572924fe99a65e230d7d5ca08ad074f542fdfc1179a7f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\fr_MA\Support Files\tw10428_Photoshop_fr_MA.dat

Filesize
4.8MB

MD5
32d58ef11ea5ea1d3c412feb53f8f7df

SHA1
f919f2e5dee6bc95dac93b401da42f1ce74e3d73

SHA256
c61f0b39cc3565fc577e5abedc71461be4d5bb0bb9d471f735854dfd7843c963

SHA512
617f91c4401afbe1971e2192fe215aa206002524f24313c16b7562b4d917ae749016148294b4186b6e5d157243d8c0b7a6e050eb60cd8c7328899efd1a785ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\nb_NO\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
79B

MD5
6e77a75580a4451bb6f15b31e555f75c

SHA1
4822d8c407fcb0ebf3311a79029fa83455e2ee2e

SHA256
e9dbca0116cef1d354dab6e54b9b7414d1df6bf6a79bc9329137391a227bd7bf

SHA512
2aa08ba3332751cd61b1e0fbb2c6f33b39ef740163457fdf59998a92561d378b3d4ccf11ee7a0b36b660a64e27dfb57f372f898398561acc787830c4fd65d849

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\PSRes.dll

Filesize
834KB

MD5
00a191229680f944baba5fe2c5c86b82

SHA1
9278b6cb1d94fcbb34731769de5389fb7315d8d6

SHA256
862deaf1e9e3918eb54602acc0baa5914626960fb3871de3e0db6177d8d2cf65

SHA512
40bdf64b8fbabf6ac7c6d090bb95337af3f459933e59700e3a4f2d9f787247267ec4ded38074680b9b9dbe82d6a0d1af116a2f60f97fb31dd09ae92aea75150d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\PSViews.dll

Filesize
3.0MB

MD5
6a4fbd903bad66f65ea3d5bc38377e4c

SHA1
8e18afe4a0aa5e0e216a893512f0610b3df9542a

SHA256
7b3c9d991c24b55820a871103d84044dd5c420e2f68bdd5430c52a80438f0eb5

SHA512
63f466f6d92a08c49d1a08ede5f3c02f9b571f54e1c720e0300b03d432ae7da8b869070d3c2e9618ce8e0ee0eb82ee0585b92798570a099abd75404f22512191

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Photoshop.exe

Filesize
165.5MB

MD5
a883d52f064d3305bb802c7cc14e6067

SHA1
16d392944f784faa796ff2666111f7616b22a769

SHA256
f4e734cd3d7cbd4a148448cee22e46584cef80e5d08e5f6ac832e12c326deb34

SHA512
5044b4712fafe19a5827ab5306088c0fffb009c111e147ad9b81001bca69bcbca0366c47dfad59988276c70010dba0997b46136f56c40a5d78610c1126ffcd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\hdpim.sql

Filesize
14KB

MD5
9542879bc87ce745aced4028f76eea0c

SHA1
5238cdd7246065356bfdba57c75f43528c52eb90

SHA256
195be10d7034196eef1fc861a2de8c76200a1af9928354ab0ddaae7391f1fc53

SHA512
0b91336a69dcee713ecc9681a571e3b6dd34ef65488fe523eb08acf450cb47e30b5791b87ecb9358bd8d224208030a94c5c9f2764186df989bf7e36fc115f16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\replace.cmd

Filesize
4KB

MD5
0e867a0312dbe36cb952272dd9d88ba1

SHA1
c4d68c2e374d34e451f0bf906a2d2bd924a94042

SHA256
202f4dc1744aa3548b537630c6c961cf583060be8c0e7351c755afc3842ece02

SHA512
1091e33ca4d3c7c2b3546fee3515b57b16a453ec13afbc8a4705c1c53ae0a3beaeb678bb5fb4460b337fb94714389b15bf1d1691a22be46e802a5e6171f1b7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\sqlite3.exe

Filesize
1.1MB

MD5
ec8c73f8c88b66cbbbc9128579aa822c

SHA1
c0617b992fac1e0153f46e49bd4497f8df98503b

SHA256
05b5783917c39417b5db3b3bcdd66b2effdf0bd764350ebaefc032804b825597

SHA512
3fdadbc5e9f38172c12cc5469513b55e734fdf12a7a3a2269c9e1796b53c7fe8ba9e153ed5d0b85c3ebff8ce3b923fd8144c777bd864fbd61ff12fce0e5ac788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\sqlite3.exe

Filesize
1.1MB

MD5
ec8c73f8c88b66cbbbc9128579aa822c

SHA1
c0617b992fac1e0153f46e49bd4497f8df98503b

SHA256
05b5783917c39417b5db3b3bcdd66b2effdf0bd764350ebaefc032804b825597

SHA512
3fdadbc5e9f38172c12cc5469513b55e734fdf12a7a3a2269c9e1796b53c7fe8ba9e153ed5d0b85c3ebff8ce3b923fd8144c777bd864fbd61ff12fce0e5ac788

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1002B

MD5
75147b2c10798e33713aca292b36be3f

SHA1
889a9e03129ee329bad6b3421bfbe09fadcfca27

SHA256
a66152836d6870d2abe645b61343eb7b8f6424cdcf12a213975e1e79d3fde0de

SHA512
dfa0236c1952e9a920e9c8f3f3d44c9c4a95960e4554dc1ffff591e153c802d38cf5cb18f9f08011dc3a35cbade0bc8182d145b40c5cc374eae346ea625effc7

Download Submit
memory/616-311-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads