e3e1359104bbda6f7095b6dc5d35134d52a9a1a0101c88530bcb7cbebbe51a9c

Analysis

max time kernel
137s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2023, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FireflyAI_JC.exe
Size

45.7MB
MD5

5d058ac0a96ea904495b4ad08e725fe9
SHA1

c70ecff66304842c3a0cb07181343f261a23feb0
SHA256

e3e1359104bbda6f7095b6dc5d35134d52a9a1a0101c88530bcb7cbebbe51a9c
SHA512

537df99ecdc6470ce000646797e2b9f357e755cd89e3d6204150c8b6544fe36fbd9f460acd0ac1af719da22af109bca2b04ce9c0f62b715604040aad64f50704
SSDEEP

786432:E5CUXgrAXasuqWaL2vPdgnIFUR9A5UqrkBGnk9kEgsYNzhMjxnfQysN:bsVXz+1qIFUCyBGkeEgdzw/4

Score

8^/10

evasion

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2248	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
484	sqlite3.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db	sqlite3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3992	reg.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 35	4352	cmd.exe
Token: 35	4352	cmd.exe
Token: 35	4352	cmd.exe
Token: 35	4352	cmd.exe
Token: 35	4352	cmd.exe
Token: 35	4352	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 4016	2604	FireflyAI_JC.exe	88
PID 2604 wrote to memory of 4016	2604	FireflyAI_JC.exe	88
PID 4016 wrote to memory of 4352	4016	FireflyAI_JC.exe	89
PID 4016 wrote to memory of 4352	4016	FireflyAI_JC.exe	89
PID 4352 wrote to memory of 3388	4352	cmd.exe	91
PID 4352 wrote to memory of 3388	4352	cmd.exe	91
PID 3388 wrote to memory of 3992	3388	cmd.exe	92
PID 3388 wrote to memory of 3992	3388	cmd.exe	92
PID 3388 wrote to memory of 3000	3388	cmd.exe	93
PID 3388 wrote to memory of 3000	3388	cmd.exe	93
PID 4352 wrote to memory of 1960	4352	cmd.exe	94
PID 4352 wrote to memory of 1960	4352	cmd.exe	94
PID 4352 wrote to memory of 872	4352	cmd.exe	95
PID 4352 wrote to memory of 872	4352	cmd.exe	95
PID 4352 wrote to memory of 3396	4352	cmd.exe	96
PID 4352 wrote to memory of 3396	4352	cmd.exe	96
PID 4352 wrote to memory of 2340	4352	cmd.exe	97
PID 4352 wrote to memory of 2340	4352	cmd.exe	97
PID 4352 wrote to memory of 4956	4352	cmd.exe	98
PID 4352 wrote to memory of 4956	4352	cmd.exe	98
PID 4352 wrote to memory of 5104	4352	cmd.exe	99
PID 4352 wrote to memory of 5104	4352	cmd.exe	99
PID 4352 wrote to memory of 3412	4352	cmd.exe	100
PID 4352 wrote to memory of 3412	4352	cmd.exe	100
PID 4352 wrote to memory of 676	4352	cmd.exe	101
PID 4352 wrote to memory of 676	4352	cmd.exe	101
PID 4352 wrote to memory of 4788	4352	cmd.exe	102
PID 4352 wrote to memory of 4788	4352	cmd.exe	102
PID 4352 wrote to memory of 4960	4352	cmd.exe	103
PID 4352 wrote to memory of 4960	4352	cmd.exe	103
PID 4352 wrote to memory of 1944	4352	cmd.exe	104
PID 4352 wrote to memory of 1944	4352	cmd.exe	104
PID 4352 wrote to memory of 1352	4352	cmd.exe	106
PID 4352 wrote to memory of 1352	4352	cmd.exe	106
PID 4352 wrote to memory of 1560	4352	cmd.exe	107
PID 4352 wrote to memory of 1560	4352	cmd.exe	107
PID 4352 wrote to memory of 3004	4352	cmd.exe	108
PID 4352 wrote to memory of 3004	4352	cmd.exe	108
PID 4352 wrote to memory of 232	4352	cmd.exe	109
PID 4352 wrote to memory of 232	4352	cmd.exe	109
PID 4352 wrote to memory of 4240	4352	cmd.exe	111
PID 4352 wrote to memory of 4240	4352	cmd.exe	111
PID 4352 wrote to memory of 4332	4352	cmd.exe	112
PID 4352 wrote to memory of 4332	4352	cmd.exe	112
PID 4352 wrote to memory of 5008	4352	cmd.exe	113
PID 4352 wrote to memory of 5008	4352	cmd.exe	113
PID 4352 wrote to memory of 4136	4352	cmd.exe	114
PID 4352 wrote to memory of 4136	4352	cmd.exe	114
PID 4352 wrote to memory of 1364	4352	cmd.exe	115
PID 4352 wrote to memory of 1364	4352	cmd.exe	115
PID 4352 wrote to memory of 3824	4352	cmd.exe	116
PID 4352 wrote to memory of 3824	4352	cmd.exe	116
PID 4352 wrote to memory of 4184	4352	cmd.exe	117
PID 4352 wrote to memory of 4184	4352	cmd.exe	117
PID 4352 wrote to memory of 780	4352	cmd.exe	118
PID 4352 wrote to memory of 780	4352	cmd.exe	118
PID 4352 wrote to memory of 220	4352	cmd.exe	119
PID 4352 wrote to memory of 220	4352	cmd.exe	119
PID 4352 wrote to memory of 3516	4352	cmd.exe	120
PID 4352 wrote to memory of 3516	4352	cmd.exe	120
PID 4352 wrote to memory of 4944	4352	cmd.exe	121
PID 4352 wrote to memory of 4944	4352	cmd.exe	121
PID 4352 wrote to memory of 3972	4352	cmd.exe	122
PID 4352 wrote to memory of 3972	4352	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe
"C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\FireflyAI_JC.exe" -sfxwaitall:1 "replace.cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Adobe Temp\replace.cmd" "
    3⤵
    - Drops file in Drivers directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG QUERY HKLM\SOFTWARE\Adobe\Photoshop\170.0 /s | FINDSTR /irc:ApplicationPath
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3388
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKLM\SOFTWARE\Adobe\Photoshop\170.0 /s
        5⤵
        Modifies registry key
        
        PID:3992
    - - C:\Windows\system32\findstr.exe
        
        FINDSTR /irc:ApplicationPath
        5⤵
        
        PID:3000
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Required "Required"
      4⤵
      PID:1960
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\cs_CZ "Locales\cs_CZ"
      4⤵
      PID:872
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\da_DK "Locales\da_DK"
      4⤵
      PID:3396
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\de_DE "Locales\de_DE"
      4⤵
      PID:2340
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_AE "Locales\en_AE"
      4⤵
      PID:4956
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_GB "Locales\en_GB"
      4⤵
      PID:5104
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_IL "Locales\en_IL"
      4⤵
      PID:3412
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\en_US "Locales\en_US"
      4⤵
      PID:676
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\es_ES "Locales\es_ES"
      4⤵
      PID:4788
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\es_MX "Locales\es_MX"
      4⤵
      PID:4960
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fi_FI "Locales\fi_FI"
      4⤵
      PID:1944
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fr_CA "Locales\fr_CA"
      4⤵
      PID:1352
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fr_FR "Locales\fr_FR"
      4⤵
      PID:1560
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\fr_MA "Locales\fr_MA"
      4⤵
      PID:3004
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\hu_HU "Locales\hu_HU"
      4⤵
      PID:232
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\it_IT "Locales\it_IT"
      4⤵
      PID:4240
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\ja_JP "Locales\ja_JP"
      4⤵
      PID:4332
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\ko_KR "Locales\ko_KR"
      4⤵
      PID:5008
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\nb_NO "Locales\nb_NO"
      4⤵
      PID:4136
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\nl_NL "Locales\nl_NL"
      4⤵
      PID:1364
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\pl_PL "Locales\pl_PL"
      4⤵
      PID:3824
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\pt_BR "Locales\pt_BR"
      4⤵
      PID:4184
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\ru_RU "Locales\ru_RU"
      4⤵
      PID:780
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\sv_SE "Locales\sv_SE"
      4⤵
      PID:220
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\tr_TR "Locales\tr_TR"
      4⤵
      PID:3516
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\uk_UA "Locales\uk_UA"
      4⤵
      PID:4944
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\zh_CN "Locales\zh_CN"
      4⤵
      PID:3972
  - - C:\Windows\system32\xcopy.exe
      XCOPY /eihry Locales\zh_TW "Locales\zh_TW"
      4⤵
      PID:404
  - - C:\Users\Admin\AppData\Local\Temp\Adobe Temp\sqlite3.exe
      sqlite3.exe "C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:484
  - - C:\Windows\system32\netsh.exe
      NETSH advfirewall firewall delete rule name="Adobe Unlicensed Pop-up" dir=out
      4⤵
      Modifies Windows Firewall
      PID:2248
  - - C:\Windows\system32\find.exe
      FIND /c /i "ic.adobe.io" C:\Windows\system32\drivers\etc\hosts
      4⤵
      PID:4544
  - - C:\Windows\system32\find.exe
      FIND /c /i "1hzopx6nz7.adobe.io" C:\Windows\system32\drivers\etc\hosts
      4⤵
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\en_AE\Support Files\Shortcuts\Win\Default Keyboard Shortcuts.kys

Filesize
19KB

MD5
e1e71e61d5388774c468d5bf0bafb7c1

SHA1
126c4794b14d74c4566f4f1d88e019d5a024eec6

SHA256
60a04127dd07fd8994c57823e0c34a7e93baab4428fb6fee85b8e6a91773c7b5

SHA512
63a1350e7c09683e03c9126b4d35ffb399040d8318d45a273df72e50b474741fdd075f6dd5762834ca79ba51e577107352a6c74c12ef487b008412a121d699ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\en_GB\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
96B

MD5
303d07950ebdb1129ed20b56517eec03

SHA1
af8ae6e4068d13bd59aa282cdd7a10b4a1f46b92

SHA256
999dd9c1b23bba7418102e894e7773176fb6b95d783ad1530924bf63249284da

SHA512
1e695f05a23e3194aa4a57295b6914c46ff785a08e1dc4b1b280470f8d55b4c3446eb75b6850fad9ee52d7e2843e8710e68dcccf10c03a84d2a15727a0be9242

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\en_IL\Support Files\tw10428_Photoshop_en_IL.dat

Filesize
4.3MB

MD5
844e1f4e0f0c51c0fdb49dec014e5e9d

SHA1
f012c0918a5c71f3111d62c927d9bb8b519859cb

SHA256
5448f910cebe6c5ff8463ea929035f262332dcccae4277c02346e7f77010ae3f

SHA512
34a0160eb1edf29db6ee4ebb4af4f944900c9b4459f68c1ad65102f2e325a4ade622808b06cab3d881c65bc05854e852ee11f8d36f6d1f13d82607c5534fe2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\es_ES\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
79B

MD5
77f7f250b5f11ccbcfe7be885de67e9f

SHA1
caa24c5a1acf4dad73415dc5429ac4198e7db63e

SHA256
31fd8d2f4c5170bd2d0cbf106d1b3ebd15da6a3c6fe4ae85cf4b6d0de8bd0c30

SHA512
00afc6bfdadfd911d0c0fc0082895db615e36ea715a560066b0f41a97a31281cc836658f5c199deff3fde5ec1e2b3c90039b3389b7f40aadd0a0e8bdc7e910fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\es_ES\Support Files\tw10428_Photoshop_es_ES.dat

Filesize
4.7MB

MD5
be9771f695b9d3d914dad522c88b29e6

SHA1
3190fd5cbb472256978057189381b5a787397711

SHA256
d4cd5570b98281b776dd9019fefedfd9fc5348b101103fb432c2d38f09394688

SHA512
ddbb3c298424352b07021e4f4301002ea67b6d95827cc2ae040513876da9256b41741e67205d88c9cb291fc1b137dc5954eb4014118dcfef1f7fd278377dbe53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\fr_MA\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
62B

MD5
8390d32666562a7f99f17b6893e6df80

SHA1
a8402c23d66f348314dcbb722a1d8435fcd3e745

SHA256
8f43479b5bb5047ba774c7c4f5dcf86967655642bb401ea44d78a75b1935ad0b

SHA512
729f6c2f79fea8dcb3d0b0912d39ccdef7d1417b56c2912ed7ff93c3537fcd6bf9451c3c5783c72b1572924fe99a65e230d7d5ca08ad074f542fdfc1179a7f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\fr_MA\Support Files\tw10428_Photoshop_fr_MA.dat

Filesize
4.8MB

MD5
32d58ef11ea5ea1d3c412feb53f8f7df

SHA1
f919f2e5dee6bc95dac93b401da42f1ce74e3d73

SHA256
c61f0b39cc3565fc577e5abedc71461be4d5bb0bb9d471f735854dfd7843c963

SHA512
617f91c4401afbe1971e2192fe215aa206002524f24313c16b7562b4d917ae749016148294b4186b6e5d157243d8c0b7a6e050eb60cd8c7328899efd1a785ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Locales\nb_NO\Support Files\Shortcuts\Win\OS Shortcuts.txt

Filesize
79B

MD5
6e77a75580a4451bb6f15b31e555f75c

SHA1
4822d8c407fcb0ebf3311a79029fa83455e2ee2e

SHA256
e9dbca0116cef1d354dab6e54b9b7414d1df6bf6a79bc9329137391a227bd7bf

SHA512
2aa08ba3332751cd61b1e0fbb2c6f33b39ef740163457fdf59998a92561d378b3d4ccf11ee7a0b36b660a64e27dfb57f372f898398561acc787830c4fd65d849

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\PSRes.dll

Filesize
834KB

MD5
00a191229680f944baba5fe2c5c86b82

SHA1
9278b6cb1d94fcbb34731769de5389fb7315d8d6

SHA256
862deaf1e9e3918eb54602acc0baa5914626960fb3871de3e0db6177d8d2cf65

SHA512
40bdf64b8fbabf6ac7c6d090bb95337af3f459933e59700e3a4f2d9f787247267ec4ded38074680b9b9dbe82d6a0d1af116a2f60f97fb31dd09ae92aea75150d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\PSViews.dll

Filesize
3.0MB

MD5
6a4fbd903bad66f65ea3d5bc38377e4c

SHA1
8e18afe4a0aa5e0e216a893512f0610b3df9542a

SHA256
7b3c9d991c24b55820a871103d84044dd5c420e2f68bdd5430c52a80438f0eb5

SHA512
63f466f6d92a08c49d1a08ede5f3c02f9b571f54e1c720e0300b03d432ae7da8b869070d3c2e9618ce8e0ee0eb82ee0585b92798570a099abd75404f22512191

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\Photoshop.exe

Filesize
165.5MB

MD5
a883d52f064d3305bb802c7cc14e6067

SHA1
16d392944f784faa796ff2666111f7616b22a769

SHA256
f4e734cd3d7cbd4a148448cee22e46584cef80e5d08e5f6ac832e12c326deb34

SHA512
5044b4712fafe19a5827ab5306088c0fffb009c111e147ad9b81001bca69bcbca0366c47dfad59988276c70010dba0997b46136f56c40a5d78610c1126ffcd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\hdpim.sql

Filesize
14KB

MD5
9542879bc87ce745aced4028f76eea0c

SHA1
5238cdd7246065356bfdba57c75f43528c52eb90

SHA256
195be10d7034196eef1fc861a2de8c76200a1af9928354ab0ddaae7391f1fc53

SHA512
0b91336a69dcee713ecc9681a571e3b6dd34ef65488fe523eb08acf450cb47e30b5791b87ecb9358bd8d224208030a94c5c9f2764186df989bf7e36fc115f16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\replace.cmd

Filesize
4KB

MD5
0e867a0312dbe36cb952272dd9d88ba1

SHA1
c4d68c2e374d34e451f0bf906a2d2bd924a94042

SHA256
202f4dc1744aa3548b537630c6c961cf583060be8c0e7351c755afc3842ece02

SHA512
1091e33ca4d3c7c2b3546fee3515b57b16a453ec13afbc8a4705c1c53ae0a3beaeb678bb5fb4460b337fb94714389b15bf1d1691a22be46e802a5e6171f1b7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\sqlite3.exe

Filesize
1.1MB

MD5
ec8c73f8c88b66cbbbc9128579aa822c

SHA1
c0617b992fac1e0153f46e49bd4497f8df98503b

SHA256
05b5783917c39417b5db3b3bcdd66b2effdf0bd764350ebaefc032804b825597

SHA512
3fdadbc5e9f38172c12cc5469513b55e734fdf12a7a3a2269c9e1796b53c7fe8ba9e153ed5d0b85c3ebff8ce3b923fd8144c777bd864fbd61ff12fce0e5ac788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\sqlite3.exe

Filesize
1.1MB

MD5
ec8c73f8c88b66cbbbc9128579aa822c

SHA1
c0617b992fac1e0153f46e49bd4497f8df98503b

SHA256
05b5783917c39417b5db3b3bcdd66b2effdf0bd764350ebaefc032804b825597

SHA512
3fdadbc5e9f38172c12cc5469513b55e734fdf12a7a3a2269c9e1796b53c7fe8ba9e153ed5d0b85c3ebff8ce3b923fd8144c777bd864fbd61ff12fce0e5ac788

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
6503021da439cfdca49135394fb68cc1

SHA1
bdd4de3bac42cf8d05b910166fe667265c19b09d

SHA256
db0d1665a3f1cec205695f636063d7bf8b9af33fc49eefbef442f364e5b3c3d4

SHA512
55dfb87eb569bbd3a9cb6c88e8c35f3e6afaf41ac98fadec19433ac1c507688473c5d579315b8404ab2ec5e7c7af2dca9a7507b47febdc1e657a01f76627eb5d

Download Submit
memory/484-391-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads