4f8deecb6b6a3a0f211a2cf6c8ebbad09a33d4d226285e912b1e525a99aff258

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/Adobe PhotoShop/Photo.vbs
Size

278KB
MD5

54fc0bbff5ede27bcf1e0c69e0f82285
SHA1

0150600a3a51beb27d20ec2f58edca7693050f12
SHA256

4ffa4a112e32582fcb724f4feb263d935c7230b76031ac372a0a5c0a9bf36157
SHA512

d68c339a3a5ba4fc973611872857de66f21405dcd50d53980e10f9f4724bf19151503f5a5b684fc15c8bbd9c777a8a0e1f20555061be524c1ac0eaff3e8829fd
SSDEEP

1536:l6pXKvd4afHosQrOyfgyVUJtAsHIA1dXBeyTw/B/6bF4pCw37uRfF618F7k7w/+Z:R+RotDqjGsU5GGFsU5zs

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WScript.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
5	1244	WScript.exe
9	1244	WScript.exe
12	1244	WScript.exe
15	1244	WScript.exe
18	1244	WScript.exe
21	1244	WScript.exe
24	1244	WScript.exe

Loads dropped DLL 38 IoCs

pid	Process
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe
1244	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe PhotoShop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Startrun.pif\" /E:vbScript.enCode \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Photo.Jpeg\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Adobe PhotoShop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Startrun.pif\" /E:vbScript.enCode \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Photo.Jpeg\""	WScript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1\Adobe PhotoShop\Photo.vbs"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DCIM.lnk

Filesize
685B

MD5
126cf7f859c68ced34d9c13faec20ea1

SHA1
2e6a21c54d39e072940fab0e52b75a69cf3ba4ed

SHA256
bebde172291389134936eb680125e8699ead8e482f275bda1b9322c949ca1f50

SHA512
295757b557adda359784cd5c7a7aadef3b25e56091012a5be72d9b576f83ef3a62a1cf7af5ea32b78fd520ad99f7c38f4332fb3565b340b8dad59d6baa249a56

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\Share\MUSIC\Photo.Jpeg

Filesize
278KB

MD5
54fc0bbff5ede27bcf1e0c69e0f82285

SHA1
0150600a3a51beb27d20ec2f58edca7693050f12

SHA256
4ffa4a112e32582fcb724f4feb263d935c7230b76031ac372a0a5c0a9bf36157

SHA512
d68c339a3a5ba4fc973611872857de66f21405dcd50d53980e10f9f4724bf19151503f5a5b684fc15c8bbd9c777a8a0e1f20555061be524c1ac0eaff3e8829fd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\Share\VIDEO\YouTube.Flv.lnk

Filesize
1KB

MD5
bb025a5e31747d2671c55b49c0c1d4d2

SHA1
ebd220dd1b80480811a6e92ea2836392236cd183

SHA256
b5e655350aa7262dade8587b214941fef6f7efeae50524d7f8c2a4559be2202b

SHA512
32102e2617888d2d47b21e1e8f7b2c38b580c1233ee9cfd73400d98565946b7ea43c760e422698f2ccea6babc0ced163709d9217cb8cb79dad9feb661d3a5823

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\runsc.exe

Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
F:\DCIM.lnk

Filesize
679B

MD5
f4791ecdf4490733d6aa2ead9e6040b9

SHA1
8c78b95c3e668fb78d0c69985ef7f2de2023b9fe

SHA256
9d2cfe002717ecff3fc385043797f1f26993f7c9444edf01d03b1327f2536b58

SHA512
c86e9cc6cd2cd832244fdc0a8501a74502bab58b666c19dc90b32ca3af9d0ee46a6c776d71dac3b86a24b6c7d76533c4f2a4edde13da0f4093977c4ce7c476e0

Download Submit
\Adobe\runsc.exe

Filesize
39KB

MD5
0756a988a6f72a995847dbcafb789784

SHA1
db64623777df91375078fb49bfa4a72e2b3a6e46

SHA256
abfe1b474e50f456549dd1c98aedfda8d513ee9264c3d10f8d733325c2fd6209

SHA512
c4e2e95ddc0f8b56e83adf90c4f67469a6554c4d7016c00621fbad08ca3508373431029ce611768a36fca00b51abfdf55d7c6fb5bb219afcd21d3d01104a92a9

Download Submit
\Adobe\runsc.exe

Filesize
29KB

MD5
1bacf17821200ced80d72cbb8149f65c

SHA1
bc45f4f91556a56adf917ce9c0522bf18b9f45df

SHA256
4e8f3baca228fb2565013188e6f708232e3c17e4a9ee8af463832ee8c5e02b63

SHA512
991af8a5c24e2d21f47989f6c7ded1078dafb1933c6f5d43a84961c3394b7a3656adffbf4d473f048315aed5022ac4b4430960d586b731963e2999e8dc16c030

Download Submit
\Adobe\runsc.exe

Filesize
128KB

MD5
f9aedf3ae722321b61d6f939ebe5c8c1

SHA1
d82aed132951680f58537a6c2e9b4adaca174b59

SHA256
17b834081e4e7a53e8a3519257357a3dfdfc7ed28b5c23618f6c0f65be90d10c

SHA512
b951c2a40af7039607b200cbaaa4b2d2079d137b8cccfb253f1bfa78ab3f9ff76501033e4e191e4fc1406fe79a8fa6eaf4f9c844b9c8e4af07fdea1b5fc8f27a

Download Submit
\Adobe\runsc.exe

Filesize
142KB

MD5
399d68c7ba5ec004c4629deddf642825

SHA1
6dcf3524fc03dadc0ba820d4dd0d76bf3023a638

SHA256
9a7a20ea65235a1cf481c8f801067c0d71b1876c36ca26328e070b5e60653747

SHA512
fc2e0d5b9325031914441678f9b0cf63594c7a13987fc7525e7dcc3e7a07b0b1986241f7ff9f2eb56b3a50c5cce6f76debe7ac2208d11f646fd2feb1df998066

Download Submit
\Adobe\runsc.exe

Filesize
109KB

MD5
c1337aaf763ae94de0b77ff86ff8fcca

SHA1
0c0e963c5fafe8863ca0649989abae61ea4ba29f

SHA256
7f6a6427d5fd6b3f558c6fde306b9a5f601794274087a5cd90c66a7345bb6753

SHA512
60117f592e5d21a77b9d19bb68e76116ce32b3c921e99a81fb49ef6587b10b577200eb99a6af5c1abeb2e6dcf940b2c6caafa7dd91973e1089324fe0423d0f74

Download Submit
\Adobe\runsc.exe

Filesize
42KB

MD5
3134f105732d1d31d62d043c077a7a88

SHA1
4405aa56bc3c38133b41a0cf194b82f0db399f83

SHA256
0e3a22541e2bae87b7544e371313df09bf5532ba1483df9d5141a7bb5a78175f

SHA512
d5de42ff285e969390dc23cc4c7eb38948b02f0588048d927a86a90d91676e379f4413be5d5c684f79168b0d1a2f18fec3a170a123c632b33c6aa36042ed6887

Download Submit
\Adobe\runsc.exe

Filesize
85KB

MD5
b7e763687e005632fb0edbe19f005e52

SHA1
6bc1379ba4c3e6ad9b1702f391123016151f273d

SHA256
934b26c8c3c6c52bfa248609f63b91d40575045809f5e6b1470de4cbff3d599c

SHA512
5a4109b7e512848fe315bcf1971f17b5e1b38ee8e127c75ef6a6c02c026d6bcb6a666bd776935c903fbb69e27c435e6f193b70003b5416381252a10a95643785

Download Submit
\Adobe\runsc.exe

Filesize
144KB

MD5
9cb8acd5ca20c34fdb92a1f3d6c08e5b

SHA1
86280c0e924b424f2d84099ac313bfb3d4e615c3

SHA256
aaa941fea33a61e1660a42fa1b6f950654e0d5c8f256e835d2fc099a854ac29c

SHA512
834c6ac5bce565b0f90b234ffc96fe1c461d8883d816c22c84d09c7a17084e5a732f22665e7ccf9a4e695f8f9a60b7a29d96c545ff3280242c1395af4c1f48dd

Download Submit
\Adobe\runsc.exe

Filesize
153KB

MD5
1273b0f5fe605fb9990657eac204b00e

SHA1
e9a52ac9258737e50dc27e1b19b036f4d830abf2

SHA256
14c41113491b85670cdf43cf38abfb9f68af1386b1f2c8a72d34e9397e409cf2

SHA512
c8d2682d08ce37c8725bf6d21be26c10fb4e78fa33edd17cfaee3e45a0608e2c951b3fffa7db99573a3bf1ee7e009ab2a7eba30f417b2d4abda902e81a893f00

Download Submit
\Adobe\runsc.exe

Filesize
4KB

MD5
5827296b8a65adfa7c86629468a4b33c

SHA1
ccc953041c1c99d95dd4048fd9c5a98ea60965e3

SHA256
9d06f736196750d1205ac7e867b2784417284270ecab33435a51965532ea6ea9

SHA512
e6fbc2f90bda7bc4dc12fc7dec08c5d83679adb9454ac6c1ba2d42793e9530345b718355474a2cdaec81c0324143746028f04cc355b5f38a4f416a95b20674ba

Download Submit
\Adobe\runsc.exe

Filesize
19KB

MD5
d4a39c38d320cd17b99002d1d46650ee

SHA1
6282f13575aace2536bdddbfa96ce8d964a2d65e

SHA256
a307e85bd2a1a23ec6a193a84ccc449a412d2da0727871b38616a73fd9f34dbe

SHA512
ad0182823baa5204ca41c610ea1c4102a66e9fe977a39ddea3d7553a0fe6e73f94734e04436b53536f1fd71df514fb78438fe087b5b3985ccd24956fbf360666

Download Submit
\Adobe\runsc.exe

Filesize
163KB

MD5
82fecf235e0851229e0e37584c7f959d

SHA1
38e0caa5476feaebf1ecbc27c8644cc5aa5ccb56

SHA256
0145cce2962263437fa1675cc4c94b4c00528a9d6edb78cbb348ed6c8af13e3b

SHA512
b3127f2f9e347a6bceecf3993f0b02e49c621948a3a07104f2e0b00f2da803c67755d54cd7e3b34df463f8ffbffa75195a56a3cfb84045bb2f1996227039a765

Download Submit
\Adobe\runsc.exe

Filesize
163KB

MD5
373ffc0babc449122c349379acf77fe1

SHA1
4b6a0f2b7cb92f58536a8cb6f870beb629a81f3c

SHA256
507c3659916ec806537dd0ab4d1d05b3fe7037fc2e9e8cadf79c9cf19e128d1e

SHA512
3a15a15f0d805774e1abed2a4ebc0adbcf557a891ab36fee24ac9ec551010725bf96cef0819ac2b88a34fb3fd04a6094ea1fdb545a97c08f7c47a1bb03f10303

Download Submit
\Adobe\runsc.exe

Filesize
76KB

MD5
dba5dcf82f703adf5cb52f14a1a51757

SHA1
3cc0d77cd0d3d389845b3749e9dc06d354fdd6af

SHA256
9061bb0830b07afd1a86beeb4478f3fc9c060d7272237d6a6a2e0b741993bb77

SHA512
02294f8ded811edcd292bba6e9df1d1c8eeee448d2089edf85bc641591ac77e227008ce77940ff564263e7c189b625539dc33f9f00c56c72f956abfe451203f7

Download Submit
\Adobe\runsc.exe

Filesize
157KB

MD5
ce3524ef804bb46dbb8c8f37ba7e5fc2

SHA1
b997d64ae1f1f3133b6e2cc505da97d9605b032b

SHA256
ceef9c46eaf9ea159cff721d7842adc6acc34b55d9a41a478f63f345d2321b8f

SHA512
3adb4d960b5323565e92d9d2b447a91b818024f310b65842b11148c0176fe190297bf6f4e071cd6d04bd7d23778b3a8037c2022fcda5b65c16bc6e9a85aacb87

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads