4f8deecb6b6a3a0f211a2cf6c8ebbad09a33d4d226285e912b1e525a99aff258

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/Adobe PhotoShop/Share/VIDEO/Photo.vbs
Size

278KB
MD5

54fc0bbff5ede27bcf1e0c69e0f82285
SHA1

0150600a3a51beb27d20ec2f58edca7693050f12
SHA256

4ffa4a112e32582fcb724f4feb263d935c7230b76031ac372a0a5c0a9bf36157
SHA512

d68c339a3a5ba4fc973611872857de66f21405dcd50d53980e10f9f4724bf19151503f5a5b684fc15c8bbd9c777a8a0e1f20555061be524c1ac0eaff3e8829fd
SSDEEP

1536:l6pXKvd4afHosQrOyfgyVUJtAsHIA1dXBeyTw/B/6bF4pCw37uRfF618F7k7w/+Z:R+RotDqjGsU5GGFsU5zs

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Blocklisted process makes network request 6 IoCs

flow	pid	Process
32	720	WScript.exe
65	720	WScript.exe
81	720	WScript.exe
88	720	WScript.exe
100	720	WScript.exe
105	720	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe PhotoShop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Startrun.pif\" /E:vbScript.enCode \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Photo.Jpeg\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Adobe PhotoShop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Startrun.pif\" /E:vbScript.enCode \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Photo.Jpeg\""	WScript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1\Adobe PhotoShop\Share\VIDEO\Photo.vbs"
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks whether UAC is enabled
PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DCIM.lnk

Filesize
722B

MD5
e097167f359ffa287a59b1e8c2a70767

SHA1
051f3b9128de72f80c532add33e785944d05069c

SHA256
a0ed2728570455507909e4a3eb4bff368a7d340427319ab22e6914c8f3610935

SHA512
e4ea37521f288c25f99811d32e5755d4279624f8feebd2478d535f141ad2545e5430935deb5b6a5a7d97260218a5cd313a976691c49552d4516a2a69bf979151

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\Share\MUSIC\Photo.Jpeg

Filesize
278KB

MD5
54fc0bbff5ede27bcf1e0c69e0f82285

SHA1
0150600a3a51beb27d20ec2f58edca7693050f12

SHA256
4ffa4a112e32582fcb724f4feb263d935c7230b76031ac372a0a5c0a9bf36157

SHA512
d68c339a3a5ba4fc973611872857de66f21405dcd50d53980e10f9f4724bf19151503f5a5b684fc15c8bbd9c777a8a0e1f20555061be524c1ac0eaff3e8829fd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\Share\VIDEO\YouTube.Flv.lnk

Filesize
1KB

MD5
85a84f60fcb8a59fa418be60f97e8230

SHA1
7a0cb8beb2f921ded2c4e1e2bc9dd4be7f3519b5

SHA256
2da45c5f112872d7e305f013f7cbf9036480c831ec2404df33f396edea49ce10

SHA512
afcc979aa5cd6e3a0bd1befb88d20c2be2d34c65c9a31beb3e6cb4e8eaa2fe988492f5b641289ca90ca06991d7e0ef4411efee29dbd2384e7d56173363f6d7ef

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\runsc.exe

Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
F:\DCIM.lnk

Filesize
716B

MD5
dbbad0145a62b8570114b6fe083ec491

SHA1
d54a54928e60649086b3232d98835f0a6ccc9a19

SHA256
ef7f8fc6ad978a6cecd32f5b0237f0f72721010b1b5a362ec7bf370d7b517812

SHA512
ce94929d024b8d85fa70bea33e52720dd0442de72e7d74013b5eec05dd1aced4b836a6f4638d5d86d382a9a2bf678d9b2ae70b74bd411a499efeddb7c27745d2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads