4f8deecb6b6a3a0f211a2cf6c8ebbad09a33d4d226285e912b1e525a99aff258

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1/Adobe PhotoShop/Share/MOVIES/Photo.vbs
Size

278KB
MD5

54fc0bbff5ede27bcf1e0c69e0f82285
SHA1

0150600a3a51beb27d20ec2f58edca7693050f12
SHA256

4ffa4a112e32582fcb724f4feb263d935c7230b76031ac372a0a5c0a9bf36157
SHA512

d68c339a3a5ba4fc973611872857de66f21405dcd50d53980e10f9f4724bf19151503f5a5b684fc15c8bbd9c777a8a0e1f20555061be524c1ac0eaff3e8829fd
SSDEEP

1536:l6pXKvd4afHosQrOyfgyVUJtAsHIA1dXBeyTw/B/6bF4pCw37uRfF618F7k7w/+Z:R+RotDqjGsU5GGFsU5zs

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WScript.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
4	2360	WScript.exe
9	2360	WScript.exe
12	2360	WScript.exe
15	2360	WScript.exe
18	2360	WScript.exe
21	2360	WScript.exe

Loads dropped DLL 36 IoCs

pid	Process
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe
2360	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe PhotoShop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Startrun.pif\" /E:vbScript.enCode \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Photo.Jpeg\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Adobe PhotoShop = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Startrun.pif\" /E:vbScript.enCode \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe PhotoShop\\Photo.Jpeg\""	WScript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1\Adobe PhotoShop\Share\MOVIES\Photo.vbs"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DCIM.lnk

Filesize
685B

MD5
4eabb6170f593bb3b4248667aaf57201

SHA1
c8449b48598f12214d9c29534eee3e32afbc757f

SHA256
6fb9c1b3e9c63412af6a91dc97ad75d756865e183cc86d32275b02f957423649

SHA512
5198784c1f89acb5a8f907057ee8b59a33cca5340c2ec0db6adbd84f51e2986279efa3b4af77a386596da17db2cbf70a89610474681bd4065df0b83f90d98918

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\Share\MUSIC\Photo.Jpeg

Filesize
278KB

MD5
54fc0bbff5ede27bcf1e0c69e0f82285

SHA1
0150600a3a51beb27d20ec2f58edca7693050f12

SHA256
4ffa4a112e32582fcb724f4feb263d935c7230b76031ac372a0a5c0a9bf36157

SHA512
d68c339a3a5ba4fc973611872857de66f21405dcd50d53980e10f9f4724bf19151503f5a5b684fc15c8bbd9c777a8a0e1f20555061be524c1ac0eaff3e8829fd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\Share\VIDEO\YouTube.Flv.lnk

Filesize
1KB

MD5
bb025a5e31747d2671c55b49c0c1d4d2

SHA1
ebd220dd1b80480811a6e92ea2836392236cd183

SHA256
b5e655350aa7262dade8587b214941fef6f7efeae50524d7f8c2a4559be2202b

SHA512
32102e2617888d2d47b21e1e8f7b2c38b580c1233ee9cfd73400d98565946b7ea43c760e422698f2ccea6babc0ced163709d9217cb8cb79dad9feb661d3a5823

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe PhotoShop\runsc.exe

Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
F:\DCIM.lnk

Filesize
679B

MD5
be60c242ae2bc5cd9fa7008adf705dd3

SHA1
e6059c2445ae01a8dbadc69b3557b4b1c03af7ef

SHA256
59c8a1acce467b57b6c3f83db1959f92d5cc6b4406bd0dcdaad0b0773e405e7c

SHA512
0b19130a236e318d0eb9f3cf57c05524e3ced6f2988a6fc0303bfcd129431b91af6a507b62f55f91fc9b44207d907a233b19262993cc9b2486ad2172fa75aaec

Download Submit
\Adobe\runsc.exe

Filesize
89KB

MD5
a0fd51a330110f249e27f5f457fdcd0a

SHA1
c0b382134a18d86db90d76c6db3639a2e4d3c36c

SHA256
81cd5eef290130b19b6081a0d8044c9e6efdb4b2dfb2d9ea188fd00221eb968d

SHA512
b4983dbc86cad902159ff32e1df9936160fcef5cb14c5f40b0b75edc45fd8f5d00895e7b5a906fadd42fd27fefb2b59aeba520c789cd80e6eeac63f8efaa0b9d

Download Submit
\Adobe\runsc.exe

Filesize
62KB

MD5
ddbd72bc35209ed16c26bed752ca276c

SHA1
032f3bc48ead800c2e99d2ede80cbc5413989397

SHA256
a9e8def219203b6ae1986f99714b41cd13cb4c52bfd5c78bef586e0d21c56668

SHA512
95b85cb046541d08766c1c464a85a90891c9aae91d1ef752d91e8633e4ebc5f9b3f01cae82d5d0e25b67e5ee1837c70d2f8caf0b3e3005260be73d4eb4bd1061

Download Submit
\Adobe\runsc.exe

Filesize
43KB

MD5
2735a02689009edd396af7632769a603

SHA1
030de4f6eb391c317348feeb55580c4f89f1f5a4

SHA256
ad24f25be0a0ccaccd8613697671188624ff3f1426345ef489dfc5a697e6d759

SHA512
3a10616985c8edab9f94149a73f2be99f92a846b7075df765971750b36c7764021511c24d4a44bf0743397724155366b95d05435084689f251f59a9fe1185061

Download Submit
\Adobe\runsc.exe

Filesize
159KB

MD5
575c3891c641477259ffb272bcc8d7ad

SHA1
a3f9b1b563f29c3e38b3a8962f71fb07b9100c19

SHA256
03aab93cd5b2a0077783caa32f107a9efdf437c8005567812bed58e76629e39e

SHA512
6f055c547452ba6b8d9f6111afb1f0d6991cb71bf4bd74f08daed9d78ced56313d92bf311249aae4f3d74c7ab9c1fda503c26d123ee4a9a90815c74f87fd89ea

Download Submit
\Adobe\runsc.exe

Filesize
68KB

MD5
01dab713247d3c2df9c7705c3c1d6628

SHA1
015c60ad91562184d5de9dff65a188fff482c413

SHA256
6e8b36525177393d69ded65b28fca7e889cafd73867f4e7da23b6f903e187c80

SHA512
4e31dd360bfb60484f66041c64d0c0c638c74efe731c634fdede355c748c75e250c8cf3ce8c42354fcd0b5d9fbc9d026d48cea3b30f3dac1e4131d67a7fde851

Download Submit
\Adobe\runsc.exe

Filesize
130KB

MD5
7914a4ca41f9cd574983882b042e9830

SHA1
8ca037650ea03fb316d1784f8ddc5c896e296b0c

SHA256
a39f4aa1f968c7b2811d5f094c347b3d2d1b2da588bb0e01d2b042ffd1d60ba6

SHA512
f90332af94cea69488d484ae2ce75180a294f6ebdd04a3c96aed845844b03143243288268c367372d7ddea6602f670f5a9f32121c4a0f7793af19247bde6c33a

Download Submit
\Adobe\runsc.exe

Filesize
53KB

MD5
f907d2f52836a50c8b460c45a3dff20e

SHA1
1fe4177ae2d259596612436e39db2fe9ae901983

SHA256
7cf4504eb8126a11a94898b0ba20c142356fe433669377dcc816e6e7dd558fe7

SHA512
5eb809622aeba0f7036153e36ce663388b5903283f9022f98faa0828aef36b7998b6fc32e5820b1b98728007af7bc64e0eeaf5f72d90357d553fac621add7748

Download Submit
\Adobe\runsc.exe

Filesize
19KB

MD5
88f2aa1b7d26245dbc046de7b5bdae53

SHA1
299f66d6850c306d729212f7aad6d893eedb27b2

SHA256
356c314fc4a025637640c4d088a222f94f3f18f89eefa88fb2847841c1e51c81

SHA512
b5366ec91b9e0253cddc033d53b0642fc1e9da0168f75891d461e9765ea58874ea3d63f9eb1492aa381a1b696eac8e1528e6487ebddb6f7c1c79585a41cc038a

Download Submit
\Adobe\runsc.exe

Filesize
7KB

MD5
34546d1610df82db21c9d62b1b6bf4d4

SHA1
ca56c3ba4b58fb2edc62434bdc5f8e82e16bef8c

SHA256
c939e540a811f6abfa75bcbf5b7f2d7fe8b3c3a089e47165281dfca04fc5f301

SHA512
cff3705805ba0ef148d3943f0e37c1ea5b34c08622f98dd42d26ae691a2e7859331c0031ffed8757bd45a73fe7bfc9fd78332cb4634608cc00254291b1b2681e

Download Submit
\Adobe\runsc.exe

Filesize
85KB

MD5
c1b3df6eee22ff23d14d5a4b6f1b2e46

SHA1
71677d441a1289f15543b8587ab78765bfde5ee5

SHA256
bf3e5fed734b8364f6f0e7c84118d89ba877c64ac627c69344fa7dd64819b3ea

SHA512
532d2a7aeefb91627438ccae8234eb758d683bb4e516e24760df0e2add79adb048f5927615a7b7c6fe0456361436988fcf7103d3bfec02cf03194cd8dbba2e4d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads