56f3ac3db61aac1b99aed7a0720336d12a57cc65a879673b61e3dc0b35a06c1a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7dd27f715f05414b8d1681ddc2cd7d79.exe
Size

68KB
MD5

7dd27f715f05414b8d1681ddc2cd7d79
SHA1

5db9a9925d8c6406e4fccfc4d00499dbf936be3c
SHA256

56f3ac3db61aac1b99aed7a0720336d12a57cc65a879673b61e3dc0b35a06c1a
SHA512

8938ce39361794fffea7e4ad09282877572c1bbee4ee120b5f95e0d434eea8c2de61eb0ca41d535be24a7b4dcc6334710131e9c6d2ab06ef2f4bc8a845dd8283
SSDEEP

1536:YSCwFep1p/Rac0dEPH2d41e0+MCrvRr2oNBZ1jyCEO1r:YVwwUdEud41e0+M4vRzN9yCEO1r

Score

8^/10

evasion

Malware Config

Signatures

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	7dd27f715f05414b8d1681ddc2cd7d79.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Adobelmsvc.exe

Deletes itself 1 IoCs

pid	Process
116	Adobelmsvc.exe

Executes dropped EXE 1 IoCs

pid	Process
116	Adobelmsvc.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\microsoft\backup.ftp	Adobelmsvc.exe
File opened for modification	C:\Windows\SysWOW64\microsoft\backup.tftp	Adobelmsvc.exe
File created	C:\Windows\SysWOW64\microsoft\backup.ftp	Adobelmsvc.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	Adobelmsvc.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\ftp.exe	Adobelmsvc.exe
File opened for modification	C:\Windows\SysWOW64\tftp.exe	Adobelmsvc.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\tftp.exe	Adobelmsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\Adobelmsvc.exe	7dd27f715f05414b8d1681ddc2cd7d79.exe
File opened for modification	C:\Windows\system\Adobelmsvc.exe	7dd27f715f05414b8d1681ddc2cd7d79.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5648	5816	WerFault.exe	14
3468	116	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
116	Adobelmsvc.exe
116	Adobelmsvc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	Adobelmsvc.exe

C:\Users\Admin\AppData\Local\Temp\7dd27f715f05414b8d1681ddc2cd7d79.exe
"C:\Users\Admin\AppData\Local\Temp\7dd27f715f05414b8d1681ddc2cd7d79.exe"
1⤵
- Looks for VMWare Tools registry key
- Drops file in Windows directory
PID:5816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 252
  2⤵
  - Program crash
  PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5816 -ip 5816
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 116 -ip 116
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 248
1⤵
- Program crash
PID:3468

C:\Windows\system\Adobelmsvc.exe
"C:\Windows\system\Adobelmsvc.exe"
1⤵
- Looks for VMWare Tools registry key
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\Adobelmsvc.exe

Filesize
68KB

MD5
7dd27f715f05414b8d1681ddc2cd7d79

SHA1
5db9a9925d8c6406e4fccfc4d00499dbf936be3c

SHA256
56f3ac3db61aac1b99aed7a0720336d12a57cc65a879673b61e3dc0b35a06c1a

SHA512
8938ce39361794fffea7e4ad09282877572c1bbee4ee120b5f95e0d434eea8c2de61eb0ca41d535be24a7b4dcc6334710131e9c6d2ab06ef2f4bc8a845dd8283

Download Submit
memory/116-13-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-14-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-22-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-21-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-7-0x0000000000C10000-0x0000000000C12000-memory.dmp

Filesize
8KB

Download
memory/116-9-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-10-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-11-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-6-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-12-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-20-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-15-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-16-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-17-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-18-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/116-19-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5816-8-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5816-0-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5816-1-0x0000000000630000-0x0000000000632000-memory.dmp

Filesize
8KB

Download