Analysis

  • max time kernel
    195s
  • max time network
    256s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    11-03-2024 12:37

General

  • Target

    AdobeGenP.exe

  • Size

    1.2MB

  • MD5

    ba995555b004b1e952da47fe8367fdd8

  • SHA1

    12b96cabfafdc8e54e555b49b5aa2fcd8fdba306

  • SHA256

    41f955741e33a6a0d0066e57a2692801454d45e3748dafe922b1ab01e464188b

  • SHA512

    115e2848cb142d3698ec4d5fc89bfc3916a0ce66236d333a229db108ade2a699c1db5009df9781dee54b1c611af53ccc2b8e67de748e7ea678da7a9a99ebf58e

  • SSDEEP

    24576:GrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9Tva/HeqtGfTPh:G2EYTb8atv1orq+pEiSDTj1VyvBa/HeR

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request (4 IoCs)
  • Modifies Windows Firewall (2 TTPs, 2 IoCs)
  • Unexpected DNS network traffic destination (4 IoCs)

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (23 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\AdobeGenP.exe
    "C:\Users\Admin\AppData\Local\Temp\AdobeGenP.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
      PowerShell Set-ExecutionPolicy Bypass -scope Process -Force;(Get-NetRoute | Where-Object DestinationPrefix -eq '0.0.0.0/0' | Get-NetIPInterface | Where-Object ConnectionState -eq 'Connected') -ne $null
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2088
    • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
      PowerShell Set-ExecutionPolicy Bypass -scope Process -Force;$ips=@();$soa=(Resolve-DnsName -Name adobe.io -Type SOA).PrimaryServer;Do{$ip=(Resolve-DnsName -Name adobe.io -Server $soa).IPAddress;$ips+=$ip;$ips=$ips|Select -Unique|Sort-Object}While($ips.Count -lt 8);$list=$ips -join ',';$list
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4708
    • C:\Windows\SYSTEM32\netsh.exe
      netsh advfirewall firewall delete rule name="Adobe Unlicensed Pop-up"
      2⤵
      • Modifies Windows Firewall
      PID:1304
    • C:\Windows\SYSTEM32\netsh.exe
      netsh advfirewall firewall add rule name="Adobe Unlicensed Pop-up" dir=out action=block remoteip="18.213.11.84,3.219.243.226,3.233.129.217,34.237.241.83,50.16.47.176,52.22.41.97,52.6.155.20,54.224.241.105"
      2⤵
      • Modifies Windows Firewall
      PID:644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

    Filesize

    3KB

    MD5

    c62a5e23558313431abcc0e932ecbabe

    SHA1

    e263f6755cd996799e092ac5c20a75733101b587

    SHA256

    dbc2277502a23431501bd29737e3a6a707c961f75113d22e2ef0f0af3356b4c8

    SHA512

    a9b2344cb0b5e7e7e31668cbe31c6ea4db60fe1923d4e76123502af8cea1207623833050ed1c6d767a99355b17f5162aa678fd4fba45f62e1537c55e852b3607

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    42e92d980b51dc29179540944d28505c

    SHA1

    fd4f508cec264b9f32dfc26c30f90b65c3caac0c

    SHA256

    b53d8fa57d0a4345707cc7005bd04cf590f47b584fd85186a122cfe97c1c01ea

    SHA512

    869a138abf621bd1aad27ce338cb1ad3cc142311928b6f5629c1d072d057e542d477000666338c16c2ea3fbb754ebacda592d4383835e566353eaf3ead065e94

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxtnqtcm.efc.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • memory/2088-13-0x000001D6F8660000-0x000001D6F86D6000-memory.dmp

    Filesize

    472KB

  • memory/2088-7-0x00007FF9D4840000-0x00007FF9D522C000-memory.dmp

    Filesize

    9.9MB

  • memory/2088-10-0x000001D6F85B0000-0x000001D6F85D2000-memory.dmp

    Filesize

    136KB

  • memory/2088-30-0x000001D6F8490000-0x000001D6F84A0000-memory.dmp

    Filesize

    64KB

  • memory/2088-200-0x00007FF9D4840000-0x00007FF9D522C000-memory.dmp

    Filesize

    9.9MB

  • memory/2088-9-0x000001D6F8490000-0x000001D6F84A0000-memory.dmp

    Filesize

    64KB

  • memory/2088-8-0x000001D6F8490000-0x000001D6F84A0000-memory.dmp

    Filesize

    64KB

  • memory/4708-203-0x00007FF9D4840000-0x00007FF9D522C000-memory.dmp

    Filesize

    9.9MB

  • memory/4708-207-0x000001D4772A0000-0x000001D4772B0000-memory.dmp

    Filesize

    64KB

  • memory/4708-208-0x000001D4772A0000-0x000001D4772B0000-memory.dmp

    Filesize

    64KB

  • memory/4708-228-0x000001D4772A0000-0x000001D4772B0000-memory.dmp

    Filesize

    64KB

  • memory/4708-241-0x000001D477530000-0x000001D477540000-memory.dmp

    Filesize

    64KB

  • memory/4708-272-0x00007FF9D4840000-0x00007FF9D522C000-memory.dmp

    Filesize

    9.9MB