fe948aee2865c647197443970205169d34300becff3265ebe2223208a560dec5

General

Target

cd4fa39d99d58ea96b81c12a8859ba2b.exe
Size

404KB
MD5

cd4fa39d99d58ea96b81c12a8859ba2b
SHA1

5427575465c23cc2b7e38b13d7840d2862b5d324
SHA256

fe948aee2865c647197443970205169d34300becff3265ebe2223208a560dec5
SHA512

a5a839c700cd29df2ba88863a27a18525e44eda7e90988dc3ae999f092615a0ebc1f9b53dc50da759da5e77d001d1b7fc6bf1ccd1cab7b952349f97e278f25a0
SSDEEP

6144:Jl37vQRX5LmYj/6Me8JQnV6W8gTKlF2bbgT3F+G6JFYZYnS3xwC:bvmXNntxQnV6WdKlAAz0FYZYnS3xwC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cd4fa39d99d58ea96b81c12a8859ba2b.exe

Executes dropped EXE 3 IoCs

pid	Process
2148	Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe
1008	7za.exe
2236	ic1.exe

Loads dropped DLL 1 IoCs

pid	Process
1264	cd4fa39d99d58ea96b81c12a8859ba2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe
2148	Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2148	1264	cd4fa39d99d58ea96b81c12a8859ba2b.exe	99
PID 1264 wrote to memory of 2148	1264	cd4fa39d99d58ea96b81c12a8859ba2b.exe	99
PID 1264 wrote to memory of 2148	1264	cd4fa39d99d58ea96b81c12a8859ba2b.exe	99
PID 1264 wrote to memory of 1008	1264	cd4fa39d99d58ea96b81c12a8859ba2b.exe	100
PID 1264 wrote to memory of 1008	1264	cd4fa39d99d58ea96b81c12a8859ba2b.exe	100
PID 1264 wrote to memory of 1008	1264	cd4fa39d99d58ea96b81c12a8859ba2b.exe	100
PID 1264 wrote to memory of 2236	1264	cd4fa39d99d58ea96b81c12a8859ba2b.exe	102
PID 1264 wrote to memory of 2236	1264	cd4fa39d99d58ea96b81c12a8859ba2b.exe	102

C:\Users\Admin\AppData\Local\Temp\cd4fa39d99d58ea96b81c12a8859ba2b.exe
"C:\Users\Admin\AppData\Local\Temp\cd4fa39d99d58ea96b81c12a8859ba2b.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe
  "C:\Users\Admin\AppData\Local\Temp\Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\ic1.exe
  "C:\Users\Admin\AppData\Local\Temp\ic1.exe"
  2⤵
  - Executes dropped EXE
  PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe

Filesize
162KB

MD5
836f373ca91c863133e5575813bca1e3

SHA1
cdfb7b3d972feb15a4eef16a9a92111e4f84855f

SHA256
5d5c47f78fdd9c1cdae3a32d1519b25e405b1c7917157605285596f219a3761a

SHA512
ae677841be28c7b85ccb020b9a16cc380b09b6c367c5f6874f9b7e715a7af09fa24c766a74df1c7703d59b18640fe109c8960daa74b6ddbd0b4405e40fda75d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe After Effects Cs5 V10 0 X64 Incl Keymaker-Embrace.exe

Filesize
42KB

MD5
99386baf003540036e71bd25ea2fcb74

SHA1
fc4e57ae83469597225197064f839bc6a48a77f1

SHA256
f146b8cb732e1f2d27d25331925475f0f11d57db583f367e42a2018ba48a6886

SHA512
9cf5ec652d33cbaf59c96c918fb0db1556970394d73acd0e3d1253a47813a4c58ec546f98cccf277446dec45d2318dec32001136d2e9b96130e247d6e9e372e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
7KB

MD5
e73e5ecc3958ffe56d1b410b904c5cb6

SHA1
68a4b8b7bf87c5b56c5ae183f880c538ab831080

SHA256
c93868af3ba02f2b60348ee94daa6f5acabe9facfd4659ebeceb03f1cc4ebb86

SHA512
80beda8c24e7cbb3608d85bc393acc08d3772e352b4304d84bc9417f79d3a5b89afe82919e16adfaee3ad9c916282cb683355f87bab2a63cea94fec6ed0a6a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic1.exe

Filesize
18KB

MD5
b64b538899d4588a05d7d3db92918448

SHA1
b2d0b29a9c69bac6b22f696474eb031cca664f9a

SHA256
803abec016d53636f2817c972f2c769beb36501fc8bd30c73994958eb94cfb29

SHA512
ba4732c7a25dfdd636009a5ec8597e233c7c2b736b9c08a07dce13de70d9e0e08652b7f323ab590a29b57da12bf6a347675b2103bdfef06a80dbfd555ad09727

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj35B3.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
memory/2236-31-0x000000001BE00000-0x000000001C2CE000-memory.dmp

Filesize
4.8MB

Download
memory/2236-39-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/2236-29-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/2236-30-0x000000001B820000-0x000000001B8C6000-memory.dmp

Filesize
664KB

Download
memory/2236-27-0x00007FF985DE0000-0x00007FF986781000-memory.dmp

Filesize
9.6MB

Download
memory/2236-32-0x000000001C3B0000-0x000000001C44C000-memory.dmp

Filesize
624KB

Download
memory/2236-33-0x0000000001140000-0x0000000001148000-memory.dmp

Filesize
32KB

Download
memory/2236-34-0x000000001C510000-0x000000001C55C000-memory.dmp

Filesize
304KB

Download
memory/2236-35-0x000000001C5C0000-0x000000001C620000-memory.dmp

Filesize
384KB

Download
memory/2236-28-0x00007FF985DE0000-0x00007FF986781000-memory.dmp

Filesize
9.6MB

Download
memory/2236-40-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/2236-41-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/2236-42-0x00007FF985DE0000-0x00007FF986781000-memory.dmp

Filesize
9.6MB

Download
memory/2236-43-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/2236-44-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/2236-45-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/2236-46-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing