8c090285f4fee9ef2441de1c9a6404ec10afb06aa606194b09ee8b0e615990d6

General

Target

Adobe Photoshop.scr
Size

49KB
MD5

ea2a040747c7fde2a7a96a1a8d346823
SHA1

2e4573e863fbd174fa3e12c8e2d57f2d6dc4f8ea
SHA256

8c090285f4fee9ef2441de1c9a6404ec10afb06aa606194b09ee8b0e615990d6
SHA512

4bfb7cb68a3a5eea737e089d3947a51a1b39d615985505e5d8ab27b214b0f1655bf9f203701694342e5edacb6c204938358460f04a5bc2d2f58ffb6b8961afe2
SSDEEP

768:2NJXw9WvC9nPpT3RSW/Cv2YzidgrRUTO9PIKqz1QB6SRm1RvrkV8TMBGVmL:2NJg9WAPuDziYGK9M1QoSuRIV/YVmL

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3944	attrib.exe
4264	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
4184	$77Adobe Photoshop.scr

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\sysfig\\$77Adobe Photoshop.scr\""	Adobe Photoshop.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
3	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
828	schtasks.exe
5040	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4540	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4812	Adobe Photoshop.scr
4184	$77Adobe Photoshop.scr

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	Adobe Photoshop.scr
Token: SeDebugPrivilege	4184	$77Adobe Photoshop.scr

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4184	$77Adobe Photoshop.scr

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4264	4812	Adobe Photoshop.scr	72
PID 4812 wrote to memory of 4264	4812	Adobe Photoshop.scr	72
PID 4812 wrote to memory of 3944	4812	Adobe Photoshop.scr	74
PID 4812 wrote to memory of 3944	4812	Adobe Photoshop.scr	74
PID 4812 wrote to memory of 1824	4812	Adobe Photoshop.scr	76
PID 4812 wrote to memory of 1824	4812	Adobe Photoshop.scr	76
PID 1824 wrote to memory of 4540	1824	cmd.exe	78
PID 1824 wrote to memory of 4540	1824	cmd.exe	78
PID 1824 wrote to memory of 4184	1824	cmd.exe	79
PID 1824 wrote to memory of 4184	1824	cmd.exe	79
PID 4184 wrote to memory of 812	4184	$77Adobe Photoshop.scr	80
PID 4184 wrote to memory of 812	4184	$77Adobe Photoshop.scr	80
PID 4184 wrote to memory of 828	4184	$77Adobe Photoshop.scr	82
PID 4184 wrote to memory of 828	4184	$77Adobe Photoshop.scr	82
PID 4184 wrote to memory of 4040	4184	$77Adobe Photoshop.scr	84
PID 4184 wrote to memory of 4040	4184	$77Adobe Photoshop.scr	84
PID 4184 wrote to memory of 5040	4184	$77Adobe Photoshop.scr	86
PID 4184 wrote to memory of 5040	4184	$77Adobe Photoshop.scr	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4264	attrib.exe
3944	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Adobe Photoshop.scr
"C:\Users\Admin\AppData\Local\Temp\Adobe Photoshop.scr" /S
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sysfig"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4264
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\sysfig\$77Adobe Photoshop.scr"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E8D.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4540
- - C:\Users\Admin\AppData\Roaming\sysfig\$77Adobe Photoshop.scr
    "C:\Users\Admin\AppData\Roaming\sysfig\$77Adobe Photoshop.scr"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Adobe Photoshop.scr
      4⤵
      PID:812
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77Adobe Photoshop.scr" /TR "C:\Users\Admin\AppData\Roaming\sysfig\$77Adobe Photoshop.scr \"\$77Adobe Photoshop.scr\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:828
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN $77Adobe Photoshop.scr
      4⤵
      PID:4040
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "Adobe Photoshop_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
      4⤵
      Creates scheduled task(s)
      PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2E8D.tmp.bat

Filesize
169B

MD5
f0cd79a4e95f3ed5fe9fb6948c4616e9

SHA1
171c78df54e8869bd8d793691c1f32f7e99c7734

SHA256
ee663f1914ffec255064296247c5614332f102441c329ce2455a2af54f0d9801

SHA512
d19159e61b86c6628d3194708d95d2082b20bb74191786f28ed034d85fd62c9e7d7bcc905761e45620078efe2b18db9393587da4d04a0603f6fb23d66d36943f

Download Submit
C:\Users\Admin\AppData\Roaming\sysfig\$77Adobe Photoshop.scr

Filesize
49KB

MD5
ea2a040747c7fde2a7a96a1a8d346823

SHA1
2e4573e863fbd174fa3e12c8e2d57f2d6dc4f8ea

SHA256
8c090285f4fee9ef2441de1c9a6404ec10afb06aa606194b09ee8b0e615990d6

SHA512
4bfb7cb68a3a5eea737e089d3947a51a1b39d615985505e5d8ab27b214b0f1655bf9f203701694342e5edacb6c204938358460f04a5bc2d2f58ffb6b8961afe2

Download Submit
memory/4184-11-0x00007FFCFC0F0000-0x00007FFCFCADC000-memory.dmp

Filesize
9.9MB

Download
memory/4184-12-0x000000001BB00000-0x000000001BB10000-memory.dmp

Filesize
64KB

Download
memory/4812-0-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/4812-1-0x00007FFCFC0F0000-0x00007FFCFCADC000-memory.dmp

Filesize
9.9MB

Download
memory/4812-2-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/4812-4-0x00007FFCFC0F0000-0x00007FFCFCADC000-memory.dmp

Filesize
9.9MB

Download
memory/4812-9-0x00007FFCFC0F0000-0x00007FFCFCADC000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads