02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b

Analysis

max time kernel
154s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
Size

653KB
MD5

1b6aa7da8e5647dbcbf79272726879e1
SHA1

4b041b8e2f0ebfe5c8761edea03c7945b12e4bee
SHA256

02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b
SHA512

4895cde54a735910fc045e729d948acec9a8a3ae6f5591ce37d74d9e62ae785b63d4961d731bb8fd0c4bfe753dece1e1f583000496c8c17ad189040a3bf73e28
SSDEEP

12288:Lu3hilMMG0yucvwOLrXLKfTeSdZ5KrAziuRuWxnFW9E71KGQvLQ0R0JwcMBM5jnG:q3hilMMRz2rCTLdCrUuCnFr71KGQzew1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe

Executes dropped EXE 1 IoCs

pid	Process
2672	2313.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OLKFSTUB.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL	2313.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2313.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso20win32client.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONLNTCOMLIB.DLL	2313.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll	2313.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll	2313.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\adal.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll	2313.tmp
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso30win32client.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso50win32client.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140u.dll	2313.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	2313.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll	2313.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MeetingJoinAxOC.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	2313.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll	2313.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2313.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	AdobeARM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll	2313.tmp
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2313.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2313.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	2313.tmp
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	AdobeARM.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmgdsrv.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\IEAWSDC.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msoshext.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ONNXRuntime-0.5.X.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPWEC.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL	2313.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAMEEXT.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\xmsrv.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll	2313.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL	2313.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5024	AdobeARM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 2672	4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	93
PID 4148 wrote to memory of 2672	4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	93
PID 4148 wrote to memory of 2672	4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	93
PID 4148 wrote to memory of 5024	4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	94
PID 4148 wrote to memory of 5024	4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	94
PID 4148 wrote to memory of 5024	4148	02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe	94
PID 5024 wrote to memory of 3916	5024	AdobeARM.exe	105
PID 5024 wrote to memory of 3916	5024	AdobeARM.exe	105
PID 5024 wrote to memory of 3916	5024	AdobeARM.exe	105

C:\Users\Admin\AppData\Local\Temp\02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe
"C:\Users\Admin\AppData\Local\Temp\02778afa80c6c18bb693bb46fa88867f38fb2ae816ac6db5e071fc8b38bc0d2b.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\2313.tmp
  C:\Users\Admin\AppData\Local\Temp\2313.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2672
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\ARM\ArmReport.ini

Filesize
634B

MD5
4600ea83e72c40d5b6d25248895c4d66

SHA1
666d119fa0398adce7093f434fc15437ca6913c5

SHA256
4f9b2f699943dc7a42321fde879d884202e9b3bd8391519cc69bd83d8d485aae

SHA512
08c1e1315bd3be50f47cce09a7b9c36aa38572495cdcbaa1053f6cc14af921437f3972c25d2d5c8df70a5b2e239a62d4cec6b3039de5b99e43b173eab4cb0bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2313.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
178B

MD5
2919b6e694965fb3e3c42c0f35fa468b

SHA1
9348823ff682ecfc784487fbaa2900e92b6b0c24

SHA256
75dab166973a97e15a68ce3746f90934e5b237d3ae4b7e5162979c693e99f481

SHA512
b9807713de9b53216d46169719bd26c443f2c3c6066f1b889ec01793a33a7aac071909b112503d55c0402becf27098a963a4f31dac932a0b969c4e3a7d44d473

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp7D88.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpAE5E.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpAF39.tmp

Filesize
3KB

MD5
fc2430057cb1be74c788f10c2d4540c8

SHA1
cab67ee8d5191fbf9f25545825e06c1a822af2f2

SHA256
dcc9d2695125406282ba990fec39403c44b12964acf51b5e0dc7f2080d714398

SHA512
4e2b9709a9e3ca5173abb35816e5a0aebbf2a7aaf971d7f75f3ae66e4a812cbade103baa5016525f5ab83a60c18f8d3c278c90ff83e4afdae419f81673cb5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB46B.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
memory/4148-0-0x0000000000A80000-0x0000000000AC5000-memory.dmp

Filesize
276KB

Download
memory/4148-1-0x0000000000A80000-0x0000000000AC5000-memory.dmp

Filesize
276KB

Download
memory/4148-2-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/4148-13-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download