Analysis
- max time kernel: 26s
- max time network: 18s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-de
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-de, locale:de-de, os:windows10-2004-x64, system:windows
- submitted: 25-05-2024 20:52
Behavioral task
- behavioral1
- Sample: Аdоbе Рhоtоshор 2024.exe
- Resource: win10v2004-20240426-de
General
- Target: Аdоbе Рhоtоshор 2024.exe
- Size: 172.0MB
- MD5: bb14f33a26af590f00e915ff3a1e35e6
- SHA1: 414f3a0d345de90a67dd81a743e9201927bcd142
- SHA256: ea18b965ab43d927a1d690f395f4e2b55a15db9744f68454a86b5508b302c404
- SHA512: 3287f3c8979635cb0ed7d3748b719d418c339665a94be68a937e7fc0856831f6e5120c23a5f96ad890fd93b068b0fd57bfbd8c9a08f2bf6d259617e86c1d7dfc
- SSDEEP: 3145728:ayDd2NHceT9JMuwVK7eBmCd+kbidragqT6ugQGibL1N3ISPGtNtIdDtswZ6Y2zVr:s8eT9HwVKh77dGgq1zGiNNYYiqYzvf/1
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
    process: Аdоbе Рhоtоshор 2024.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid: 4292
    process: Рshор.exe
- Obfuscated with Agile.Net obfuscator (1 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
  - resource: behavioral1/memory/3424-1-0x0000000000A10000-0x0000000001A10000-memory.dmp
    yara_rule: agile_net
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege
    pid: 3424
    process: Аdоbе Рhоtоshор 2024.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  - description: PID 3424 wrote to memory of 4292
    pid: 3424
    process: Аdоbе Рhоtоshор 2024.exe
    target process: Рshор.exe
  - description: PID 3424 wrote to memory of 4292
    pid: 3424
    process: Аdоbе Рhоtоshор 2024.exe
    target process: Рshор.exe
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\Аdоbе Рhоtоshор 2024.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Аdоbе Рhоtоshор 2024.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\Temp\Рshор.exe (child of 1)
    Command line: "C:\Windows\Temp\Рshор.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/3424-0-0x000000007534E000-0x000000007534F000-memory.dmp (Filesize: 4KB)
- memory/3424-1-0x0000000000A10000-0x0000000001A10000-memory.dmp (Filesize: 16.0MB)
- memory/3424-2-0x000000000FF30000-0x000000000FF96000-memory.dmp (Filesize: 408KB)
- memory/3424-3-0x0000000075340000-0x0000000075AF0000-memory.dmp (Filesize: 7.7MB)
- memory/3424-4-0x0000000055370000-0x0000000056370000-memory.dmp (Filesize: 16.0MB)
- memory/3424-5-0x000000000D8F0000-0x000000000D916000-memory.dmp (Filesize: 152KB)
- memory/3424-6-0x000000001B840000-0x000000001B8B6000-memory.dmp (Filesize: 472KB)
- memory/3424-7-0x000000001C130000-0x000000001C1F4000-memory.dmp (Filesize: 784KB)
- memory/3424-8-0x000000001C210000-0x000000001C22E000-memory.dmp (Filesize: 120KB)
- memory/3424-19-0x000000007534E000-0x000000007534F000-memory.dmp (Filesize: 4KB)