Analysis

- max time kernel: 146s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240704-en
- resource tags: arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 06-07-2024 05:19
Static task

- static1

Behavioral tasks

- behavioral1: Sample Adobe Installer.exe, Resource win7-20240705-en
- behavioral2: Sample Adobe Installer.exe, Resource win10-20240404-en
- behavioral3: Sample Adobe Installer.exe, Resource win10v2004-20240704-en
- behavioral4: Sample Adobe Installer.exe, Resource win11-20240704-en
General

- Target: Adobe Installer.exe
- Size: 22.9MB
- MD5: eefcbf5a048a4035bde572a53d4b3796
- SHA1: 39fbc3604afe3703dcb87efc4752050044998277
- SHA256: 22a0e808dc6971d2135da47e2e7ab470b0bcbe0d07e4c91df047d85981847752
- SHA512: 2c3cffd921d9ef573ebec598bb8a780d74e4be1c9aae1d6a0fd2d013353804807f1ace496785d44851b1f833e97e1058875963ac522b5aa4b7afdc4f90762a59
- SSDEEP: 196608:sOQ8raUTGNhy9jdon1nWxhhGYULhwG48:sT8rps09bGYULhL4
Malware Config
Signatures
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description              pid   process              target process
  set thread context of 5036   2940  Adobe Installer.exe  BitLockerToGo.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  5036  BitLockerToGo.exe
  5036  BitLockerToGo.exe
  5036  BitLockerToGo.exe
  5036  BitLockerToGo.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  2940  Adobe Installer.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description              pid   process              target process
  wrote to memory of 5036  2940  Adobe Installer.exe  BitLockerToGo.exe
  wrote to memory of 5036  2940  Adobe Installer.exe  BitLockerToGo.exe
  wrote to memory of 5036  2940  Adobe Installer.exe  BitLockerToGo.exe
  wrote to memory of 5036  2940  Adobe Installer.exe  BitLockerToGo.exe
  wrote to memory of 5036  2940  Adobe Installer.exe  BitLockerToGo.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Adobe Installer.exe (PID 2940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe Installer.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 5036, child of 2940)
    Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    - Suspicious behavior: EnumeratesProcesses