7160db2b7a6680480e64f0845512d203a575f807831faf9a652aaef0988f876c

General

Target

AdobeUpdate.exe
Size

116KB
MD5

5ed4728caa339c2a7479102f0c04c087
SHA1

20cd453fcac9d9960b0076715d985a55784a6b53
SHA256

7160db2b7a6680480e64f0845512d203a575f807831faf9a652aaef0988f876c
SHA512

a521eac0d54fbfb9726fad3fafcd7779d455ca46e065a3eafc1a7883961b061550bab8e93ce576904b6c6b2d25cf129ff3d2437ed26a6033ac7c0b4c628dc865
SSDEEP

3072:WG0YiclG1aM2F3W07EBxp+wrppp8pKZOijA81fBRHwHlAqzPWKwv:hiclGwI07580l5WJv

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4556	taskmgr.exe
4556	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	taskmgr.exe
Token: SeSystemProfilePrivilege	4556	taskmgr.exe
Token: SeCreateGlobalPrivilege	4556	taskmgr.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe
4556	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\AdobeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\AdobeUpdate.exe"
1⤵
PID:4920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1156
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:2384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.0.736311818\1090317062" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9f905d6-c2e2-4816-ae71-55c156864044} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 1852 203929f3358 gpu
    3⤵
    PID:4144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.1.783125776\484931851" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95623830-854b-458f-a713-c3d23573e628} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 2420 20386989f58 socket
    3⤵
    PID:2896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.2.1073828053\264583460" -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 2956 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75718d0d-de9b-4f03-a20a-565f34f3e256} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 3252 2039650f558 tab
    3⤵
    PID:3952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.3.1310511851\1176605253" -childID 2 -isForBrowser -prefsHandle 4268 -prefMapHandle 4256 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a529afcb-63bd-492f-b355-2eabf07c83f8} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 4280 20397e91d58 tab
    3⤵
    PID:2268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.4.1386467064\1543542458" -childID 3 -isForBrowser -prefsHandle 4808 -prefMapHandle 4704 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85970fe3-45eb-4775-93eb-c6af1f503a71} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 4908 2039a537e58 tab
    3⤵
    PID:728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.5.574601088\1229693324" -childID 4 -isForBrowser -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {befa0af0-fcf9-4da6-9cdb-31682bafac65} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 4948 2039a537858 tab
    3⤵
    PID:928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.6.869192209\504179651" -childID 5 -isForBrowser -prefsHandle 5176 -prefMapHandle 5236 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0560b51-1a6e-4f59-ae28-0ef866f7f1a7} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 5224 20399966958 tab
    3⤵
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2384.7.648958163\165416747" -childID 6 -isForBrowser -prefsHandle 5472 -prefMapHandle 5188 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35c74b8d-7283-4ca1-8447-b50baffc04b5} 2384 "\\.\pipe\gecko-crash-server-pipe.2384" 5508 2039a0bca58 tab
    3⤵
    PID:5156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rcjasbej.default-release\activity-stream.discovery_stream.json.tmp

Filesize
32KB

MD5
481de51c81a5767a2b0ea3745fb3ebd5

SHA1
dda61136685d9c6927de782dd83b3a57bdab6296

SHA256
62dc39397d62bae7d056d56e0b1042104f1a25935c40e65ce668d8844da6d07d

SHA512
cf995b6080d1c8f2e2046683c496c3b26a0b6a650c2bcf4944547872561e39939ce4950ffc16d9ec4adc1c903b93672bba6864e39b9569c5018d2d8cf9661a75

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rcjasbej.default-release\activity-stream.discovery_stream.json.tmp

Filesize
32KB

MD5
98600a7eb3166acae43699d1f435e904

SHA1
298ae9e01c35f897023f3e29652f454214c40c64

SHA256
5605ce38699fa7175f12868471649b10b1e07c20757caa45a4ecee20b0441d01

SHA512
b026abe47c01d9541a1faa5a2eefcfdf9ac104b3e8c5b96cf647eac01aae8273097695b232878efd19d31ccdcf47f74eef109196186bfc1da3de5db0246b669c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rcjasbej.default-release\prefs-1.js

Filesize
6KB

MD5
4ca38c6e5d96533187b350a2be6e41f1

SHA1
3c80c9de0345521e9e5733e084c62bfcaaa9552d

SHA256
79f6a72bf3f0a9642e21f8c2e74ec4777d4274ff8db787803bede42ca9577da9

SHA512
d87fba2709a72cd1936c90b0ac743ee412d33bdc1b19b555627f80543c4f00cea1718c6c748a80427bad19d1d38c569f2ed86afa1c8a6cb1218e94fa2fb17f60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rcjasbej.default-release\prefs-1.js

Filesize
6KB

MD5
9937351fb25b4f89e5746f7ff7370ffd

SHA1
c58effbf1c46726d60b9274c1fdcded62a8c17d4

SHA256
2c7715ff9cff05b8d60b02dce8e942c55b93b6d881d151d7262e990e1534b02e

SHA512
2638ad2d02bc61991a917a2f5bd924c624fc02f8e77b6cba17fcc797c928098a0592fa8c6a9c7918f3264b8d6f41eb4d5fc186c6c2c483719b1a657de07ad3e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rcjasbej.default-release\prefs.js

Filesize
6KB

MD5
18ddbae6db7d053eb8684a2420ed6f8c

SHA1
1a685b545d05c955b5c4f3f118d8c98f170e0141

SHA256
be7014df6d629293d75d9d93013f74c4851ed52a339f3a31837fa886a563d4d9

SHA512
fbfc7b686c6e6c88fd83ea38345e750e9cf47299beed4e4820647e1a5c4009bcdb9b59e853d9babd320ff8e49b2bae86989a0dec161d91b0cfc9f63706057043

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rcjasbej.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f2f5948a6e1f8754befa8355616e3de3

SHA1
3d43d5ea1587b2bf716fb2cb167108df0d391891

SHA256
bf9e5d4e375b87e6f1e90b885517a1f720d7053d0cf9b16166ab056610524e2b

SHA512
ef1f51b5e1645ad8cfd3debe498039ad41b83746e852293a26ce1473a00a9d78e2d41432ce2f410010e401c7334af3b584686db6bcbaabcd9465fe3b714cdb0f

Download Submit
memory/4556-12-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download
memory/4556-9-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download
memory/4556-8-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download
memory/4556-7-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download
memory/4556-10-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download
memory/4556-11-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download
memory/4556-0-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download
memory/4556-6-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download
memory/4556-1-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download
memory/4556-2-0x000001B079E00000-0x000001B079E01000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing