Analysis

  • max time kernel
    273s
  • max time network
    267s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 20:42

General

  • Target

    Adobe GenP 3.4.13 Beta 4.zip

  • Size

    678KB

  • MD5

    32e664a4fe87252393adbe59bbc17438

  • SHA1

    fa5f13b07ba9461fbbffcc9081206d3a3cc87bba

  • SHA256

    5ff14d16853c8c9b95a9d7a337f2196cbeca4d3169725b0f906c91efd272934b

  • SHA512

    b4be2f817b9f9f9c02fe10b4fe9e999a0c219f9977f8f7248d4c3e6a49d7fc0fb6b0c87df46b6d49e9af472a4921b7b8ec7d33cbe1f6ade8a60e956df795ff08

  • SSDEEP

    12288:lhdeAI3Bd5PmVDyrFhM5kweeykDoqacLxi8EakeNrBDnv:l3Az5PmArYyPrdcFFhBDnv

Score
1/10

Malware Config

Signatures

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Adobe GenP 3.4.13 Beta 4.zip"
    1⤵
      PID:4264
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4252
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\README.txt
        1⤵
          PID:3928
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
          1⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:792
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8c15c46f8,0x7ff8c15c4708,0x7ff8c15c4718
            2⤵
              PID:1820
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
              2⤵
                PID:3448
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1752
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
                2⤵
                  PID:4620
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
                  2⤵
                    PID:1668
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
                    2⤵
                      PID:920
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
                      2⤵
                        PID:4912
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
                        2⤵
                          PID:2612
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1624
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
                          2⤵
                            PID:3392
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
                            2⤵
                              PID:2004
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1556 /prefetch:1
                              2⤵
                                PID:5104
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
                                2⤵
                                  PID:808
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:3340
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:3936
                                  • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
                                    "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
                                    1⤵
                                      PID:5036
                                      • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
                                        "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe" -U:T -P:E -M:S "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
                                        2⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2348
                                    • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
                                      "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe"
                                      1⤵
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2172
                                    • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
                                      "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
                                      1⤵
                                        PID:32
                                        • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
                                          "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe" -U:T -P:E -M:S "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2944
                                      • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
                                        "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
                                        1⤵
                                          PID:4048
                                          • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
                                            "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe" -U:T -P:E -M:S "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
                                            2⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5020
                                        • C:\Windows\system32\taskmgr.exe
                                          "C:\Windows\system32\taskmgr.exe" /0
                                          1⤵
                                          • Checks SCSI registry key(s)
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:2132
                                        • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
                                          "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
                                          1⤵
                                            PID:3456
                                            • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
                                              "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe" -U:T -P:E -M:S "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
                                              2⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1948
                                          • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
                                            "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
                                            1⤵
                                            • Modifies registry class
                                            • Suspicious behavior: GetForegroundWindowSpam
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4676

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            c00b0d6e0f836dfa596c6df9d3b2f8f2

                                            SHA1

                                            69ad27d9b4502630728f98917f67307e9dd12a30

                                            SHA256

                                            578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1

                                            SHA512

                                            0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                            Filesize

                                            152B

                                            MD5

                                            54f1b76300ce15e44e5cc1a3947f5ca9

                                            SHA1

                                            c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7

                                            SHA256

                                            43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24

                                            SHA512

                                            ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            7d97946ca4f01dc5231059eb3600d809

                                            SHA1

                                            eb33b0db32b3907cfc2bfad17d4a52501f5a7764

                                            SHA256

                                            0be2d44dc237b3655c3a8dbabf1f14a2c6e5e0ab83b12d8ef509e2294f8369e9

                                            SHA512

                                            1d5f1604d61b9bce2fb21781a9d46f13974fd8f25e9c4b13bb76cdecf26909957ca98fc91cc2e00e377a3e336d92209bbaa5a9026dcdd1728d48a7709c92fcb2

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                            Filesize

                                            6KB

                                            MD5

                                            6c2b29fd57b004bf17cdc67afc9ccab2

                                            SHA1

                                            5be9207e160122b0f75e998b80692e3c8985bebf

                                            SHA256

                                            9d96dacb1c2f210bd510c349f466848bf57f5f6b828d3311230b70a24eb657ed

                                            SHA512

                                            b0a1485a69b34110dadca12268eba20625891e3504aae401f90e8abff0a6098d525bd0503b630941ce2aaad048b8190cbfe6ee81289fd0c196a7ea278381912b

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                            Filesize

                                            16B

                                            MD5

                                            6752a1d65b201c13b62ea44016eb221f

                                            SHA1

                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                            SHA256

                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                            SHA512

                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                            Filesize

                                            11KB

                                            MD5

                                            287e4ac45b66b2e76360440e0f0f4e2e

                                            SHA1

                                            f3aad9d12602ff8fb4914d84f81ec6b2387e0bb6

                                            SHA256

                                            2663a50f2671469fc670ea04023b56c094d87c2b6cc4b8e1903c49fbf328e87e

                                            SHA512

                                            dfd0b56b5cc154ac28ec6b9287be6516ed6fbccf45952feab578fd69d4f3eb0f99b66ac29fee42a2ed662379ff2b83183b99e11a14809bd7788e8eca1d6e81a8

                                          • C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe

                                            Filesize

                                            156KB

                                            MD5

                                            7aacfd85b8dff0aa6867bede82cfd147

                                            SHA1

                                            e783f6d4b754ea8424699203b8831bdc9cbdd4e6

                                            SHA256

                                            871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

                                            SHA512

                                            59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

                                          • memory/2132-64-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/2132-69-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/2132-75-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/2132-74-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/2132-73-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/2132-72-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/2132-71-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/2132-70-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/2132-65-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB

                                          • memory/2132-63-0x000001A849C70000-0x000001A849C71000-memory.dmp

                                            Filesize

                                            4KB