e86931616e47545cd08209e6149f26ee1e8ba0744b4934ba6b94ed628a1805cd

Analysis

max time kernel
113s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
23/07/2024, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobeCreativeCloudCleanerTool.exe
Size

8.3MB
MD5

a0b951c6d8a80a0ae49efa06d7ba1a68
SHA1

efd4c997e15b449746b4914d5878d622bc12a67a
SHA256

65277770adfdaf90072932e99e012b848a29df387e7f9f145992aee7d80d7b7f
SHA512

dca631c3a7a47e54a049b63c6cc20dd91f69efcaec62362331a4eaf86ad8efecd4ceb05f48f7770f6608cbb9cf6a5beee02adad7268f2dfdc4186119f6b1f3da
SSDEEP

196608:TA9v2Zf/aT9u8K+JEMHbgXh9i22+8fRHkj7nYUN8h5THnQi:TA9v2Jixu8tJELhD3WRHkYU6NHQi

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\dephelp.exe	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\dephelp.exe	AdobeCreativeCloudCleanerTool.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\en_US.txt	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\en_US.txt	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\HFCLib.dll	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\adbcl.exe	AdobeCreativeCloudCleanerTool.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\CS4CleanUpAddition.exe	AdobeCreativeCloudCleanerTool.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ja_JP.txt	AdobeCreativeCloudCleanerTool.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\PIMDBWrapper.dll	AdobeCreativeCloudCleanerTool.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\CS4CleanUpAddition.exe	AdobeCreativeCloudCleanerTool.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\HFCLib.dll	AdobeCreativeCloudCleanerTool.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\CleanUpRMDIR.exe	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\PIMDBWrapper.dll	AdobeCreativeCloudCleanerTool.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ProdInstallList.xml	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ProdInstallList.xml	AdobeCreativeCloudCleanerTool.exe
File created	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\adbcl.exe	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\CleanUpRMDIR.exe	AdobeCreativeCloudCleanerTool.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ja_JP.txt	AdobeCreativeCloudCleanerTool.exe

Executes dropped EXE 2 IoCs

pid	Process
896	ACToolMain.exe
3616	ACToolMain.exe

Loads dropped DLL 12 IoCs

pid	Process
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe
3616	ACToolMain.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4076	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 896	2300	AdobeCreativeCloudCleanerTool.exe	83
PID 2300 wrote to memory of 896	2300	AdobeCreativeCloudCleanerTool.exe	83
PID 2300 wrote to memory of 896	2300	AdobeCreativeCloudCleanerTool.exe	83
PID 896 wrote to memory of 3616	896	ACToolMain.exe	84
PID 896 wrote to memory of 3616	896	ACToolMain.exe	84
PID 896 wrote to memory of 3616	896	ACToolMain.exe	84
PID 3616 wrote to memory of 2944	3616	ACToolMain.exe	85
PID 3616 wrote to memory of 2944	3616	ACToolMain.exe	85
PID 3616 wrote to memory of 2944	3616	ACToolMain.exe	85
PID 3616 wrote to memory of 432	3616	ACToolMain.exe	86
PID 3616 wrote to memory of 432	3616	ACToolMain.exe	86
PID 3616 wrote to memory of 432	3616	ACToolMain.exe	86
PID 3616 wrote to memory of 3412	3616	ACToolMain.exe	87
PID 3616 wrote to memory of 3412	3616	ACToolMain.exe	87
PID 3616 wrote to memory of 3412	3616	ACToolMain.exe	87
PID 3616 wrote to memory of 3112	3616	ACToolMain.exe	88
PID 3616 wrote to memory of 3112	3616	ACToolMain.exe	88
PID 3616 wrote to memory of 3112	3616	ACToolMain.exe	88
PID 3616 wrote to memory of 4768	3616	ACToolMain.exe	89
PID 3616 wrote to memory of 4768	3616	ACToolMain.exe	89
PID 3616 wrote to memory of 4768	3616	ACToolMain.exe	89
PID 3616 wrote to memory of 4948	3616	ACToolMain.exe	90
PID 3616 wrote to memory of 4948	3616	ACToolMain.exe	90
PID 3616 wrote to memory of 4948	3616	ACToolMain.exe	90
PID 4948 wrote to memory of 4568	4948	cmd.exe	91
PID 4948 wrote to memory of 4568	4948	cmd.exe	91
PID 4948 wrote to memory of 4568	4948	cmd.exe	91
PID 3616 wrote to memory of 4936	3616	ACToolMain.exe	92
PID 3616 wrote to memory of 4936	3616	ACToolMain.exe	92
PID 3616 wrote to memory of 4936	3616	ACToolMain.exe	92
PID 4936 wrote to memory of 3016	4936	cmd.exe	93
PID 4936 wrote to memory of 3016	4936	cmd.exe	93
PID 4936 wrote to memory of 3016	4936	cmd.exe	93
PID 3616 wrote to memory of 4076	3616	ACToolMain.exe	94
PID 3616 wrote to memory of 4076	3616	ACToolMain.exe	94
PID 3616 wrote to memory of 4076	3616	ACToolMain.exe	94

C:\Users\Admin\AppData\Local\Temp\AdobeCreativeCloudCleanerTool.exe
"C:\Users\Admin\AppData\Local\Temp\AdobeCreativeCloudCleanerTool.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe
  "C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe
    "C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3412
  - - C:\Windows\SysWOW64\cmdkey.exe
      cmdkey /list
      4⤵
      PID:3112
  - - C:\Windows\SysWOW64\cmdkey.exe
      cmdkey /list
      4⤵
      PID:4768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /TN "AdobeAAMUpdater-1.0-TDJAFPIX-Admin" /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /TN "AdobeAAMUpdater-1.0-TDJAFPIX-Admin" /F
        5⤵
        
        PID:4568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /delete /TN "AdobeUpdater Task-TDJAFPIX-Admin" /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /TN "AdobeUpdater Task-TDJAFPIX-Admin" /F
        5⤵
        
        PID:3016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /FI "IMAGENAME eq AAM Updates Notifier.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ACToolMain.exe

Filesize
6.7MB

MD5
a12a8a4c19abfaabaa5848e6be073446

SHA1
28efc412c4a9e84980544938c225959cb0671f63

SHA256
ddf135e1f6ed85914cb19449e1aaecb46ba34515d128544b508e608bd2287016

SHA512
f99258288ff8dd9c2e41a7903bbe6edebbaad16b631aecf56a84b7483d503e30704d918bdb4f7b70147030d4a8a80dedb8add08fe72d81e802ed1de6ad88e7d4

Download Submit
C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ProdInstallList.xml

Filesize
6.3MB

MD5
de7cc2fc8d2f1228d587f959ecbbe311

SHA1
964a5b6c400b44450e87768521b8c35719d982a3

SHA256
401e53d748e69fa9247e51d379ffaa54957730b0266f8b1de91308bf015dfc15

SHA512
9934db5f28c4bfed5d408813b0a96f601759546765cc571df1f0d6bf930b360b153290a794381f6e0141a00b895e4da76d09f29035ed64cb12112aa47d72b5c1

Download Submit
C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\en_US.txt

Filesize
2KB

MD5
30cd177a4424d4229d8a1fb25a6b1e28

SHA1
b888b1d16bde18d24cb23c8b6b19ff59843c5001

SHA256
388ec8c0e2524f39c04bd9eefcb8a9f54be1b84a7f48c6cdcac26ef4fcb476b8

SHA512
749833e12a2d32b8c56275f41b68c0a867ac42064045fb0cec9ff47b0994657e42e90859d0495f1bfe25c34674c5adfbef0af4df0c62ec28dde6226de5736b36

Download Submit
C:\Program Files (x86)\Common Files\Adobe\AdobeCreativeCloudCleanerTool\ja_JP.txt

Filesize
3KB

MD5
5e05dc88dd24e414541c8dd0f895abc8

SHA1
27e139e6f31eae79a51530e99720248dc39314e7

SHA256
09735466b479511f776d332150cd90d444d9d4c6572220ea02d24425a053be5f

SHA512
46ed0efdc64692d8bbb7d171e6d9c5cc460f17affdbff29f4171cb3d1ab8de56dc41c34c9f3252f5bcefedcd0200a1199494fdc7f02491dec068ea46f2bf6250

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\ACToolMain.exe.manifest

Filesize
499B

MD5
001ce64d40f5d96cfaed8c3fbca126dd

SHA1
f14664edf8b5d80b12608c36fd8568d59a4ccaa7

SHA256
6351b663c952000efabe581f2c10db0505b2bd973f35f90344a27e1763d3be39

SHA512
176a3c12d27d763486127efa9c8fdbc1c646f7cd52593fb71090c1a5f28bc353311de59a6f5896cf5c254dcf5de193548055ad347fe748e74c034b5eaf917655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\PyWinTypes25.dll

Filesize
120KB

MD5
512d382120cee043f588adb419e74a9a

SHA1
03a945e6fa92656cde8c51f3d3f12c72c0b534c8

SHA256
ce0ab6842646ad2312e50f6af16fe409710a4f4caf90e8d77bc041a6ae1d80a6

SHA512
d6a27f2e4c740d37094af61001f155964d34b69a4994b84a7210583016ba92a7458c9fb28ed57365afb6a25542c4351a47bca6ea8a2310b5760bb0a2d513b2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\_ctypes.pyd

Filesize
80KB

MD5
019603557a38c54685fa9701347f61d5

SHA1
2742f8d4f4389735c673da86ca996d11b8765910

SHA256
14947d2369718a54aea0a39d9d1fbf34be96eb1f61be75d9330620cf2e821ed2

SHA512
ea3e4c05dd3ef4f002ac7dd8fc8330a3fa4ae7bd7a0e997147eecdba38efe528a0a4d09d2665537c3cce570d56a04ae447fc4be7f6818f1b968de110e4fa7a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\_sqlite3.pyd

Filesize
48KB

MD5
6f3edf600b96fadbfcd1936e98e1e062

SHA1
64d3e18f40b32a879ceda276e805db81ad4b732c

SHA256
1aa78b5965f48f77e6a5a36cf40a69dc44683feaacb21e0b3d1dd103cc724017

SHA512
b66ebc69e6d19559b04cfc6e37176b1e0c63036ea6f6d44f340c8b84fce65d27200abf8e167171712017d4ff5a15ded5de22e00639e21fb11aa5dfd097b12e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\pyexpat.pyd

Filesize
132KB

MD5
e91662a90d4051ff68eab6083d39df88

SHA1
718b85de972a3c4120e5dacfb7b25210b1412cdc

SHA256
6d960d05741d971629dd893f0ec75fa5ba11689686a2fccf1eb68ae3ce03c751

SHA512
4ff8c084468a3d33a45f335267c48bdb544e9dda31144be6a8accdbd1ac44cfb779d2df24da0b8bbacf5d1cedb00e3f566ccd942a406c527f6d2bf92351d9188

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\python25.dll

Filesize
2.0MB

MD5
d944becdd81caf160e6b2b3604291807

SHA1
656a376eb618cabe3bd255042ab2f2af7dc40985

SHA256
109e0a699a455f819b296cf17bfa89a55c92be9b61978b49a3c9b21c7595e5bc

SHA512
520b413671ef6997431fab54e7b7151674c484517f6879183d45a26d5f85f6beab2708925e4000bef15308845ef4c8e16e163bf1abf16cfdd475c311cde7776f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\pythoncom25.dll

Filesize
332KB

MD5
57e1d877a4590ab0cfd08f045196136d

SHA1
9576fb239666c9e44e08bb5605474a46aa42afa8

SHA256
ef537876ffeb4ce20b5dd7a18f444fdcca49562927ad27fe2b63ac0557c35bc1

SHA512
ede517807efb7d286c776e6525aa33bde37af967b4304097a8da456a99faad6f52ccc165fa4e7b0346932dc485f1a8874403814b87b27a593c9c7a8be580e0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\sqlite3.dll

Filesize
254KB

MD5
5e77d83899d0cac845c22bea665fe261

SHA1
7a225cb8bf78d24a7e8263147e65a21fb2a1002f

SHA256
b59aa4a6de3e725f9c044ca0ca60798a81f782cd4263be2420fb411e0043020f

SHA512
1b73a2c54288af6e6df36dbae28f09db010f295b957b65f9016703233f04667a15e45121e5a4e31ea4e098fa525e9dbb13504cc06768b4810edcbe4806132977

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\support\gen_py\dicts.dat

Filesize
10B

MD5
f51138fd324f1012a838130c2edf5704

SHA1
2b871cbe2d95bddd3870c6911766cb95270ce18e

SHA256
f81481c4ddd1561601c612b644b63b6220c0664934fbe46155487a1786ede987

SHA512
59aac7b50254147c76111c686caa434fb0cf0538dc928125e7de827902c682396d86e5ed3546a8f3e070a674ba398f483aa06c92c5de66665b3a45b4f3fc5fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\win32api.pyd

Filesize
104KB

MD5
6963b77ba2242514663ae52901a4fe11

SHA1
8086f59c4a7b2174fb7501923f22937e3ecf8215

SHA256
ffa18d3d344c133904854f81a999aee7a7cac4784201aba07ef4f3e1b6fef6d5

SHA512
6261adad18fd4bc2e5e160a737dfef1da99b563743ac353df77b2fe56267270b6ed00be073bdf6b4aae0ad44abd4f8d9c44cd4c43b6b6a14cd9b664e9ff1f75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8962\win32file.pyd

Filesize
112KB

MD5
7a413cbb37b41d21712ccdba93e88d3d

SHA1
7a77b6dde51ed56b1647609e7f9b0fcc245e597f

SHA256
c6f524cb79c109f16c4495a44879845e74af12573bad3d3456ef0b98bd8abbd3

SHA512
40fa7ed0cc358454e0007488c95f328c6ddfd012e9d59575f59ea8a2ba69dc5a60d5f389b8f50e9f7e562103a187d0dce2f8cdf305b74b10ed040ee3ed7e51f8

Download Submit
memory/3616-101-0x0000000060900000-0x0000000060944000-memory.dmp

Filesize
272KB

Download
memory/3616-97-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/3616-87-0x0000000002AF0000-0x0000000002B49000-memory.dmp

Filesize
356KB

Download