f183fe8f365d461bfa6c2d5603f37bb2da5b57393847486df99785df6f888195

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe After Effects 2024 24.0.3.2 (x64) + Patch/Adobe After Effects 2024 24.0.3.2 (x64) + Patch/Setup/packages/setup.exe
Size

9.6MB
MD5

4dc40661d30996777a5a35ec24fec3ce
SHA1

a73991cdbda052c6634301771cec5f3e2649db2a
SHA256

9645ee20696ec08b04e3f4ed4a1240a676800354f8885e387a8dd7523fd4f3f1
SHA512

e4dd50ff9f8de1541642723cd02dc64577e42a29e5bffb4d99858b0930ca0ac30e2f2f6ad7a5883afd447a6af226f4a1b4bd0a699bbd1da9d40a9781c879f9b1
SSDEEP

196608:XpH3Sfz7FwECTXV1olC1Xr4Bf6U0uDL4O6Y9evCrHce3Nj2yMNuoT:XB3gFqzV1f1XI6UuO6YJZ9nyVT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001"	Set-up.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4428	4748	setup.exe	88
PID 4748 wrote to memory of 4428	4748	setup.exe	88
PID 4748 wrote to memory of 4428	4748	setup.exe	88
PID 4748 wrote to memory of 2368	4748	setup.exe	93
PID 4748 wrote to memory of 2368	4748	setup.exe	93
PID 2368 wrote to memory of 1992	2368	setup.exe	94
PID 2368 wrote to memory of 1992	2368	setup.exe	94

C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Setup\packages\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Setup\packages\setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Setup\Set-up.exe
  "C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Setup\Set-up.exe"
  2⤵
  - Modifies Internet Explorer settings
  PID:4428
- C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Setup\packages\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Setup\packages\setup.exe" -sfxwaitall:1 "cmd" /c IF EXIST "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" ( REN "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" "Cinema 4D.yes" && XCOPY /y /r "C:\Users\Admin\AppData\Local\Temp\Adobe After Effects Temp\Cinema 4D.exe" "C:\Program Files\Maxon Cinema 4D 2023" )
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c IF EXIST "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" ( REN "C:\Program Files\Maxon Cinema 4D 2023\Cinema 4D.exe" "Cinema 4D.yes" && XCOPY /y /r "C:\Users\Admin\AppData\Local\Temp\Adobe After Effects Temp\Cinema 4D.exe" "C:\Program Files\Maxon Cinema 4D 2023" )
    3⤵
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads