8d66b4fd8b8031e419b2393ab86ee7846a580ebb97a6d6fa56a68adaa5374c73

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 15:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Premiere_Pro_Set-Up.exe
Size

2.0MB
MD5

aef9c419a9d62014d404d6fbc918206f
SHA1

da844993536c5b811754c78676662f705c2fec07
SHA256

8d66b4fd8b8031e419b2393ab86ee7846a580ebb97a6d6fa56a68adaa5374c73
SHA512

910d6135fc8e9657f23c17b905ff67570ac31ab6ec7980aaeef315d5a23078483045d672cf3991b831d876eb63ba9bb99e54a5701a9debef72e275743a0a8d4c
SSDEEP

49152:zqmy6gSCuaUoCOpbw3n0ocq4DGSdYTLHryG6HzhgtredQWF+mq:/2Fu3oCOcn07dtArylLZq

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/804-0-0x0000000000400000-0x0000000000927000-memory.dmp	upx
behavioral2/memory/804-99-0x0000000000400000-0x0000000000927000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
644	804	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Premiere_Pro_Set-Up.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Premiere_Pro_Set-Up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Premiere_Pro_Set-Up.exe = "11001"	Premiere_Pro_Set-Up.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	804	Premiere_Pro_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	804	Premiere_Pro_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	804	Premiere_Pro_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	804	Premiere_Pro_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	804	Premiere_Pro_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	804	Premiere_Pro_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	804	Premiere_Pro_Set-Up.exe
Token: SeIncreaseQuotaPrivilege	804	Premiere_Pro_Set-Up.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
804	Premiere_Pro_Set-Up.exe
804	Premiere_Pro_Set-Up.exe

C:\Users\Admin\AppData\Local\Temp\Premiere_Pro_Set-Up.exe
"C:\Users\Admin\AppData\Local\Temp\Premiere_Pro_Set-Up.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 2444
  2⤵
  - Program crash
  PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 804 -ip 804
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{B5AB00CF-D0C8-40D5-A94A-779DD844DCF4}\js\main.js

Filesize
7KB

MD5
a2ecc3bba3a5033720dd046cc6cf64d3

SHA1
49665f0f09e9d4ed4900706f74676c95e89e049d

SHA256
fc1bba3a598af6605a402ad2552cd8d7605e51a019af119f25f30dfbd67e63c0

SHA512
607a68fc046fd97c125cce992a3d3bcee2cef3db1e782ede497ed945677b3b32af953496444dc10312df815168fb9c9c2484a884fb320f5c8663a51edd7f7932

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B5AB00CF-D0C8-40D5-A94A-779DD844DCF4}\js\mainController.js

Filesize
18KB

MD5
51bdcc0e7d53c59ff20ff2f6e276e321

SHA1
10cbb35c2c714f940ee5d58a1cda84504471c764

SHA256
ec5b0cede51f5fd48c341cd27d42433bb9a2adb04836433fee5a90b101e4b1b2

SHA512
9ea5117d9a7862971947f7ece47dcbc2701b3ec61586f068a4cdc5d33c25e51b99dc4475fe9b2b33595f32d8d2c37e93310eb10638669b941f16b3d44d5c1a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B5AB00CF-D0C8-40D5-A94A-779DD844DCF4}\js\overlayController.js

Filesize
19KB

MD5
b610650c4d826b14c225cfbeca89b8c1

SHA1
05da2853feb6ec81fe44ef2c2d934878e48fb85b

SHA256
79d00458b49a02acee141b53dcf026aa1302ab6b48a745b57e1215bd3b20501c

SHA512
403d9f5f15e8a1ef438924327c1f8fe698a372ca0bcfbba7a1970005622c32468de89cbf13220aa33f6b0f44757c2f00c1f7291f45bf5e86bef9aa32586336d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B5AB00CF-D0C8-40D5-A94A-779DD844DCF4}\js\utils.js

Filesize
4KB

MD5
11671543588b007e7be2af6c784cb8ac

SHA1
84c86bb07a59ea951a510a7a7ac816b478598bd2

SHA256
bc354f2e25fe40ae21745c51b06d8f34643e238ee67fb94f5cd59c9b56ac17f5

SHA512
31af704991693747a74a32bdcfebabf31d98e2a47e69fe21a53c852b4c30de1c526ab602c530010e37751b59f6ff308c46443bb48fa30ed688c384fa0df35afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B5AB00CF-D0C8-40D5-A94A-779DD844DCF4}\lib\angular.min.js

Filesize
172KB

MD5
3be66f7f7b86956bc5e5abd64cadf924

SHA1
7d9e1d61541acfa6a0fdfc8f1932bd734fa61cb3

SHA256
b1a45f28aed77e38fb5ff62393f6c6573c6bea7f6089e83ed5e2e1fa025a6b2e

SHA512
2a72569fd512a2bf49d6667353530ab5bb2ff04b5579d007c4b5615ef128345d4dddd460cf1ec91daf775c40b15b9368ec1e815bfcdcf9e0abe94e8003fda947

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B5AB00CF-D0C8-40D5-A94A-779DD844DCF4}\lib\jquery.custom-scrollbar.min.js

Filesize
14KB

MD5
ab3adf4aff09a1c562a29db05795c8ab

SHA1
f6c3f470aea0678945cb889f518a0e9a5ce44342

SHA256
d05e193674c6fc31de0503cbc0b152600f22689ad7ad72adb35fcc7c25d4b01b

SHA512
44dfc748d0bd84f123f9d3f62d5ea137d9128d5bdbe45da9a8666d09039eb179acf0dbb3030e09896fd61e7aa5ae6dfaffe9258d80949a64d0a7e45037791fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B5AB00CF-D0C8-40D5-A94A-779DD844DCF4}\lib\jquery.min.js

Filesize
87KB

MD5
9ac39dc31635a363e377eda0f6fbe03f

SHA1
29fa5ad995e9ec866ece1d3d0b698fc556580eee

SHA256
9a2723c21fb1b7dff0e2aa5dc6be24a9670220a17ae21f70fdbc602d1f8acd38

SHA512
0799ae01799707b444fca518c3af9b91fda40d0a2c114e84bc52bd1f756b5e0d60f6fd239f04bd4d5bc37b6cdbf02d299185cd62410f2a514a7b3bd4d60b49fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B5AB00CF-D0C8-40D5-A94A-779DD844DCF4}\lib\jquery.placeholder.min.js

Filesize
3KB

MD5
e13f16e89fff39422bbb2cb08a015d30

SHA1
e7cacaf84f53997dd096afd1c5f350fd3e7c6ce9

SHA256
24320add10244d1834052c7e75b853aa2d164601c9d09220a9f9ac1f0ae44afe

SHA512
aad811f03f59f799da4b8fc4f859b51c39f132b7ddbffadabe4ec2373bd340617d6fe98761d1fb86d77606791663b387d98a60fba9cee5d99c34f683bcb8d1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B5AB00CF-D0C8-40D5-A94A-779DD844DCF4}\main.html

Filesize
20KB

MD5
a501355e23582cbc6c8c2835fe076f52

SHA1
5dea00de3c163b2f4a2807f65b81f07fc957031f

SHA256
4be92dee71936c52319d441434992895818586acab859000341af74d0175ab54

SHA512
6e59cd5cc629a24fd0bacd42734937df779417fea595488d37f9923631f4b59abe7e24e9075e55e4313ea197c30f0bd44fd1663d9e6a4f9308b5ed7e3d5a62b0

Download Submit
memory/804-0-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download
memory/804-99-0x0000000000400000-0x0000000000927000-memory.dmp

Filesize
5.2MB

Download