Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-09-2024 21:03

General

  • Target

    adobe-cc-x86-64.exe

  • Size

    3.3MB

  • MD5

    d1336cfb68cac2d9453f81dc2a8d6d9b

  • SHA1

    070c9fb7ed6d4f4d2d7f95d1fb702bb2f637232b

  • SHA256

    c6bb166294257e53d0d4b9ef6fe362c8cbacef5ec2bd26f98c6d7043284dec73

  • SHA512

    8af1b7c806528e26e2b19b570425fca5671341fc0574817333a5e5f33a4245a1b3bd20410f167423d5272fb6c0290f95238556604ec21f1ff52c29745a04d344

  • SSDEEP

    49152:vNq8Etmh0Zd963OXW1kzFbkSfEYYSkN4uGpkFk0cq+3YbQtwPhYqFIolmfbSTvF0:lqVUXkXEf+uBbcz3TyP+uIolfxNCm3K

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adobe-cc-x86-64.exe
    "C:\Users\Admin\AppData\Local\Temp\adobe-cc-x86-64.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Users\Admin\AppData\Local\Temp\is-7ID6V.tmp\adobe-cc-x86-64.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7ID6V.tmp\adobe-cc-x86-64.tmp" /SL5="$400E4,2938718,205824,C:\Users\Admin\AppData\Local\Temp\adobe-cc-x86-64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" cmd /c wmic diskdrive get model | FINDSTR /I "Virtual VBOX VMware">ds.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic diskdrive get model
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2024
        • C:\Windows\system32\findstr.exe
          FINDSTR /I "Virtual VBOX VMware"
          4⤵
          PID:1736

Network

MITRE ATT&CK Enterprise v15


Downloads

    • \Users\Admin\AppData\Local\Temp\is-7ID6V.tmp\adobe-cc-x86-64.tmp

      Filesize

      1.5MB

      MD5

      2e5268d21ee1d98eccf3b34eec423da1

      SHA1

      8a2438cd614bb41e25840bd2d4093624340340c1

      SHA256

      16eb4e42a9368653bd9d53fe8bde815fe87c597239f36b662cc96dbc007200b7

      SHA512

      aad98865430deca874beff456d349e640caaf9969726f1b279995d4eff41efd77e422c43e739af245f7e7ab5e6f970b4b10a8ef40681621a419b533da002fe94

    • \Users\Admin\AppData\Local\Temp\is-USH6C.tmp\_isetup\_shfoldr.dll

      Filesize

      22KB

      MD5

      92dc6ef532fbb4a5c3201469a5b5eb63

      SHA1

      3e89ff837147c16b4e41c30d6c796374e0b8e62c

      SHA256

      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

      SHA512

      9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    • \Users\Admin\AppData\Local\Temp\is-USH6C.tmp\idp.dll

      Filesize

      232KB

      MD5

      55c310c0319260d798757557ab3bf636

      SHA1

      0892eb7ed31d8bb20a56c6835990749011a2d8de

      SHA256

      54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

      SHA512

      e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

    • memory/1604-10-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/1604-22-0x0000000000400000-0x0000000000588000-memory.dmp

      Filesize

      1.5MB

    • memory/2084-2-0x0000000000401000-0x0000000000417000-memory.dmp

      Filesize

      88KB

    • memory/2084-0-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

    • memory/2084-24-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB