Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-09-2024 21:03
Static task: static1
Behavioral task: behavioral1
  Sample: adobe-cc-x86-64.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: adobe-cc-x86-64.exe
  Resource: win10v2004-20240802-en
General
Target: adobe-cc-x86-64.exe
Size: 3.3MB
MD5: d1336cfb68cac2d9453f81dc2a8d6d9b
SHA1: 070c9fb7ed6d4f4d2d7f95d1fb702bb2f637232b
SHA256: c6bb166294257e53d0d4b9ef6fe362c8cbacef5ec2bd26f98c6d7043284dec73
SHA512: 8af1b7c806528e26e2b19b570425fca5671341fc0574817333a5e5f33a4245a1b3bd20410f167423d5272fb6c0290f95238556604ec21f1ff52c29745a04d344
SSDEEP: 49152:vNq8Etmh0Zd963OXW1kzFbkSfEYYSkN4uGpkFk0cq+3YbQtwPhYqFIolmfbSTvF0:lqVUXkXEf+uBbcz3TyP+uIolfxNCm3K
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1604 adobe-cc-x86-64.tmp
- Loads dropped DLL (4 IoCs)
  Processes:
    PID 2084 adobe-cc-x86-64.exe
    PID 1604 adobe-cc-x86-64.tmp (listed 3 times)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by adobe-cc-x86-64.tmp
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by adobe-cc-x86-64.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 1604 adobe-cc-x86-64.tmp (listed 2 times)
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Processes:
    PID 2024 WMIC.exe adjusted each of the following tokens; the report lists every entry twice (20 privileges x 2 = 40 IoCs):
      Token: SeIncreaseQuotaPrivilege
      Token: SeSecurityPrivilege
      Token: SeTakeOwnershipPrivilege
      Token: SeLoadDriverPrivilege
      Token: SeSystemProfilePrivilege
      Token: SeSystemtimePrivilege
      Token: SeProfSingleProcessPrivilege
      Token: SeIncBasePriorityPrivilege
      Token: SeCreatePagefilePrivilege
      Token: SeBackupPrivilege
      Token: SeRestorePrivilege
      Token: SeShutdownPrivilege
      Token: SeDebugPrivilege
      Token: SeSystemEnvironmentPrivilege
      Token: SeRemoteShutdownPrivilege
      Token: SeUndockPrivilege
      Token: SeManageVolumePrivilege
      Token: 33
      Token: 34
      Token: 35
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    PID 2084 adobe-cc-x86-64.exe wrote to memory of PID 1604 (procid_target 31), 7 entries
    PID 1604 adobe-cc-x86-64.tmp wrote to memory of PID 2124 (procid_target 32), 4 entries
    PID 2124 cmd.exe wrote to memory of PID 2024 (procid_target 34), 3 entries
    PID 2124 cmd.exe wrote to memory of PID 1736 (procid_target 35), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\adobe-cc-x86-64.exe (PID 2084)
  Command line: "C:\Users\Admin\AppData\Local\Temp\adobe-cc-x86-64.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-7ID6V.tmp\adobe-cc-x86-64.tmp (PID 1604)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-7ID6V.tmp\adobe-cc-x86-64.tmp" /SL5="$400E4,2938718,205824,C:\Users\Admin\AppData\Local\Temp\adobe-cc-x86-64.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2124)
      Command line: "C:\Windows\system32\cmd.exe" cmd /c wmic diskdrive get model | FINDSTR /I "Virtual VBOX VMware">ds.txt
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\Wbem\WMIC.exe (PID 2024)
        Command line: wmic diskdrive get model
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\findstr.exe (PID 1736)
        Command line: FINDSTR /I "Virtual VBOX VMware"
Network
MITRE ATT&CK Enterprise v15
Downloads