Analysis
max time kernel: 126s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-09-2024 21:02
Static task: static1
Behavioral task: behavioral1
Sample: Adobe.exe
Resource: win7-20240903-en
General
Target: Adobe.exe
Size: 13.1MB
MD5: 94a4cf44784c5ee6d367a314baaad468
SHA1: 0598573a52eef7d17f95e6d164d13dc82cd9f218
SHA256: 28907701949c43559e5dfe1fed791b19bfa9f7009a171945dcd4d4b49f9cddd2
SHA512: 10d451ded975fd8b08e7d70708cbaac9ec931f5d06665eb7dc430874373aeb41a38128230429dfc2cd3a5eaca72493d8ee5dd3c3d152023cad1dcf67b77c6333
SSDEEP: 393216:BdnFCDbuNvhuGCDbuNetK0NYAaWzxDxE:zFCDbux0GCDbu
Malware Config
Signatures
SectopRAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/756-26-0x0000000001120000-0x00000000011E6000-memory.dmp | family_sectoprat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Suspicious use of SetThreadContext 2 IoCs
Processes: Adobe.exe, cmd.exe
description | pid | Process | procid_target
PID 740 set thread context of 2872 | 740 | Adobe.exe | 89
PID 2872 set thread context of 756 | 2872 | cmd.exe | 100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Adobe.exe, cmd.exe, MSBuild.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adobe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: Adobe.exe, cmd.exe
pid | Process | events
740 | Adobe.exe | 2
2872 | cmd.exe | 4

Suspicious behavior: MapViewOfSection 3 IoCs
Processes: Adobe.exe, cmd.exe
pid | Process | events
740 | Adobe.exe | 1
2872 | cmd.exe | 2

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: MSBuild.exe
description | pid | Process
Token: SeDebugPrivilege | 756 | MSBuild.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes: Adobe.exe
pid | Process
740 | Adobe.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes: Adobe.exe
pid | Process
740 | Adobe.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes: Adobe.exe, cmd.exe
description | pid | Process | procid_target | events
PID 740 wrote to memory of 2872 | 740 | Adobe.exe | 89 | 4
PID 2872 wrote to memory of 756 | 2872 | cmd.exe | 100 | 5
Processes
C:\Users\Admin\AppData\Local\Temp\Adobe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Adobe.exe"
  PID: 740
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 2872
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    └ C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      PID: 756
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
  PID: 4692
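The WriteProcessMemory and SetThreadContext rows in the signatures section, read against the process tree, describe a two-hop injection chain: Adobe.exe (PID 740) writes into and repoints the main thread of a freshly spawned cmd.exe (PID 2872), which then does the same to MSBuild.exe (PID 756), the process whose memory carries the family_sectoprat YARA hit and the only one that adjusts SeDebugPrivilege. The script below is an added example and is not part of the sandbox report or of the sample: it parses the rows exactly as the report prints them, rebuilds the chain from the write-plus-thread-context pairs, and checks that the YARA hit sits in the last process of that chain. The row text, PID map and dump resource name are copied from this report; the regular expressions, function names and the `events` counting are mine.

```python
"""Reconstruct the process-hollowing chain from the sandbox's IoC rows."""
import re
from collections import defaultdict

# Constructed inputs: the report's own IoC rows, one event per "PID ..." fragment.
SET_THREAD_CONTEXT_ROWS = """
PID 740 set thread context of 2872 740 Adobe.exe 89
PID 2872 set thread context of 756 2872 cmd.exe 100
"""
WRITE_PROCESS_MEMORY_ROWS = """
PID 740 wrote to memory of 2872 740 Adobe.exe 89
PID 740 wrote to memory of 2872 740 Adobe.exe 89
PID 740 wrote to memory of 2872 740 Adobe.exe 89
PID 740 wrote to memory of 2872 740 Adobe.exe 89
PID 2872 wrote to memory of 756 2872 cmd.exe 100
PID 2872 wrote to memory of 756 2872 cmd.exe 100
PID 2872 wrote to memory of 756 2872 cmd.exe 100
PID 2872 wrote to memory of 756 2872 cmd.exe 100
PID 2872 wrote to memory of 756 2872 cmd.exe 100
"""
# pid -> image name, taken from the report's process tree.
PROCESSES = {740: "Adobe.exe", 2872: "cmd.exe", 756: "MSBuild.exe", 4692: "msedge.exe"}
# Memory-dump resource name behind the family_sectoprat YARA hit.
YARA_HIT = "behavioral2/memory/756-26-0x0000000001120000-0x00000000011E6000-memory.dmp"

# Row layout: "PID <src> <action> <dst> <src again> <src image> <procid_target>"
ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)")
# Dump layout: "<pid>-<dump index>-0x<base>-0x<end>-memory.dmp"
DUMP = re.compile(r"(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_rows(text):
    """Yield (src_pid, action, dst_pid, src_image, procid_target) for each row."""
    for m in ROW.finditer(text):
        yield int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), int(m.group(5))


def injection_edges(stc_rows, wpm_rows):
    """Count WriteProcessMemory ('wpm') and SetThreadContext ('stc') events per (src, dst)."""
    edges = defaultdict(lambda: {"wpm": 0, "stc": 0})
    for src, _, dst, _, _ in parse_rows(wpm_rows):
        edges[(src, dst)]["wpm"] += 1
    for src, _, dst, _, _ in parse_rows(stc_rows):
        edges[(src, dst)]["stc"] += 1
    return dict(edges)


def hollowing_chain(edges, root):
    """Follow edges that carry BOTH a memory write and a thread-context change.

    That pair is what a hollowing loader leaves behind: write the payload into a
    suspended child, then repoint its main thread with SetThreadContext. A write
    alone (or a context change alone) is not followed."""
    chain, seen, cur = [root], {root}, root
    while True:
        nxt = sorted(dst for (src, dst), c in edges.items()
                     if src == cur and c["wpm"] > 0 and c["stc"] > 0 and dst not in seen)
        if not nxt:
            return chain
        cur = nxt[0]
        seen.add(cur)
        chain.append(cur)


def parse_memdump_name(resource):
    """Decode pid, dump index and address range from the dump resource name."""
    m = DUMP.search(resource)
    if m is None:
        raise ValueError(f"unrecognised dump name: {resource}")
    pid, idx = int(m.group(1)), int(m.group(2))
    base, end = int(m.group(3), 16), int(m.group(4), 16)
    return {"pid": pid, "index": idx, "base": base, "end": end, "size": end - base}


def summarize(stc_rows=SET_THREAD_CONTEXT_ROWS, wpm_rows=WRITE_PROCESS_MEMORY_ROWS,
              processes=PROCESSES, yara_hit=YARA_HIT, root=740):
    """Tie the chain to the YARA hit: the family match should be in the LAST
    process of the chain, not in the submitted dropper."""
    edges = injection_edges(stc_rows, wpm_rows)
    chain = hollowing_chain(edges, root)
    dump = parse_memdump_name(yara_hit)
    return {
        "chain": [f"{pid}:{processes.get(pid, '?')}" for pid in chain],
        "payload_pid": dump["pid"],
        "payload_in_final_process": dump["pid"] == chain[-1],
        "payload_region_size": dump["size"],
        "edges": {f"{s}->{d}": c for (s, d), c in sorted(edges.items())},
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Two things the output makes explicit that the flat report does not: the dumped region in PID 756 is 0xC6000 bytes (811008), far smaller than the 13.1MB submitted file, so the family-tagged payload is an embedded stage rather than the dropper itself; and every process in the chain is a 32-bit image (cmd.exe from SysWOW64, MSBuild.exe from Framework rather than Framework64), consistent with the arch:x86 tag. When hunting for this outside a sandbox, look for the same pair, a cross-process memory write followed by a thread-context change into a child created by the writer, rather than for the specific image names, since the intermediate host (cmd.exe here) is interchangeable.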
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: 587213bb38beb37007f2636f574a793a
SHA1: aa92dc86e5f8ca6e28543b14147c3480c37db8cb
SHA256: 8941d07ebeed67ff4573ba4a83dfdbe5d922fbdda16f3525de283ba7c5c84c0b
SHA512: dab7fa550b8ea492acc63f35822057ef05876766cf28db768f21592571b0eeed82659396b566fe1311c456d59d9bdfd1cbbefa4418f159c219b518ad0c6f0fa4

Filesize: 1.4MB
MD5: 17f0949cafaa03e6fb374d44a9f3aa00
SHA1: 1c96158bf4535005adcbade6bd56f83722922c9e
SHA256: 4b689f8023611ad33c006afb94b510719d6cba426da62457a53a90ed27b9eda2
SHA512: 9cd4f3559d3fced8af4a78efde96a3307ce8f9218165d64044ee8f3cc513cfcc22008ba9cc8b8f6e05bd7af7b1d10cf5923118b4183885fa9072764d39f34b91