adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
Size

159KB
MD5

ab98efb2f991fe0f764a1deb7cc39b67
SHA1

a79e0646669e9ba1b2aad4896caa8a2c6b29ac23
SHA256

adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2
SHA512

5baf23e7e46ce94c1daa9e7fb0479f11316c5c3fce826db05dd2f59bfa77594f222f25e5f97d95bb911df189a31da1677ceb3d5c673e4d990186f965fcdc06f4
SSDEEP

3072:Fx1TajppFJN7hyH8He6am2iQPgpKoVjM3N9XZbcqZcquHRg:j1TaFpR7UIttrQGvC991c+cD

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2960	AdobeARM.exe
2308	AdobeARM.exe
2172	AdobeARM.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AdobeARM = "\"C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.lnk\""	AdobeARM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AdobeARM = "\"C:\\Users\\Admin\\AppData\\Roaming\\AdobeARM.lnk\""	userinit.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2960 set thread context of 2172	2960	AdobeARM.exe	33
PID 2172 set thread context of 1084	2172	AdobeARM.exe	34
PID 1084 set thread context of 1628	1084	userinit.exe	35

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\773e7d0	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
File created	C:\Windows\AdobeARM.exe	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
File opened for modification	C:\Windows\AdobeARM.exe	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
File opened for modification	C:\Windows\773e7d0	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeARM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeARM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2172	AdobeARM.exe
2172	AdobeARM.exe
1084	userinit.exe
1084	userinit.exe
1084	userinit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2964	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
Token: SeDebugPrivilege	2964	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
Token: SeSecurityPrivilege	2172	AdobeARM.exe
Token: SeDebugPrivilege	2172	AdobeARM.exe
Token: SeSecurityPrivilege	1084	userinit.exe
Token: SeDebugPrivilege	1084	userinit.exe
Token: SeSecurityPrivilege	1628	explorer.exe
Token: SeDebugPrivilege	1628	explorer.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2748 wrote to memory of 2964	2748	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	30
PID 2964 wrote to memory of 2960	2964	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	31
PID 2964 wrote to memory of 2960	2964	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	31
PID 2964 wrote to memory of 2960	2964	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	31
PID 2964 wrote to memory of 2960	2964	adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe	31
PID 2960 wrote to memory of 2308	2960	AdobeARM.exe	32
PID 2960 wrote to memory of 2308	2960	AdobeARM.exe	32
PID 2960 wrote to memory of 2308	2960	AdobeARM.exe	32
PID 2960 wrote to memory of 2308	2960	AdobeARM.exe	32
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2960 wrote to memory of 2172	2960	AdobeARM.exe	33
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 2172 wrote to memory of 1084	2172	AdobeARM.exe	34
PID 1084 wrote to memory of 1628	1084	userinit.exe	35
PID 1084 wrote to memory of 1628	1084	userinit.exe	35
PID 1084 wrote to memory of 1628	1084	userinit.exe	35
PID 1084 wrote to memory of 1628	1084	userinit.exe	35
PID 1084 wrote to memory of 1628	1084	userinit.exe	35
PID 1084 wrote to memory of 1628	1084	userinit.exe	35
PID 1084 wrote to memory of 1628	1084	userinit.exe	35
PID 1084 wrote to memory of 1628	1084	userinit.exe	35
PID 1084 wrote to memory of 1628	1084	userinit.exe	35
PID 1084 wrote to memory of 1628	1084	userinit.exe	35

C:\Users\Admin\AppData\Local\Temp\adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
"C:\Users\Admin\AppData\Local\Temp\adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe
  "C:\Users\Admin\AppData\Local\Temp\adb60302050b3f9d05690a86b14212a35a49be08617e3b1136da91429267d0d2.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\AdobeARM.exe
    "C:\Windows\AdobeARM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\AdobeARM.exe
      "C:\Windows\AdobeARM.exe"
      4⤵
      Executes dropped EXE
      PID:2308
  - - C:\Windows\AdobeARM.exe
      "C:\Windows\AdobeARM.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\syswow64\userinit.exe
        
        "C:\Windows\syswow64\userinit.exe"
        5⤵
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
      - C:\Windows\syswow64\explorer.exe
        
        "C:\Windows\syswow64\explorer.exe"
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AdobeARM.lnk

Filesize
741B

MD5
9458e10938f091fab2a53feaf15213af

SHA1
2e25aa16620a00b89cb4074f75ae101bd92a5d3d

SHA256
a5044c173e247a9826e84e2bc2a4938d4944a975dab98fd3783406dcb0d75f6c

SHA512
2f978a875c8508ebba580827f07961bad151a765d7358905088aae826d358589f4d58894dd388acb9945d52a3394e508fbcbc8b447e525b6fe3c087dbcf3611a

Download Submit
C:\Windows\773e7d0

Filesize
1KB

MD5
9e5baa48b6a5d17ce12ec09a4ef7bbae

SHA1
ee30f74c32cef6020c4434e1c35b783020a02746

SHA256
13050b664e9f45ac65857d8221e33804007d84fb3afa0f08ebed642a4273d6af

SHA512
58eec6a2d80cc740f9e4895ff052ce86723cb6516fdf39f910a45557ac83efb3e0b5a7d14c3e11921aec40c8ce445b7181afa602e1177c494567b6d8d1eb8366

Download Submit
C:\Windows\AdobeARM.exe

Filesize
159KB

MD5
bf300fda09eb9f48b4b4c173e55513dc

SHA1
505667b8f147351f04068da7666a5f91ae0e56da

SHA256
389b0f117e67ea1cf06bf8c52affc0dca441e4d7ddb6cc0164643406b14ed9b5

SHA512
024190924207a6568b3a3e20f60cc29c53f56f9ee00dc9ab2ffd523347e2f63d885dd1646974bed819b0a51816bdcb516feaad030dd5cb59312546993844f47a

Download Submit
memory/2172-251-0x00000000000E0000-0x00000000000F3000-memory.dmp

Filesize
76KB

Download
memory/2172-424-0x00000000000E0000-0x00000000000F3000-memory.dmp

Filesize
76KB

Download
memory/2748-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2964-35-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-32-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-41-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2964-43-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2964-82-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2964-81-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-63-0x0000000000270000-0x00000000002C7000-memory.dmp

Filesize
348KB

Download
memory/2964-61-0x0000000000270000-0x00000000002C7000-memory.dmp

Filesize
348KB

Download
memory/2964-59-0x0000000000270000-0x00000000002C7000-memory.dmp

Filesize
348KB

Download
memory/2964-55-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download
memory/2964-53-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download
memory/2964-51-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download
memory/2964-49-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download
memory/2964-47-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2964-39-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2964-36-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-34-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-33-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-3-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-29-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-28-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-57-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download
memory/2964-22-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-20-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-18-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-45-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2964-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-7-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-38-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-37-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-31-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-30-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-27-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-26-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-25-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-24-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-16-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-14-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download
memory/2964-410-0x00000000001F0000-0x0000000000203000-memory.dmp

Filesize
76KB

Download