General
-
Target
Adobe.Photoshop.2024.v25.12.0.806.exe
-
Size
492.3MB
-
Sample
241004-r1j1vazbmj
-
MD5
0979c4293a5789466e339920f11e835b
-
SHA1
5f7ec25364432ae51efd6c9dd2f3b31cb59ab6c5
-
SHA256
4d9a9ec48650a2eef998e89c51273772802dbada3d5727e013b11659779c302f
-
SHA512
3afdd7555e464f4986e6d578b6239f1d0772c88530d7206cac56c0703ba985c8ecdf6feca8e28f3ddae86e6e54475ce37dec8615d6d3555fd2b765e421c8e5e6
-
SSDEEP
12582912:ifPEpU9BL0YziowXIqfjmEaGSEylWHzhPc9uPUDfPp6x:ifPh9BZziVYqjmYzhk9AUrPp6x
Malware Config
Targets
-
-
Target
Adobe.Photoshop.2024.v25.12.0.806.exe
-
Size
492.3MB
-
MD5
0979c4293a5789466e339920f11e835b
-
SHA1
5f7ec25364432ae51efd6c9dd2f3b31cb59ab6c5
-
SHA256
4d9a9ec48650a2eef998e89c51273772802dbada3d5727e013b11659779c302f
-
SHA512
3afdd7555e464f4986e6d578b6239f1d0772c88530d7206cac56c0703ba985c8ecdf6feca8e28f3ddae86e6e54475ce37dec8615d6d3555fd2b765e421c8e5e6
-
SSDEEP
12582912:ifPEpU9BL0YziowXIqfjmEaGSEylWHzhPc9uPUDfPp6x:ifPh9BZziVYqjmYzhk9AUrPp6x
Score8/10-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3PowerShell
2System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1