| File name: | AdobeGenP-3.4.13.4.exe |
| Full analysis: | https://app.any.run/tasks/2ed5f122-b9c3-4e44-a769-4f396e0fd0e2 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | July 24, 2024, 03:14:36 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | DDA7AC07C4630A25A65A40EB4065B0C8 |
| SHA1: | 37EBCF8F91C0B739A62823BE6E89443E1D36A026 |
| SHA256: | 3C80BA8FCDF07DCF7F676FA69F043BBC0C127680514281ACED70C2BA9775C1FB |
| SSDEEP: | 49152:YE/XUraxm5O9QMal0QRO8tfDqSnXmYwj9hCcGaH6BBpOn2qv:Y9rem5Oidkv |
MALICIOUS
Drops the executable file immediately after the start
- AdobeGenP-3.4.13.4.exe (PID: 528)
Modifies hosts file to block updates
- powershell.exe (PID: 1132)
Actions looks like stealing of personal data
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Steals credentials from Web Browsers
- AdobeGenP-3.4.13.4.exe (PID: 6636)
SUSPICIOUS
Reads security settings of Internet Explorer
- AdobeGenP-3.4.13.4.exe (PID: 528)
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Reads the date of Windows installation
- AdobeGenP-3.4.13.4.exe (PID: 528)
Application launched itself
- AdobeGenP-3.4.13.4.exe (PID: 528)
Found IP address in command line
- powershell.exe (PID: 4516)
Starts POWERSHELL.EXE for commands execution
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Probably obfuscated PowerShell command line is found
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Uses NETSH.EXE to add a firewall rule or allowed programs
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Uses NETSH.EXE to delete a firewall rule or allowed programs
- AdobeGenP-3.4.13.4.exe (PID: 6636)
The process bypasses the loading of PowerShell profile settings
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Request a resource from the Internet using PowerShell's cmdlet
- AdobeGenP-3.4.13.4.exe (PID: 6636)
The process checks if current user has admin rights
- AdobeGenP-3.4.13.4.exe (PID: 6636)
INFO
Checks supported languages
- AdobeGenP-3.4.13.4.exe (PID: 528)
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Reads mouse settings
- AdobeGenP-3.4.13.4.exe (PID: 528)
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Process checks computer location settings
- AdobeGenP-3.4.13.4.exe (PID: 528)
Reads the computer name
- AdobeGenP-3.4.13.4.exe (PID: 528)
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Create files in a temporary directory
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Checks proxy server information
- slui.exe (PID: 1596)
- powershell.exe (PID: 1132)
Reads the software policy settings
- slui.exe (PID: 1596)
Creates files in the program directory
- AdobeGenP-3.4.13.4.exe (PID: 6636)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 1132)
Disables trace logs
- powershell.exe (PID: 1132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:04:04 16:17:11+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.16 |
| CodeSize: | 734208 |
| InitializedDataSize: | 470528 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2549c |
| OSVersion: | 5.2 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.4.13.4 |
| ProductVersionNumber: | 3.4.13.4 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |
| FileVersion: | 3.4.13.4 |
| Comments: | Adobe GenP v3.4.13.4 |
| FileDescription: | Adobe GenP v3.4.13.4 |
| ProductName: | Adobe GenP v3.4.13.4 |
| ProductVersion: | 3.4.13.4 |
| CompanyName: | GenP |
| LegalCopyright: | GenP |
| LegalTradeMarks: | GenP |
Total processes
153
Monitored processes
13
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 528 | "C:\Users\admin\AppData\Local\Temp\AdobeGenP-3.4.13.4.exe" | C:\Users\admin\AppData\Local\Temp\AdobeGenP-3.4.13.4.exe | — | explorer.exe | |||||||||||
User: admin Company: GenP Integrity Level: MEDIUM Description: Adobe GenP v3.4.13.4 Exit code: 0 Version: 3.4.13.4 Modules
| |||||||||||||||
| 1132 | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe -NoProfile -Command "if(-not([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)){Write-Host 'Script execution failed...';exit};$hostsPath='C:\Windows\System32\drivers\etc\hosts';$webContent=(Invoke-RestMethod -Uri 'https://raw.githubusercontent.com/ignaciocastro/adobe-is-dumb/main/list.txt' -UseBasicParsing).Split($([char]0x0A))|ForEach-Object{ $_.Trim()};$currentHostsContent=Get-Content -Path $hostsPath;$startMarker='#region Adobe URL Blacklist';$endMarker='#endregion';$blockStart=$currentHostsContent.IndexOf($startMarker);$blockEnd=$currentHostsContent.IndexOf($endMarker);if($blockStart -ne -1 -and $blockEnd -ne -1){$currentHostsContent=$currentHostsContent[0..($blockStart-1)]+$currentHostsContent[($blockEnd+1)..$currentHostsContent.Length]};$newBlock=@($startMarker)+$webContent+$endMarker;$newHostsContent=$currentHostsContent+$newBlock;Set-Content -Path $hostsPath -Value $newHostsContent;Write-Host 'Script execution complete.';exit" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | AdobeGenP-3.4.13.4.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1264 | "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe" -Command "$currentDate=Get-Date;$ipAddresses=@();try{$SOA=(Resolve-DnsName -Name adobe.io -Type SOA -ErrorAction Stop).PrimaryServer}catch{$SOA=$null};if($SOA){Do{if((New-TimeSpan -Start $currentDate -End (Get-Date)).TotalSeconds -gt 5){if($ipAddresses.Count -eq 0){$ipAddresses+='False'};break};try{$ipAddress=(Resolve-DnsName -Name adobe.io -Server $SOA -ErrorAction Stop).IPAddress}catch{$ipAddress=$null};if($ipAddress){$ipAddresses+=$ipAddress};$ipAddresses=$ipAddresses|Select -Unique|Sort-Object}While($ipAddresses.Count -lt 8)}else{$ipAddresses+='False'};Do{if((New-TimeSpan -Start $currentDate -End (Get-Date)).TotalSeconds -gt 5 -or $ipAddresses[0] -eq 'False'){break};try{$ipAddress=(Resolve-DnsName -Name 3u6k9as4bj.adobestats.io -ErrorAction Stop).IPAddress}catch{$ipAddress=$null};if($ipAddress){$ipAddresses+=$ipAddress};$ipAddresses=$ipAddresses|Select -Unique|Sort-Object}While($ipAddresses.Count -lt 12 -and $ipAddresses[0] -ne 'False');$ipAddresses=$ipAddresses -ne 'False'|Select -Unique|Sort-Object;$ipAddressList=if($ipAddresses.Count -eq 0){'False'}else{$ipAddresses -join ','};$ipAddressList" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | AdobeGenP-3.4.13.4.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1564 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1596 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2548 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3220 | netsh advfirewall firewall add rule name="Adobe Unlicensed Pop-up" dir=out action=block remoteip="18.172.112.115,18.172.112.123,18.172.112.59,18.172.112.76,18.213.11.84,3.219.243.226,3.233.129.217,34.237.241.83,50.16.47.176,52.22.41.97,52.6.155.20,54.224.241.105" | C:\Windows\System32\netsh.exe | — | AdobeGenP-3.4.13.4.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4336 | netsh advfirewall firewall delete rule name="Adobe Unlicensed Pop-up" | C:\Windows\System32\netsh.exe | — | AdobeGenP-3.4.13.4.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4516 | "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe" -Command "Test-Connection 8.8.8.8 -Count 1 -Quiet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | AdobeGenP-3.4.13.4.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5872 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netsh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
32 346
Read events
32 122
Write events
209
Delete events
15
Modification events
| (PID) Process: | (528) AdobeGenP-3.4.13.4.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (528) AdobeGenP-3.4.13.4.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (528) AdobeGenP-3.4.13.4.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (528) AdobeGenP-3.4.13.4.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1264) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1264) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1264) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1264) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1132) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PowerShell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (1132) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PowerShell_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
Executable files
0
Suspicious files
2
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6636 | AdobeGenP-3.4.13.4.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.dll.bak | — | |
MD5:— | SHA256:— | |||
| 6636 | AdobeGenP-3.4.13.4.exe | C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.dll | — | |
MD5:— | SHA256:— | |||
| 1264 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mmwdg1b3.i15.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1264 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nrko2dz0.lor.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4516 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gzoi4u4x.czc.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6636 | AdobeGenP-3.4.13.4.exe | C:\Users\admin\AppData\Local\Temp\aut10F3.tmp | binary | |
MD5:676E7BE9E8E977819EAAF83654627BD9 | SHA256:0007DA89F7DC235EBDF9BCA31EB1926405E5B8F755DD84107B87D001B43659B6 | |||
| 6636 | AdobeGenP-3.4.13.4.exe | C:\Users\admin\AppData\Local\Temp\config.ini | ini | |
MD5:B0C34CC14886B2BD2F72B56957C55A66 | SHA256:1277DD76C6F9770A3DDA70C8F425FB1DBD72DD629726DA36B842CDF0BA2B2C7E | |||
| 4516 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bv20hjxb.mpt.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1132 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d1t0fdsm.trc.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4516 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:B1A75209255850C2B04D4C1BC45A75AF | SHA256:9732975BCEF3B6BBC51136ADDB58874D4B8C660814C0A9BE19FCB04F08C7F768 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
50
DNS requests
33
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5700 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
3148 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
6432 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6012 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
3008 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4008 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
— | — | 184.86.251.13:443 | — | Akamai International B.V. | DE | unknown |
— | — | 4.209.32.67:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
3952 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
— | — | 4.209.32.198:443 | licensing.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
1756 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1596 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
licensing.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
arc.msn.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
fd.api.iris.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |