Play interactive tour

Edit tour

Analysis Report adobe.snr.patch.v2.0-painter.exe

Overview

General Information

Sample Name:	adobe.snr.patch.v2.0-painter.exe
Analysis ID:	330953
MD5:	b31679db7db878992b4553290a9e6c7c
SHA1:	7d0d2b434b51abe91e5b16e4c8dc8d26143b138c
SHA256:	256c2a409c97448d168f3eb1bfb89af3d259dfc05a510a3f464d8e4b348116d4
Most interesting Screenshot:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains sections with non-standard names

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

adobe.snr.patch.v2.0-painter.exe (PID: 6860 cmdline: 'C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe' MD5: B31679DB7DB878992B4553290A9E6C7C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: adobe.snr.patch.v2.0-painter.exe	Virustotal: Detection: 65%	Perma Link
Source: adobe.snr.patch.v2.0-painter.exe	Metadefender: Detection: 43%	Perma Link
Source: adobe.snr.patch.v2.0-painter.exe	ReversingLabs: Detection: 70%

Machine Learning detection for sample

Show sources

Source: adobe.snr.patch.v2.0-painter.exe

Joe Sandbox ML: detected

Source: adobe.snr.patch.v2.0-painter.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000000.233240197.00000000005A6000.00000008.00020000.sdmp	Binary or memory string: OriginalFilenameadobesnr.exeP vs adobe.snr.patch.v2.0-painter.exe
Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000002.530105572.000000006DAC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamevgm_play.dllD vs adobe.snr.patch.v2.0-painter.exe
Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000002.529566137.0000000004AA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewdmaud.drv.muij% vs adobe.snr.patch.v2.0-painter.exe
Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000002.518766183.0000000002630000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs adobe.snr.patch.v2.0-painter.exe
Source: adobe.snr.patch.v2.0-painter.exe	Binary or memory string: OriginalFilenameadobesnr.exeP vs adobe.snr.patch.v2.0-painter.exe

Source: adobe.snr.patch.v2.0-painter.exe

Static PE information: Section: .MPRESS1 ZLIB complexity 1.0003091277

Source: classification engine

Classification label: mal60.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

File created: C:\Users\user~1\AppData\Local\Temp\vgm_player.dll

Jump to behavior

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: adobe.snr.patch.v2.0-painter.exe	Virustotal: Detection: 65%
Source: adobe.snr.patch.v2.0-painter.exe	Metadefender: Detection: 43%
Source: adobe.snr.patch.v2.0-painter.exe	ReversingLabs: Detection: 70%

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

Window found: window name: TButton

Jump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

Unpacked PE file: 0.2.adobe.snr.patch.v2.0-painter.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

Source: adobe.snr.patch.v2.0-painter.exe	Static PE information: section name: .MPRESS1
Source: adobe.snr.patch.v2.0-painter.exe	Static PE information: section name: .MPRESS2

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe	Code function: 0_3_023CE715 push esi; ret	0_3_023CE716
Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe	Code function: 0_3_023CCC0C push eax; ret	0_3_023CCC0E
Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe	Code function: 0_3_023CCE6D push cs; retf	0_3_023CCE6E
Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe	Code function: 0_3_023CC5D6 push es; iretd	0_3_023CC5DE

Source: initial sample

Static PE information: section name: .MPRESS1 entropy: 7.99967477514

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

File created: C:\Users\user\AppData\Local\Temp\vgm_player.dll

Jump to dropped file

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

Window / User API: threadDelayed 5849

Jump to behavior

Source: C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe

Last function: Thread delayed

Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000002.517643832.0000000000F70000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000002.517643832.0000000000F70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000002.517643832.0000000000F70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000002.517643832.0000000000F70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000002.511387843.0000000000401000.00000040.00020000.sdmp	Binary or memory string: Shell_TrayWndS
Source: adobe.snr.patch.v2.0-painter.exe, 00000000.00000002.511387843.0000000000401000.00000040.00020000.sdmp	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing12	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
adobe.snr.patch.v2.0-painter.exe	66%	Virustotal		Browse
adobe.snr.patch.v2.0-painter.exe	43%	Metadefender		Browse
adobe.snr.patch.v2.0-painter.exe	71%	ReversingLabs	Win32.Hacktool.Patcher
adobe.snr.patch.v2.0-painter.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\vgm_player.dll	2%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\vgm_player.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\vgm_player.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.adobe.snr.patch.v2.0-painter.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1116574		Download File
0.1.adobe.snr.patch.v2.0-painter.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	330953
Start date:	15.12.2020
Start time:	20:56:58
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	adobe.snr.patch.v2.0-painter.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.evad.winEXE@1/1@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Execution Graph export aborted for target adobe.snr.patch.v2.0-painter.exe, PID 6860 because there are no executed function Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\vgm_player.dll	vHQYvz88iw.exe	Get hash	malicious	Browse
	adobe.snr.patch.v2.0-painter.exe	Get hash	malicious	Browse
	kkTsu5q9ua.exe	Get hash	malicious	Browse
	ASP_v2_0_P.exe	Get hash	malicious	Browse
	adobe.snr.patch.v2.0-painter.exe	Get hash	malicious	Browse
	adobe.snr.patch.v2.0-painter.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\vgm_player.dll Download File
Process:	C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	83968
Entropy (8bit):	6.234304945662412
Encrypted:	false
SSDEEP:	1536:bIkMAKIUVWsbWVdeX/tjjyp8XYXCXCAxPpZsM:bI/IUVWzdevtj+p8IySWp
MD5:	47361F2E1CE562953C36C1E3E4509C06
SHA1:	84031B61E761160040C0F02FCDBF5149AFA4CE1C
SHA-256:	C5F76741A5B02C7373A05C13F44B47AF60D130F2B2D1A510E7DF270BD2E4D62A
SHA-512:	0B2FAD69A2786D9934ED55525F67BE6661B9C22CCD3E0E752F60A787E804CE0C475CBA6D672A0507C55334D948E912E2BBD951F23BE19E30553B528B3516FFF2
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 2%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: vHQYvz88iw.exe, Detection: malicious, Browse Filename: adobe.snr.patch.v2.0-painter.exe, Detection: malicious, Browse Filename: kkTsu5q9ua.exe, Detection: malicious, Browse Filename: ASP_v2_0_P.exe, Detection: malicious, Browse Filename: adobe.snr.patch.v2.0-painter.exe, Detection: malicious, Browse Filename: adobe.snr.patch.v2.0-painter.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j...........n..............0......1..................Y.......G...........Rich...........................PE..L....M/X...........!................P........ ...............................@............@..........................7..a...T8..<.... ..p....................0....................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data........@......................@....rsrc...p.... .......4..............@..@.reloc.......0.......:..............@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	MS-DOS executable, MZ for MS-DOS
Entropy (8bit):	7.97199102850528
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	adobe.snr.patch.v2.0-painter.exe
File size:	601600
MD5:	b31679db7db878992b4553290a9e6c7c
SHA1:	7d0d2b434b51abe91e5b16e4c8dc8d26143b138c
SHA256:	256c2a409c97448d168f3eb1bfb89af3d259dfc05a510a3f464d8e4b348116d4
SHA512:	a9c65a280c5bfcd9a221a47237e96f454c85cf0a2222cd0469d2326a03cfaaa5b69424c4963f128affc91c8861b9aac236289578a94629717d81a7e3b08a75f2
SSDEEP:	12288:0MNVzzbgNRk1Lq+TC0YPxfqswK/EH1WYEmMC+jsEdf8Zdq0Cxmj1A:dLE1+TYPljwK/oY9se8Zd8kJA
File Content Preview:	MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....^B*............................?S....... ....@..........................................................................P..@....`...k.................................................

File Icon


Icon Hash:	82b2ecccd4b68a94

Static PE Info

General
Entrypoint:	0x5a533f
Entrypoint Section:	.MPRESS2
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DEBUG_STRIPPED, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	416af365bd0075002ad4b3999c9e9a47

Entrypoint Preview

Instruction
pushad
call 00007F14E5033CD5h
pop eax
add eax, 00000B5Ah
mov esi, dword ptr [eax]
add esi, eax
sub eax, eax
mov edi, esi
lodsw
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add esi, ecx
mov ecx, eax
push edi
push ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007F14E5033CC8h
sub eax, eax
lodsb
mov ecx, eax
and cl, FFFFFFF0h
and al, 0Fh
shl ecx, 0Ch
mov ch, al
lodsb
or ecx, eax
push ecx
add cl, ch
mov ebp, FFFFFD00h
shl ebp, cl
pop ecx
pop eax
mov ebx, esp
lea esp, dword ptr [esp+ebp*2-00000E70h]
push ecx
sub ecx, ecx
push ecx
push ecx
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
add ecx, 04h
push ecx
push eax
add ecx, 04h
push esi
push ecx
call 00007F14E5033D33h
mov esp, ebx
pop esi
pop edx
sub eax, eax
mov dword ptr [edx+esi], eax
mov ah, 10h
sub edx, eax
sub ecx, ecx
cmp ecx, edx
jnc 00007F14E5033CF8h
mov ebx, ecx
lodsb
inc ecx
and al, FEh
cmp al, E8h
jne 00007F14E5033CC4h
inc ebx
add ecx, 04h
lodsd
or eax, eax
js 00007F14E5033CD8h
cmp eax, edx
jnc 00007F14E5033CB7h
jmp 00007F14E5033CD8h
add eax, ebx
js 00007F14E5033CB1h
add eax, edx
sub eax, ebx
mov dword ptr [esi-04h], eax
jmp 00007F14E5033CA8h
call 00007F14E5033CD5h
pop edi
add edi, FFFFFF4Dh
mov al, E9h
stosb
mov eax, 00000B56h
stosd
call 00007F14E5033CD5h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a5000	0x340	.MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a6000	0x6be4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1a5eb0	0x18	.MPRESS2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a517c	0x50	.MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.MPRESS1	0x1000	0x1a4000	0x8b000	False	1.0003091277	data	7.99967477514	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.MPRESS2	0x1a5000	0xed8	0x1000	False	0.506103515625	data	5.53506287685	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x1a6000	0x6be4	0x6c00	False	0.323712384259	data	5.52077721827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
LIB	0x15f64c	0x14800	empty	English	United States
RT_CURSOR	0x173e4c	0x134	empty	English	United States
RT_CURSOR	0x173f80	0x134	empty
RT_CURSOR	0x1740b4	0x134	empty
RT_CURSOR	0x1741e8	0x134	empty
RT_CURSOR	0x17431c	0x134	empty
RT_CURSOR	0x174450	0x134	empty
RT_CURSOR	0x174584	0x134	empty
RT_CURSOR	0x1746b8	0x134	empty
RT_BITMAP	0x1747ec	0x1d0	empty
RT_BITMAP	0x1749bc	0x1e4	empty
RT_BITMAP	0x174ba0	0x1d0	empty
RT_BITMAP	0x174d70	0x1d0	empty
RT_BITMAP	0x174f40	0x1d0	empty
RT_BITMAP	0x175110	0x1d0	empty
RT_BITMAP	0x1752e0	0x1d0	empty
RT_BITMAP	0x1754b0	0x1d0	empty
RT_BITMAP	0x175680	0x1d0	empty
RT_BITMAP	0x175850	0x1d0	empty
RT_BITMAP	0x175a20	0x488	empty	Russian	Russia
RT_BITMAP	0x175ea8	0xc0	empty
RT_BITMAP	0x175f68	0xe0	empty
RT_BITMAP	0x176048	0xe0	empty
RT_BITMAP	0x176128	0xe0	empty
RT_BITMAP	0x176208	0xc0	empty
RT_BITMAP	0x1762c8	0xc0	empty
RT_BITMAP	0x176388	0xe0	empty
RT_BITMAP	0x176468	0xc58	empty	English	United States
RT_BITMAP	0x1770c0	0x328	empty	English	United States
RT_BITMAP	0x1773e8	0xc0	empty
RT_BITMAP	0x1774a8	0xe0	empty
RT_BITMAP	0x177588	0xe8	empty	Russian	Russia
RT_BITMAP	0x177670	0x328	empty	English	United States
RT_BITMAP	0x177998	0xc0	empty
RT_BITMAP	0x177a58	0x328	empty	English	United States
RT_BITMAP	0x177d80	0x328	empty	English	United States
RT_BITMAP	0x1780a8	0x328	empty	English	United States
RT_BITMAP	0x1783d0	0xe0	empty
RT_ICON	0x1a6a04	0x11fc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x1a7c28	0x25a8	data	English	United States
RT_ICON	0x1aa1f8	0x10a8	data	English	United States
RT_ICON	0x1ab2c8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x17d164	0x52	empty
RT_STRING	0x17d1b8	0x4c	empty
RT_STRING	0x17d204	0xaa	empty
RT_STRING	0x17d2b0	0x186	empty
RT_STRING	0x17d438	0x1ce	empty
RT_STRING	0x17d608	0x144	empty
RT_STRING	0x17d74c	0x7e	empty
RT_STRING	0x17d7cc	0x24	empty
RT_STRING	0x17d7f0	0x1a0	empty
RT_STRING	0x17d990	0x1d8	empty
RT_STRING	0x17db68	0x1ec	empty
RT_STRING	0x17dd54	0xec	empty
RT_STRING	0x17de40	0x370	empty
RT_STRING	0x17e1b0	0xc0	empty
RT_STRING	0x17e270	0xfc	empty
RT_STRING	0x17e36c	0x120	empty
RT_STRING	0x17e48c	0x4ac	empty
RT_STRING	0x17e938	0x36c	empty
RT_STRING	0x17eca4	0x390	empty
RT_STRING	0x17f034	0x430	empty
RT_STRING	0x17f464	0xf0	empty
RT_STRING	0x17f554	0xd8	empty
RT_STRING	0x17f62c	0x274	empty
RT_STRING	0x17f8a0	0x3e0	empty
RT_STRING	0x17fc80	0x388	empty
RT_STRING	0x180008	0x2d8	empty
RT_RCDATA	0x1802e0	0xcbf	empty	English	United States
RT_RCDATA	0x180fa0	0x3a5	empty	English	United States
RT_RCDATA	0x181348	0xd58	empty	Russian	Russia
RT_RCDATA	0x1820a0	0xd0d	empty	Russian	Russia
RT_RCDATA	0x182db0	0x10	empty
RT_RCDATA	0x182dc0	0x684	empty
RT_RCDATA	0x183444	0x434	empty	English	United States
RT_RCDATA	0x183878	0x4b1	empty	English	United States
RT_RCDATA	0x183d2c	0x1a1	empty	English	United States
RT_RCDATA	0x183ed0	0x671	empty	English	United States
RT_RCDATA	0x184544	0x7b1	empty	English	United States
RT_RCDATA	0x184cf8	0x70b	empty
RT_RCDATA	0x185404	0x1a90b	empty
RT_RCDATA	0x19fd10	0x640	empty
RT_RCDATA	0x1a0350	0x1bf0	empty
RT_RCDATA	0x1a1f40	0x1fdb	empty
RT_RCDATA	0x1a3f1c	0x2f3	empty
RT_GROUP_CURSOR	0x1a4210	0x14	empty	English	United States
RT_GROUP_CURSOR	0x1a4224	0x14	empty
RT_GROUP_CURSOR	0x1a4238	0x14	empty
RT_GROUP_CURSOR	0x1a424c	0x14	empty
RT_GROUP_CURSOR	0x1a4260	0x14	empty
RT_GROUP_CURSOR	0x1a4274	0x14	empty
RT_GROUP_CURSOR	0x1a4288	0x14	empty
RT_GROUP_CURSOR	0x1a429c	0x14	empty
RT_GROUP_ICON	0x1ac2b4	0x3e	data	English	United States
RT_VERSION	0x1ac334	0x2e0	data	English	United States
RT_MANIFEST	0x1ac654	0x58f	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.DLL	GetModuleHandleA, GetProcAddress
user32.dll	CharNextA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
version.dll	VerQueryValueA
gdi32.dll	SaveDC
ole32.dll	CoInitialize
comctl32.dll	ImageList_Add
shell32.dll	SHGetFileInfoA
comdlg32.dll	GetOpenFileNameA

Version Infos

Description	Data
LegalCopyright	PainteR
InternalName	Universal Adobe Patcher
FileVersion	2.0.0.0
CompanyName	PainteR
ProductName	Universal Adobe Patcher
ProductVersion	2.0.0.0
FileDescription	Universal Adobe Patcher
OriginalFilename	adobesnr.exe
Translation	0x0419 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• adobe.snr.patch.v2.0-painter.exe

Click to jump to process

Memory Usage

• adobe.snr.patch.v2.0-painter.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

System Behavior

Analysis Process: adobe.snr.patch.v2.0-painter.exe PID: 6860 Parent PID: 5692

Function Logs

General

Start time:	20:57:48
Start date:	15/12/2020
Path:	C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\adobe.snr.patch.v2.0-painter.exe'
Imagebase:	0x400000
File size:	601600 bytes
MD5 hash:	B31679DB7DB878992B4553290A9E6C7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Written

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report adobe.snr.patch.v2.0-painter.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: adobe.snr.patch.v2.0-painter.exe PID: 6860 Parent PID: 5692

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Directory Queried

Volume Information Queried

Device IO

Section Activities