File 604dc2651140b591_adobe_updater.exe

Size 2.9MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ed3d701c87f57e3c09a6a095005c58df
SHA1 3aef5ddeb3f52559e10eb939b3bf904bb18165c8
SHA256 604dc2651140b59135259143a40dfd31c49528577325898df190535b80c47f5a
SHA512 2aa710bc53ecfc45e09b367be003a4b7f09ce01986f77097083adb046826ce91405942e162554ac565164751b18ccd832eda9a0c2fdc0b0e5aec47fe87eb110b
CRC32 634FBC5A
ssdeep None
PDB Path c:\coretech\source\roxy\aum\public\aum\binaries\windows\release\Adobe_Updater.pdb
Yara
  • anti_dbg - Checks if being debugged
  • network_http - Communications over HTTP
  • network_tcp_socket - Communications over RAW socket
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID:6433156


Information on Execution

Analysis
Category: FILE
Started: May 11, 2025, 4:23 a.m.
Completed: May 11, 2025, 4:32 a.m.
Duration: 532 seconds
Routing: internet

Analyzer Log

2025-05-05 12:11:15,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpdyrg_l
2025-05-05 12:11:15,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\wzdbtsSZVmoiAgdaI
2025-05-05 12:11:15,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\GkGDKuvVAAeZyTLOkiDeNQLyhSs
2025-05-05 12:11:15,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-05-05 12:11:15,030 [analyzer] INFO: Automatically selected analysis package "exe"
2025-05-05 12:11:15,296 [analyzer] DEBUG: Started auxiliary module Curtain
2025-05-05 12:11:15,296 [analyzer] DEBUG: Started auxiliary module DbgView
2025-05-05 12:11:15,780 [analyzer] DEBUG: Started auxiliary module Disguise
2025-05-05 12:11:16,015 [analyzer] DEBUG: Loaded monitor into process with pid 500
2025-05-05 12:11:16,015 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-05-05 12:11:16,015 [analyzer] DEBUG: Started auxiliary module Human
2025-05-05 12:11:16,015 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-05-05 12:11:16,015 [analyzer] DEBUG: Started auxiliary module Reboot
2025-05-05 12:11:16,078 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-05-05 12:11:16,078 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-05-05 12:11:16,078 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-05-05 12:11:16,078 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-05-05 12:11:16,265 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\604dc2651140b591_adobe_updater.exe' with arguments '' and pid 1372
2025-05-05 12:11:16,530 [analyzer] DEBUG: Loaded monitor into process with pid 1372
2025-05-05 12:11:16,655 [analyzer] INFO: Added new file to list with pid 1372 and path C:\Users\Administrator\AppData\Local\Adobe\Updater6\AdobeUpdaterPrefs.dat
2025-05-05 12:11:16,671 [analyzer] INFO: Added new file to list with pid 1372 and path C:\Users\Administrator\AppData\Local\Adobe\Updater6\aum.log
2025-05-05 12:11:17,015 [analyzer] INFO: Added new file to list with pid 1372 and path C:\Users\Administrator\AppData\Local\Adobe\Updater6\AUTrans.xml_
2025-05-05 12:11:17,046 [analyzer] INFO: Added new file to list with pid 1372 and path C:\Users\Administrator\AppData\Local\Adobe\Updater6\AUTrans.sig
2025-05-05 12:14:35,296 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-05-05 12:14:36,592 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-05-05 12:14:36,592 [lib.api.process] INFO: Successfully terminated process with pid 1372.
2025-05-05 12:14:36,625 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-05-11 04:23:10,130 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:11,162 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:12,195 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:13,217 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:14,244 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:15,281 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:16,306 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:17,332 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:18,358 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:19,385 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:20,409 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:21,533 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:22,575 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:23,619 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:24,670 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:25,714 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:26,757 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:27,833 [cuckoo.core.scheduler] DEBUG: Task #6433789: no machine available yet
2025-05-11 04:23:29,156 [cuckoo.core.scheduler] INFO: Task #6433789: acquired machine win7x6430 (label=win7x6430)
2025-05-11 04:23:29,160 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.230 for task #6433789
2025-05-11 04:23:29,418 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3413200 (interface=vboxnet0, host=192.168.168.230)
2025-05-11 04:23:32,532 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6430
2025-05-11 04:23:32,987 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6430 to vmcloak
2025-05-11 04:25:45,750 [cuckoo.core.guest] INFO: Starting analysis #6433789 on guest (id=win7x6430, ip=192.168.168.230)
2025-05-11 04:25:46,755 [cuckoo.core.guest] DEBUG: win7x6430: not ready yet
2025-05-11 04:25:51,779 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6430, ip=192.168.168.230)
2025-05-11 04:25:51,846 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6430, ip=192.168.168.230, monitor=latest, size=6660546)
2025-05-11 04:25:53,312 [cuckoo.core.resultserver] DEBUG: Task #6433789: live log analysis.log initialized.
2025-05-11 04:25:54,261 [cuckoo.core.resultserver] DEBUG: Task #6433789 is sending a BSON stream
2025-05-11 04:25:54,758 [cuckoo.core.resultserver] DEBUG: Task #6433789 is sending a BSON stream
2025-05-11 04:25:55,345 [cuckoo.core.resultserver] DEBUG: Task #6433789: File upload for 'files/d7d1d900e0da4705_AUTrans.xml_'
2025-05-11 04:25:55,349 [cuckoo.core.resultserver] DEBUG: Task #6433789 uploaded file length: 261
2025-05-11 04:25:55,361 [cuckoo.core.resultserver] DEBUG: Task #6433789: File upload for 'files/e3b0c44298fc1c14_AdobeUpdater.aum'
2025-05-11 04:25:55,363 [cuckoo.core.resultserver] DEBUG: Task #6433789 uploaded file length: 0
2025-05-11 04:25:55,493 [cuckoo.core.resultserver] DEBUG: Task #6433789: File upload for 'shots/0001.jpg'
2025-05-11 04:25:55,508 [cuckoo.core.resultserver] DEBUG: Task #6433789 uploaded file length: 133515
2025-05-11 04:25:56,606 [cuckoo.core.resultserver] DEBUG: Task #6433789: File upload for 'shots/0002.jpg'
2025-05-11 04:25:56,623 [cuckoo.core.resultserver] DEBUG: Task #6433789 uploaded file length: 138690
2025-05-11 04:26:07,926 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:26:23,096 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:26:38,414 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:26:53,514 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:27:08,652 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:27:23,734 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:27:38,851 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:27:54,007 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:28:09,121 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:28:24,211 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:28:39,554 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:28:54,699 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:29:09,812 [cuckoo.core.guest] DEBUG: win7x6430: analysis #6433789 still processing
2025-05-11 04:29:14,177 [cuckoo.core.resultserver] DEBUG: Task #6433789: File upload for 'curtain/1746440075.56.curtain.log'
2025-05-11 04:29:14,183 [cuckoo.core.resultserver] DEBUG: Task #6433789 uploaded file length: 36
2025-05-11 04:29:15,028 [cuckoo.core.resultserver] DEBUG: Task #6433789: File upload for 'sysmon/1746440076.48.sysmon.xml'
2025-05-11 04:29:15,134 [cuckoo.core.resultserver] DEBUG: Task #6433789 uploaded file length: 11293810
2025-05-11 04:29:15,155 [cuckoo.core.resultserver] DEBUG: Task #6433789: File upload for 'files/ac3fbfe71318488f_autrans.sig'
2025-05-11 04:29:15,157 [cuckoo.core.resultserver] DEBUG: Task #6433789 uploaded file length: 32
2025-05-11 04:29:15,158 [cuckoo.core.resultserver] DEBUG: Task #6433789: File upload for 'files/2a1bae790bbdc314_aum.log'
2025-05-11 04:29:15,159 [cuckoo.core.resultserver] DEBUG: Task #6433789 uploaded file length: 779
2025-05-11 04:29:15,161 [cuckoo.core.resultserver] DEBUG: Task #6433789: File upload for 'files/33307967def22108_adobeupdaterprefs.dat'
2025-05-11 04:29:15,162 [cuckoo.core.resultserver] DEBUG: Task #6433789 uploaded file length: 384
2025-05-11 04:29:15,188 [cuckoo.core.resultserver] DEBUG: Task #6433789 had connection reset for <Context for LOG>
2025-05-11 04:29:15,843 [cuckoo.core.guest] INFO: win7x6430: analysis completed successfully
2025-05-11 04:29:15,857 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-05-11 04:29:15,889 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-05-11 04:29:16,538 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6430 to path /srv/cuckoo/cwd/storage/analyses/6433789/memory.dmp
2025-05-11 04:29:16,540 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6430
2025-05-11 04:32:01,298 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.230 for task #6433789
2025-05-11 04:32:02,626 [cuckoo.core.scheduler] DEBUG: Released database task #6433789
2025-05-11 04:32:02,663 [cuckoo.core.scheduler] INFO: Task #6433789: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
rule anti_dbg: Checks if being debugged
rule network_http: Communications over HTTP
rule network_tcp_socket: Communications over RAW socket
rule escalate_priv: Escalade priviledges
rule screenshot: Take screenshot
rule keylogger: Run a keylogger
rule win_mutex: Create or check mutex
rule win_registry: Affect system registries
rule win_token: Affect system token
rule win_files_operation: Affect private profile
This executable has a PDB path (1 event)
pdb_path c:\coretech\source\roxy\aum\public\aum\binaries\windows\release\Adobe_Updater.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
API: GlobalMemoryStatusEx (status 1, return 1, repeated 0)
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .data1
The file contains an unknown PE resource name possibly indicative of a packer (1 event)
resource name None
A process attempted to delay the analysis task. (1 event)
description 604dc2651140b591_adobe_updater.exe tried to sleep 180 seconds, actually delayed analysis time by 180 seconds
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
API: GetAdaptersAddresses (status 1, return 0, repeated 0)
  flags: 46
  family: 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section .reloc (virtual_address 0x00246000, virtual_size 0x000b6000, size_of_data 0x000b5000, entropy 7.59184078002): A section with a high entropy has been found
entropy 0.240013260401: Overall entropy of this PE file is high
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (10 events)
API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x00000384
  regkey_r: WpadDecisionReason
  reg_type: 4 (REG_DWORD)
  value: 1
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionReason

API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x00000384
  regkey_r: WpadDecisionTime
  reg_type: 3 (REG_BINARY)
  value: ‚ìû0¿½Û
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionTime

API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x00000384
  regkey_r: WpadDecision
  reg_type: 4 (REG_DWORD)
  value: 0
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecision

API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x00000384
  regkey_r: WpadNetworkName
  reg_type: 1 (REG_SZ)
  value: Network
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadNetworkName

API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x000001c0
  regkey_r: WpadDecisionReason
  reg_type: 4 (REG_DWORD)
  value: 1
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason

API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x000001c0
  regkey_r: WpadDecisionTime
  reg_type: 3 (REG_BINARY)
  value: ‚ìû0¿½Û
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime

API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x000001c0
  regkey_r: WpadDecision
  reg_type: 4 (REG_DWORD)
  value: 0
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision

API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x000001c0
  regkey_r: WpadDecisionReason
  reg_type: 4 (REG_DWORD)
  value: 1
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason

API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x000001c0
  regkey_r: WpadDecisionTime
  reg_type: 3 (REG_BINARY)
  value: ‚ìû0¿½Û
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime

API: RegSetValueExW (status 1, return 0, repeated 0)
  key_handle: 0x000001c0
  regkey_r: WpadDecision
  reg_type: 4 (REG_DWORD)
  value: 0
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
File has been identified by 10 AntiVirus engines on IRMA as malicious (10 events)
G Data Antivirus (Windows) Virus: Win32.Expiro.Gen.7 (Engine A)
Avast Core Security (Linux) Win32:Expiro-HI [Inf]
WithSecure (Linux) Malware.W32/Infector.Gen
eScan Antivirus (Linux) Win32.Expiro.Gen.7(DB)
ESET Security (Windows) a variant of Win32/Expiro.CT virus
Sophos Anti-Virus (Linux) W32/Moiva-A
DrWeb Antivirus (Linux) Win32.Expiro.153
Bitdefender Antivirus (Linux) Win32.Expiro.Gen.7
Kaspersky Standard (Windows) Virus.Win32.Moiva.a
Emsisoft Commandline Scanner (Windows) Win32.Expiro.Gen.7 (B)
Screenshots
Domains (Name, Response, Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address, Status, Action, VT, Location): No hosts contacted.