95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6

General

Target

95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
Size

2.6MB
MD5

09a4b5da5c1e7fe7ac8c2568b3c0acb9
SHA1

0f51fb65a6f69c2e906466f3928861d8818e8c59
SHA256

95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6
SHA512

471bc062459cae8a7d1ca04e7e4f017cd0a6baf07d9f076b966da066ec469d118024d6258f0a3927c0d80934a52e9ca9eccb710e660fc04d0302f536dd1b13d5
SSDEEP

24576:RVYbWzOjX8hyE23Z5EU1JQnxBqabsM8KGH7Co0OLeGrIocE5lArjPPF:4WzOQyrZOU+q08KGbNLeGMb4unF

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Officemirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe"	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mircOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe"	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll 95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

Drops file in Program Files directory 64 IoCs

Processes:

95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX82D7.tmp	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\MSOSVINTMsoSVInt.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\WindowsMicrosoft.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\LinqData.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\UpdateUpdate.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\AiodAcrobat.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\Microsoftmsinfo.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\System\ado\Systemmsader15.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\FormsInternet9.0.0.2008061200.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\resourcesruntime.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\MicrosoftRHXDSUI2.05.50727.4039.0507274000.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\SystemWindows.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\operativoTipRes.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\WindowsWindows.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\mpasdescmpasdesc.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\MicrosoftMicrosoft.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffiltFormat.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\MicrosoftWindows.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vstaep32vstaep32.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\TTSEngineLocMicrosoft.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\OfficeOffice.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\WindowsWindows.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\MicrosoftOutlook.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\transmgrOutlook.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\SystemOperating6.1.7600.16385.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\mpasdescmpasdesc.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\Windowssbdrop.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\VSTAProjectStudio.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\MicrosoftVisual.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Filters\odffiltFormat.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\Languagemsgr3en.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\OfficeMicrosoft.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\MicrosoftOffice14.0.4750.1000.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsgdexploitation.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\RealFlash8.0.0.0.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\OfficeMicrosoft.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\msb1xtorMicrosoft.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\dexploitationdexploitation.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Windows Media Player\WindowsWindows.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\WindowsWindows.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\MicrosoftMicrosoft2.05.50727.4039.0507274000.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\System\ado\es-ES\OperatingSystem.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\ComRPCChannelMicrosoft.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\WAB32resoperativo.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\mpasdescMpEvMsg.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\Studiovstoee.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\MicrosoftOffice14.0.4750.1000.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsgdexploitation.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\MicrosoftMicrosoft.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\MicrosoftTableTextService.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\InstallerChrome.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceserviceinstallermaintenanceserviceinstaller.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\resourcesruntime.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\jsprofileruijsprofilerui.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\UpdateUpdate.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\sbdropWindows.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\mshy7frmssp7es.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\setupwmwmplayer.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\systemPresentationBuildTasks.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\AUTOSHAPMediaStore.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\NaturalComponents.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\ToolsVisualStudio9.0.30729.4130.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\SetupSmall.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\MicrosoftOutlook.exe	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

pid	process
1828	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
1828	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
1828	95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe

C:\Users\Admin\AppData\Local\Temp\95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe
"C:\Users\Admin\AppData\Local\Temp\95635e5cf3fda6f466f3e5a35bc60d03f6d647272f28bb1df49a02b20b844fc6.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1828