8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5

General

Target

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Size

2.1MB
MD5

51cbf4fc5c5b7631ccc79e268da1b515
SHA1

b0a6392f2950d072da1ac99025e57fc05bf397a4
SHA256

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5
SHA512

157d0dd07d0da51a41c6a197e32f3debe75bdbecee5b4ae63407a6b46c0d217364eaff45c3539facd52cd3f9f08a19354a6143b6123c2d13b5b274491b8677e3
SSDEEP

24576:EVYbWzOKQ220xXlH1QnxBdabsM8KGH7Co0OLeGrIocE5lArjPPc:1WzOM20Zlcd08KGbNLeGMb4unc

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mircOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe"	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Officemirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe"	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll 8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

Drops file in Program Files directory 64 IoCs

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\WindowsTipRes.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\osppcextOffice.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\WindowsSystem6.1.7600.16385.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\SQLCESEServer.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\HXDSUIHelp.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\SystemWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\resourcesUIAutomationClient.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\System\ja-JP\SystemOperating.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\WindowsOperating.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\OARPMANRalrtintl.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\Operatingmsinfo.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceserviceinstallermaintenanceservice.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ANALYS32Office.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\BuildingBuiltIn.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\moflOffice14.0.4760.1000.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\OperatingSystem.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\osppcextOffice.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\Sistemasbdrop.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\EntityLinq3.5.30729.5420.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\OARPMANRalrtintl.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\InterfacesServer.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\ExplorerInternet.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\WindowsSystem6.1.7600.16385.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\SQLCESEServer.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\CurrencyMoneyCentral11027.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\EntityLinq3.5.30729.5420.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\Microsoftmstore10.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcqSystem.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\MicrosoftPhotoViewer6.1.7600.163857.0907131255.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\ElementsGlobal.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\Operatingmsinfo.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\WindowsWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\SynchronizationSqlServerCe.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\VisualVisual.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLibfiles.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\MicrosoftVisualStudio.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\it-IT\Windowsmsaddsr.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\MicrosoftPhotoViewer6.1.7600.163857.0907131255.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Systemresources3.0.6920.5011.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\AUTOSHAPAutoShap.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\msinfoSystem.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFrameworkserialization.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\OfficeLINES.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcorWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\WindowsWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\SystemOperating.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\Languagemslid.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\operativosqloledb.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathMicrosoft14.0.4750.1000.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\InkObjWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\VisualVSTAProject8.0.50727.200.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\WindowsWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\VisualVisual.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\dexploitationdexploitation.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\AddInDesignerObject.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcorWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\Languagemslid.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\systemMicrosoft.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\MicrosoftPhotoViewer.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\ToolsMicrosoft10.0.21022.1.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\TTSEngineLocEngine.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\WAB32resWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\SmallSmall.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\msinfoWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

pid	process
2032	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
2032	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
2032	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

C:\Users\Admin\AppData\Local\Temp\8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
"C:\Users\Admin\AppData\Local\Temp\8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2032