8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5

General

Target

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Size

2.1MB
MD5

51cbf4fc5c5b7631ccc79e268da1b515
SHA1

b0a6392f2950d072da1ac99025e57fc05bf397a4
SHA256

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5
SHA512

157d0dd07d0da51a41c6a197e32f3debe75bdbecee5b4ae63407a6b46c0d217364eaff45c3539facd52cd3f9f08a19354a6143b6123c2d13b5b274491b8677e3
SSDEEP

24576:EVYbWzOKQ220xXlH1QnxBdabsM8KGH7Co0OLeGrIocE5lArjPPc:1WzOM20Zlcd08KGbNLeGMb4unc

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe"	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe"	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll 8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

Drops file in Program Files directory 64 IoCs

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\WindowsSystme.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\104.0.1293.47\EBWebView\x64\WebViewEdge.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\libEGLProxy.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\mIRCmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\mIRCmIRC.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\Windowsmsinfo10.0.19041.1110.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\ControlBrowser.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\mIRCmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\WidevineCdm\_platform_specific\win_x64\mircmIRC6.34.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\mircmirc1.824.29.8644.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsrmsdaremr.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\qrcodepmppdf417pmp.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\resourcesUIAutomationClientsideProviders.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\FrameworkEntity.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\ClientEdge.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\WindowsWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\learningtoolsStudio.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\104.0.1293.47\EBWebView\x86\WebViewEmbedded.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\mIRCmirc6.34.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\mIRCmirc6.34.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\AdobeAcrobat.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\ja-JP\SystemMicrosoft.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Google\Update\Install\{37BCB7E1-6DF3-4935-9CF6-805CF8E35892}\GoogleChrome.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\System\it-IT\operativoWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\operativoWAB32res.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.165.21\UpdateMicrosoft.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EscriptIA3219.10.20064.310990.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\mIRCmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Mail\mIRCWABIMP.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\widevinecdmDecryption4.10.2209.0.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\playreadycdmMicrosoft.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\dexploitationresources.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\mIRCmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\mIRCmirc6.34.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\SystemSystem10.0.19041.1.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\mIRCReachFramework.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\mircmIRC.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\ResourceUpdate.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DA88B731-B926-4911-B8B3-75C39184D83C}\Microsoftmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\EBWebView\x86\WebViewMicrosoft.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.165.21\UpdateMicrosoft.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\mIRCmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VisualmIRC.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\Createmirc6.34.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msdaprstmsdfmap.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\Installer\setupexeEdge.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Windows Mail\WindowsWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\SystemWindows.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\mircmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\mIRCmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\BHO\mircietoedgebho64dll.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\mircmIRC.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\mIRCEdge.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceserviceinstallermirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\es-ES\msader15Operating.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\Embeddedmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\104.0.1293.47\WidevineCdm\_platform_specific\win_x64\widevinecdmDecryption.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\mIRCAcrobat.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleGoogleoppdatering.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\Windowsmsinfo.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPPWindowsMedia.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\mIRCmirc6.34.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{DA88B731-B926-4911-B8B3-75C39184D83C}\Microsoftmirc.exe	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

pid	process
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
1424	8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe

C:\Users\Admin\AppData\Local\Temp\8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe
"C:\Users\Admin\AppData\Local\Temp\8e051762af9e788f3a4c3d29171e995a4fcc0ed8f4516a015a06a20c2465c1b5.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1424