6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8

General

Target

6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
Size

2.9MB
MD5

025ff903f8f2ff90f159a4a24cb7a055
SHA1

01e786c21b0df87495eab4202d72dbbcc91d220e
SHA256

6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8
SHA512

d18779830e72a5ab9937a6061a64741d207478bca12f4125adff2c67dcbaf1c0d589f41ea3f436b814f803bc45070dcab9151b53a8c9de3956aecebf215f4eed
SSDEEP

49152:/WzOlzcD1b42rrCMMp7408KGbNLeGMb4un:/mDW2rrCMMJMR5I0k

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mircOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe"	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Officemirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe"	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll 6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

Drops file in Program Files directory 64 IoCs

Processes:

6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\Windowsmsinfo.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sqmapiSystem.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\ClientMicrosoft14.0.4731.1000.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\MicrosoftMicrosoft.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\WindowsMicrosoft6.1.7600.163857.0907131255.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\BasicVisual7.00.1590.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\MicrosoftMicrosoft.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\SistemaSystem12.0.7600.16385.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\it-IT\SistemaMicrosoft.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\MicrosoftMSDIA100.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\AdobeNPPDF32.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\SynchronizationFramework.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\WindowsSystem6.1.7600.16385.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\ClientMicrosoft14.0.4731.1000.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\TableTextServiceOperating.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VisualVSTAProjectUI.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\odeployOffice.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\MsGr3FrLanguage.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaremrSystem.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\WindowsWindows.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\Identificationmslid.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\MicrosoftFPSrvUtl.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\Systemmsinfo6.1.7600.16385.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXACA6.tmp	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\SystemConversion3.5.30729.542071.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\WindowsWindows.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\System\it-IT\SistemaMicrosoft.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\WindowsSystem6.1.7600.16385.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXA91C.tmp	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\es-ES\MicrosoftWinMail.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\UpdaterAdobeUpdaterInstallMgr.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\MicrosoftCagCat10.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoeeVisual.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\CustomerSupport10172.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\Microsoftoperativo.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoeeVisual.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\OperatingWindows6.1.7601.17514.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\TableTextServiceSystem.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\operativompasdesc.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\dexploitationWAB32res.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\SistemaSystem12.0.7600.16385.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\HelpMicrosoft.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\WinMailWindows.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\dexploitationwordpad6.1.7600.163857.0907131255.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\System\ado\msadrh15Windows.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\MicrosoftWindows.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\AdobeNPPDF32.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\WindowsWindows.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fr-FR\dexploitationWAB32res.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MicrosoftEQNEDT32.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\dexploitationwordpad6.1.7600.163857.0907131255.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\Windowsmicaut.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\Windowsmsinfo.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\operativompasdesc.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\Betriebssystemwordpad.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows Sidebar\it-IT\Windowssidebar1.0.7600.16385.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\odeployOffice.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\AdobeInstaller.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\Systemwmplayer.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ContactPickerIntlExpToOWS14.0.4756.1000.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\ToolsExcel.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\DesktopSistema.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteUISendToOneNotePrintDriverUI.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\Systemmicaut.exe	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

pid	process
1476	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
1476	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
1476	6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe

C:\Users\Admin\AppData\Local\Temp\6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe
"C:\Users\Admin\AppData\Local\Temp\6ebe1da3948bf0202e2a7c8de9895ae04acee8b76af612bd3bd68472d89181a8.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1476