6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49

General

Target

6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
Size

2.6MB
MD5

21bfbbd8990a2b32f74f609f733fad97
SHA1

afee8492d97800b3fe85862b36f8df9581170b96
SHA256

6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49
SHA512

bfc83be6ca09f2d24b9405f742642e004eb3ffa0aa0aef0ce4ae0fe0c40fde440941582c8cb310833d2d3637727f16efa7a7738939d10ad9c3288a2cfdbf2b20
SSDEEP

49152:UWzOOR4X1he1HxU25LBcD08KGbNLeGMb4un:UOR4FheA25LBcJR5I0k

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Officemirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe"	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mircOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe"	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll 6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

Drops file in Program Files directory 64 IoCs

Processes:

6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\WindowsOperating.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\MicrosoftOffice.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\VisualStudioTools.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\OfficeInfoPath.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\MicrosoftWindows.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\OperatingWindows.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\SQLCEERServer.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\MicrosoftOffice.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\MsAddnDrLibrary.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\WkconvMicrosoft.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\MicrosoftSystem.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\MicrosoftHelp.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\VisualStudioMicrosoft.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\Microsoftmsinfo.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\System\ado\it-IT\Operatingmsader15.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\Windowsmpasdesc.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\InstallerApplication.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\GlobalElements14.0.4730.1010.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\DialogAdobe9.0.0.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\SystemSystem.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\OfficeInfoPath.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservicemaintenanceserviceinstaller75.0.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\setupwmSystme.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\MSMAPI\1033\Microsoftmsmapi3214.0.4760.1000.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\msadcormsdaremr6.1.7601.17514.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\de-DE\WORDPADBetriebssystem.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Windows Mail\SystemMSOERES.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\OfficeMicrosoft.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\HelpHXDSUI.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\VisualStudioMicrosoft.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\MicrosoftSendToOneNotePrintDriverFilter.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\DialogAdobe9.0.0.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\infintlOffice.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vstaep32Visual.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\Naturalmsgr3es.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\InfoPathOffice.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\MSDIA100Visual.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Systmedexploitation.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\mpclientOperating.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\CustomerSupport.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdasqlrmsdasqlr6.1.7600.163857.0907131255.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipTsfOperating6.1.7600.163857.0907131255.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\MsAddnDrLibrary.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\StudioMicrosoft2.0.50727.200.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\BetriebssystemMicrosoft6.1.7600.16385.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\dexploitationdexploitation.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\msb1xtorwtsp61ms.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\WkconvMicrosoft.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\System\it-IT\MicrosoftSistema.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msadcormsdaremr6.1.7600.16385.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\MicrosoftANALYS3214.0.4756.1000.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\UpdaterAdobeUpdater.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\SystemSystem.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\MicrosoftSendToOneNotePrintDriverFilter.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXD8D5.tmp	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\TTSFrontEndENUMicrosoft.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\VisualStudioTools.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Windows Defender\mpclientOperating.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\MicrosoftDAO360.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\HelpHXDSUI.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\TipTsfWindows6.1.7600.163857.0907131255.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\sbdropsbdrop.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\BasicVisual.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\OperatingWindows.exe	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

pid	process
484	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
484	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
484	6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe

C:\Users\Admin\AppData\Local\Temp\6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe
"C:\Users\Admin\AppData\Local\Temp\6837f75a51ba2fdebe7ef66fbd67d4e132e53148fc926abcb0672fbaa41a3c49.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:484