9aa652e6e3f1568836b53a3329bf33fa8cd2fab103cb13de5e76f71b98fa518a

Analysis

max time kernel
182s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ff63fa93084d1cd258752238a5e11c80.exe
Size

2.4MB
MD5

ff63fa93084d1cd258752238a5e11c80
SHA1

194be21c87c3f83c06160995fb58e97ff4183a66
SHA256

9aa652e6e3f1568836b53a3329bf33fa8cd2fab103cb13de5e76f71b98fa518a
SHA512

6603f44c409cf22adb6e7dfbe860579215339f8bbfe10e43cea173f9aca7636d1d6ea580ceecc3ae7680f7fce704d25df381dc448a58ac4d9cee8192211be3f5
SSDEEP

49152:48YE4O8b8ITDnlckqeEXGF+6z8zmqtqCK3RTeyay+hviOZ8afQf2Pyn8:Jptrw+6zEmqtqCKkT6OW8

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.ff63fa93084d1cd258752238a5e11c80.exe"	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.ff63fa93084d1cd258752238a5e11c80.exe"	NEAS.ff63fa93084d1cd258752238a5e11c80.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	NEAS.ff63fa93084d1cd258752238a5e11c80.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\OfficeMicrosoft.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCX9D50.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod19.8.20071.303822.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Common Files\System\ado\en-US\msader15System.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\NPPDF32Adobe.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderAdobeARM.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\RCX3D09.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX4558.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXA5DC.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\AdobeWindowsMedia.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64Lilo.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImplControl.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\WAB32resSystme.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoeevstoee10.0.60828.0.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64Lilo.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\StudioVSTOInstaller.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoeevstoee10.0.60828.0.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\textExtendScript15.7.20033.133275.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderAdobeARM.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX5FC8.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\AcrobatAdobe.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fr-FR\RCX2CD7.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\RCX3AC5.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX4509.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\ClientWebView.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\en-US\RCX3B24.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\textExtendScript15.7.20033.133275.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXA62B.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXADCD.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fr-FR\WAB32resSystme.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RCX2D85.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\RCX45B7.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\RCX2D27.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost.exe	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX619D.tmp	NEAS.ff63fa93084d1cd258752238a5e11c80.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NEAS.ff63fa93084d1cd258752238a5e11c80.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe
1908	NEAS.ff63fa93084d1cd258752238a5e11c80.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.ff63fa93084d1cd258752238a5e11c80.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ff63fa93084d1cd258752238a5e11c80.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\textExtendScript15.7.20033.133275.exe

Filesize
2.4MB

MD5
e880ab71335393a09dab7c2110f519ff

SHA1
47ccc55de8691f884631c3955a032c176f736e58

SHA256
ba0b0c7e47caccfcdb3f7d3c10fda67cbdfdf9616db1fdbaeb51d691865f096b

SHA512
0c2568c34935f7a1db7d0f91e5c71d018a11b792d1dcbbca1f7951722877c6146fc1aae0c53e5a94e021b77cc09d541669a9da98cdbf0cdcadae1aed7e364da3

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderAdobeARM.exe

Filesize
2.7MB

MD5
ad73adddd8ab931e0fa55ea41b952017

SHA1
b6e609533aeed66255d019cf07b9b351bf2e7da2

SHA256
5a7e0f3547e0931231b76d2c63ba75e893e24105b7ac240ca54519d18a4f12c8

SHA512
1e725246b5ca267b8b9fa93c3785bbf5bcb25cf15a95b9964ecaa46e6b969a85f257d222cef3b7d8e95cfa58fe209ee8090d61d1a02d65974b697663c8b28f8d

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\RCX45B7.tmp

Filesize
2.4MB

MD5
3a163551d240222ab078355c66b97044

SHA1
83c5161a4eb281b65a48da3ce389eff8209cf9ad

SHA256
1c06d5a7e2e16c3adfef67fe5f4b7f527029fb2b360ec63de19aaa3ad71149bf

SHA512
232305bc5e6e1a13cbcb0b6298335d322f5d67ef547d182dfc79a2463a8c9b5e6504ee8ac0bac630063e984df8458c77dad33624eb7b0034e419e2681cfa0d0a

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RCX2D85.tmp

Filesize
2.4MB

MD5
e6b97052624e93c1f7b44e386b13440d

SHA1
e8dbaf28ef5d85f42eccf7bc9be859ca25df7050

SHA256
da14fcc8f3c7f6adbd56418344d0a5bba67f58917595125eee793db4b90e2f2e

SHA512
1c0439b6413824cd29043f04b8e6bb71808e42bb265d42784d4ad469cfe9cba31aefa79e9833e5449ab0bae1c61d0571f1e8fbbc8b290a66a80033fed954c9ef

Download Submit
C:\Program Files (x86)\Common Files\System\fr-FR\WAB32resSystme.exe

Filesize
2.4MB

MD5
ff63fa93084d1cd258752238a5e11c80

SHA1
194be21c87c3f83c06160995fb58e97ff4183a66

SHA256
9aa652e6e3f1568836b53a3329bf33fa8cd2fab103cb13de5e76f71b98fa518a

SHA512
6603f44c409cf22adb6e7dfbe860579215339f8bbfe10e43cea173f9aca7636d1d6ea580ceecc3ae7680f7fce704d25df381dc448a58ac4d9cee8192211be3f5

Download Submit