2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20

Analysis

max time kernel
6s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 17:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe
Size

916KB
MD5

a43c64002f14cc7e327166e497d21d0e
SHA1

58a35bafa8cbe155cd63823b5a523eba09e1f8ea
SHA256

2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20
SHA512

e903491c392b42a48a9c6993f71c826cbcb093a61904a54b948fc2f4906f1c998e22398dbd09c23933757ff9b97b04cfe6cfc2b84d819e8cf9edb5d7abf59bcf
SSDEEP

24576:lgZXoZUTVdt7KEA1SZsflCxjah+6Vr2x3aAq12JQf8fe:QASclC4AxKAB+Efe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe

Executes dropped EXE 5 IoCs

pid	Process
4984	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
3020	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
3536	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
3032	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
4620	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe
File created	C:\Program Files (x86)\Sep\PAGAMENTO_COMMISSIONI_MBS_Settembre_MG.pdf	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe
File opened for modification	C:\Program Files (x86)\Sep\PAGAMENTO_COMMISSIONI_MBS_Settembre_MG.pdf	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe
File opened for modification	C:\Program Files (x86)\Sep	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe
File created	C:\Program Files (x86)\Sep\__tmp_rar_sfx_access_check_240608500	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe
File created	C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\Local Settings	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3436	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3436	AcroRd32.exe
3436	AcroRd32.exe
3436	AcroRd32.exe
3436	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3436	4736	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe	86
PID 4736 wrote to memory of 3436	4736	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe	86
PID 4736 wrote to memory of 3436	4736	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe	86
PID 4736 wrote to memory of 4984	4736	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe	88
PID 4736 wrote to memory of 4984	4736	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe	88
PID 4736 wrote to memory of 4984	4736	2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe	88
PID 3020 wrote to memory of 3536	3020	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	90
PID 3020 wrote to memory of 3536	3020	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	90
PID 3020 wrote to memory of 3536	3020	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	90
PID 3032 wrote to memory of 4620	3032	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	92
PID 3032 wrote to memory of 4620	3032	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	92
PID 3032 wrote to memory of 4620	3032	sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	92

C:\Users\Admin\AppData\Local\Temp\2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe
"C:\Users\Admin\AppData\Local\Temp\2d2ce6729c02c033ffbf783cccc7fd592e7a672926a9f84919205b11e4b94e20.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Program Files (x86)\Sep\PAGAMENTO_COMMISSIONI_MBS_Settembre_MG.pdf"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3436
- C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
  "C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe"
  2⤵
  - Executes dropped EXE
  PID:4984

C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
"C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe" /service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
  "" "/runsupportversion"
  2⤵
  - Executes dropped EXE
  PID:3536

C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
"C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe" /service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
  "" "/runsupportversion"
  2⤵
  - Executes dropped EXE
  PID:4620
- - C:\ProgramData\Anyplace Control Support\hcs.exe
    "C:\ProgramData\Anyplace Control Support\hcs.exe" "/effects=onC:\ProgramData\Anyplace?Control?Support\apc-settings.ini"
    3⤵
    PID:4424
- - C:\ProgramData\Anyplace Control Support\hcs.exe
    "C:\ProgramData\Anyplace Control Support\hcs.exe" "/theme=onC:\ProgramData\Anyplace?Control?Support\apc-settings.ini"
    3⤵
    PID:1484
- - C:\ProgramData\Anyplace Control Support\hcs.exe
    "C:\ProgramData\Anyplace Control Support\hcs.exe" "/wallpaper=on"
    3⤵
    PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sep\PAGAMENTO_COMMISSIONI_MBS_Settembre_MG.pdf

Filesize
30KB

MD5
d033511d0d69d7c6e3a64eb523370f52

SHA1
71a5bc6e6d1b7300a5c0cfdcfa303c9568bf772b

SHA256
849476bfafb0481bd33b970e6a2cc312d0bdcb8f52a7baff083691bcfd096162

SHA512
836671e248b3c003b8909626927cbb285f8dcaff5c8dc4930771976d4744c0a800d2ba1a963f8ed886de873daef2926edeb34c53f385a80ce11d7235d7defd25

Download Submit
C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito1-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\ProgramData\Anyplace Control Support\apcErrorsLog.txt

Filesize
437B

MD5
eddddccd2499f058ca622f1824403a2b

SHA1
fd60d8578abd56469c5cb1db14ada298ba558204

SHA256
52155b3fc2a42bf775e13f466bc7bc1d987362fea87aedab0168c1ed7084ba06

SHA512
039755d01e521455bff37fd0652c3ae1024fb254d351af687d7ffed94dbed4020c4c269c0816247b70ae7bb880a67966381604fd4823ebc4ef74927bbd30914c

Download Submit
C:\ProgramData\Anyplace Control Support\apcErrorsLog.txt

Filesize
437B

MD5
eddddccd2499f058ca622f1824403a2b

SHA1
fd60d8578abd56469c5cb1db14ada298ba558204

SHA256
52155b3fc2a42bf775e13f466bc7bc1d987362fea87aedab0168c1ed7084ba06

SHA512
039755d01e521455bff37fd0652c3ae1024fb254d351af687d7ffed94dbed4020c4c269c0816247b70ae7bb880a67966381604fd4823ebc4ef74927bbd30914c

Download Submit
C:\ProgramData\Anyplace Control Support\hcs.exe

Filesize
104KB

MD5
ac5933067b2c38299ae1443331a61511

SHA1
f1176f9bd6540bb4c1d9a7b723a42ff12c98b8b9

SHA256
8c305bb4c07fac5c88ad1906e6195dd8176f7b6e5014e8fb3e081a45161cf72a

SHA512
c53d784fd5d37e1b753b3397711e36aa3f6d323d1c9f82a7a8c6ae4947b21c125a64517ac76278350beee30faa53ef985c975f19007a43766594423bca4f1727

Download Submit
C:\ProgramData\Anyplace Control Support\hcs.exe

Filesize
104KB

MD5
ac5933067b2c38299ae1443331a61511

SHA1
f1176f9bd6540bb4c1d9a7b723a42ff12c98b8b9

SHA256
8c305bb4c07fac5c88ad1906e6195dd8176f7b6e5014e8fb3e081a45161cf72a

SHA512
c53d784fd5d37e1b753b3397711e36aa3f6d323d1c9f82a7a8c6ae4947b21c125a64517ac76278350beee30faa53ef985c975f19007a43766594423bca4f1727

Download Submit
C:\ProgramData\Anyplace Control Support\hcs.exe

Filesize
104KB

MD5
ac5933067b2c38299ae1443331a61511

SHA1
f1176f9bd6540bb4c1d9a7b723a42ff12c98b8b9

SHA256
8c305bb4c07fac5c88ad1906e6195dd8176f7b6e5014e8fb3e081a45161cf72a

SHA512
c53d784fd5d37e1b753b3397711e36aa3f6d323d1c9f82a7a8c6ae4947b21c125a64517ac76278350beee30faa53ef985c975f19007a43766594423bca4f1727

Download Submit
C:\ProgramData\Anyplace Control Support\hcs.exe

Filesize
104KB

MD5
ac5933067b2c38299ae1443331a61511

SHA1
f1176f9bd6540bb4c1d9a7b723a42ff12c98b8b9

SHA256
8c305bb4c07fac5c88ad1906e6195dd8176f7b6e5014e8fb3e081a45161cf72a

SHA512
c53d784fd5d37e1b753b3397711e36aa3f6d323d1c9f82a7a8c6ae4947b21c125a64517ac76278350beee30faa53ef985c975f19007a43766594423bca4f1727

Download Submit
C:\ProgramData\Anyplace Control Support\libspeex.dll

Filesize
166KB

MD5
e10db82c997a756a01b6f954e86b83e0

SHA1
411fca36d8639b0ba78d8b3cfe1421626a33e6b4

SHA256
65a9bbd5b3b9161c0dd61a9e185e391cfa68f31171e1a5fcfad20bcc9eb09480

SHA512
ad3915a619e139a39d9587975f20374852255437fbb31621be94252794beb553ac710ce5fd15ea562be753788c47ff49babd7f5361cb4665e748c8aada01ac8b

Download Submit
C:\ProgramData\Anyplace Control Support\libspeexdsp.dll

Filesize
153KB

MD5
9a8608bb0b654c650743221914d87ac2

SHA1
bc4dde9361fe4170a93e6e9af80cb8a2aaf70f66

SHA256
f15b0408096eafc700fe069b716ffa921854b4e95bed33ad08524a59cc8ad57b

SHA512
ceac4b5b61528832eedfc98c050fda907df88ad9ad342257c2fb2e15d8e185cc1b7f73e0c773950b7a63a5266c900d3ada4d96a2135fa2b791b4577e0f27258f

Download Submit
C:\ProgramData\Anyplace Control Support\sessionID.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\ProgramData\Anyplace Control Support\sessionID.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/3020-24-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3020-22-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3032-37-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3032-39-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3536-25-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3536-46-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4620-42-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4984-45-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4984-19-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads