c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1

Analysis

max time kernel
53s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 17:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe
Size

916KB
MD5

d37b85b09086c80a3ee953249d2f2127
SHA1

b6436755f2793a563663064d407734038de90a5e
SHA256

c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1
SHA512

202da99d12bef5943789786597c0d0b1e2db27159c76cf4ff230a8db100fd730a106fcd1a250172b6314d1e52724ca182339123092ed54b264ac689f64d5d483
SSDEEP

24576:lgZXoZUTVdt7KEA1MZsflCxjah+6Vr2x3aAq12JQf8v9:QAMclC4AxKAB+Ev9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe

Executes dropped EXE 6 IoCs

pid	Process
2488	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
2408	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
3088	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
1688	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
2312	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
3440	hcs.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Sep	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe
File created	C:\Program Files (x86)\Sep\__tmp_rar_sfx_access_check_240665906	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe
File created	C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe
File opened for modification	C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe
File created	C:\Program Files (x86)\Sep\Certificazione Partecipazione Corso AML IT15318.pdf	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe
File opened for modification	C:\Program Files (x86)\Sep\Certificazione Partecipazione Corso AML IT15318.pdf	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1772	AcroRd32.exe
1772	AcroRd32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1772	1912	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe	89
PID 1912 wrote to memory of 1772	1912	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe	89
PID 1912 wrote to memory of 1772	1912	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe	89
PID 1912 wrote to memory of 2488	1912	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe	91
PID 1912 wrote to memory of 2488	1912	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe	91
PID 1912 wrote to memory of 2488	1912	c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe	91
PID 2408 wrote to memory of 3088	2408	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	93
PID 2408 wrote to memory of 3088	2408	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	93
PID 2408 wrote to memory of 3088	2408	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	93
PID 1688 wrote to memory of 2312	1688	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	95
PID 1688 wrote to memory of 2312	1688	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	95
PID 1688 wrote to memory of 2312	1688	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	95
PID 2312 wrote to memory of 3440	2312	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	96
PID 2312 wrote to memory of 3440	2312	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	96
PID 2312 wrote to memory of 3440	2312	sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe	96

C:\Users\Admin\AppData\Local\Temp\c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe
"C:\Users\Admin\AppData\Local\Temp\c451fb32dd30ad7610e5f569d46468c8bc8c2f19520488c49eb4dec30b6477e1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Program Files (x86)\Sep\Certificazione Partecipazione Corso AML IT15318.pdf"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:1772
- C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
  "C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe"
  2⤵
  - Executes dropped EXE
  PID:2488

C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
"C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe" /service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
  "" "/runsupportversion"
  2⤵
  - Executes dropped EXE
  PID:3088

C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
"C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe" /service
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe
  "" "/runsupportversion"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\ProgramData\Anyplace Control Support\hcs.exe
    "C:\ProgramData\Anyplace Control Support\hcs.exe" "/effects=onC:\ProgramData\Anyplace?Control?Support\apc-settings.ini"
    3⤵
    - Executes dropped EXE
    PID:3440
- - C:\ProgramData\Anyplace Control Support\hcs.exe
    "C:\ProgramData\Anyplace Control Support\hcs.exe" "/theme=onC:\ProgramData\Anyplace?Control?Support\apc-settings.ini"
    3⤵
    PID:2896
- - C:\ProgramData\Anyplace Control Support\hcs.exe
    "C:\ProgramData\Anyplace Control Support\hcs.exe" "/wallpaper=on"
    3⤵
    PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\Program Files (x86)\Sep\sanexpedito87-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgTk5OTk5O.exe

Filesize
1.4MB

MD5
e1d228f6e0f0c3ae48209a4cbc9bd0cd

SHA1
6709981fa5dc059059fa34fbdf9fd1df814684b7

SHA256
e77efb3fa3e19fed95448cde1862f72dd2458a01aaf1cd703930296aee7e5630

SHA512
5b805a43256fffda6ef6023ebf1438e70cef88a10d3a8759ad60b4e7c1a02a65096d9cb4de3ff99ab22288ea2e63687b4cc0b10aef1352d78e6c22ef94998055

Download Submit
C:\ProgramData\Anyplace Control Support\apcErrorsLog.txt

Filesize
314B

MD5
3e2e6bfba818c7d056a7f5e86315175f

SHA1
9b3586df5b79517949bb1e967f9c74717d85f10b

SHA256
003af980357a48e142bce7405accc8cd6cb5cf8fa147e272718862f5f95c2fda

SHA512
584520b76624ef18f52b7a63d23e8667acde2c405a42402b7d093564e91caa47df5adb36fafa3c1dfe8940a56b666e6ebebfd2bf567eccd008332a89afe7d30e

Download Submit
C:\ProgramData\Anyplace Control Support\apcErrorsLog.txt

Filesize
437B

MD5
09ccf94c623c0453174ea885aa58150e

SHA1
325c670fc7cf55d73e8d023abb6db4e5b02c7ea7

SHA256
5403140c16fbe73fb696013d84d9c5b2c1822e7b7cfef914722cadc9e2e8281e

SHA512
63bdf68e4bad17bf3fb48130e473ad70e28c112c5ae21f4af321349271e2714d289bf3647a8e2ffffc8010d497724bae2664f2633e4a696a9b08d937a49732fe

Download Submit
C:\ProgramData\Anyplace Control Support\hcs.exe

Filesize
104KB

MD5
ac5933067b2c38299ae1443331a61511

SHA1
f1176f9bd6540bb4c1d9a7b723a42ff12c98b8b9

SHA256
8c305bb4c07fac5c88ad1906e6195dd8176f7b6e5014e8fb3e081a45161cf72a

SHA512
c53d784fd5d37e1b753b3397711e36aa3f6d323d1c9f82a7a8c6ae4947b21c125a64517ac76278350beee30faa53ef985c975f19007a43766594423bca4f1727

Download Submit
C:\ProgramData\Anyplace Control Support\hcs.exe

Filesize
104KB

MD5
ac5933067b2c38299ae1443331a61511

SHA1
f1176f9bd6540bb4c1d9a7b723a42ff12c98b8b9

SHA256
8c305bb4c07fac5c88ad1906e6195dd8176f7b6e5014e8fb3e081a45161cf72a

SHA512
c53d784fd5d37e1b753b3397711e36aa3f6d323d1c9f82a7a8c6ae4947b21c125a64517ac76278350beee30faa53ef985c975f19007a43766594423bca4f1727

Download Submit
C:\ProgramData\Anyplace Control Support\hcs.exe

Filesize
104KB

MD5
ac5933067b2c38299ae1443331a61511

SHA1
f1176f9bd6540bb4c1d9a7b723a42ff12c98b8b9

SHA256
8c305bb4c07fac5c88ad1906e6195dd8176f7b6e5014e8fb3e081a45161cf72a

SHA512
c53d784fd5d37e1b753b3397711e36aa3f6d323d1c9f82a7a8c6ae4947b21c125a64517ac76278350beee30faa53ef985c975f19007a43766594423bca4f1727

Download Submit
C:\ProgramData\Anyplace Control Support\hcs.exe

Filesize
104KB

MD5
ac5933067b2c38299ae1443331a61511

SHA1
f1176f9bd6540bb4c1d9a7b723a42ff12c98b8b9

SHA256
8c305bb4c07fac5c88ad1906e6195dd8176f7b6e5014e8fb3e081a45161cf72a

SHA512
c53d784fd5d37e1b753b3397711e36aa3f6d323d1c9f82a7a8c6ae4947b21c125a64517ac76278350beee30faa53ef985c975f19007a43766594423bca4f1727

Download Submit
C:\ProgramData\Anyplace Control Support\hcs.exe

Filesize
104KB

MD5
ac5933067b2c38299ae1443331a61511

SHA1
f1176f9bd6540bb4c1d9a7b723a42ff12c98b8b9

SHA256
8c305bb4c07fac5c88ad1906e6195dd8176f7b6e5014e8fb3e081a45161cf72a

SHA512
c53d784fd5d37e1b753b3397711e36aa3f6d323d1c9f82a7a8c6ae4947b21c125a64517ac76278350beee30faa53ef985c975f19007a43766594423bca4f1727

Download Submit
C:\ProgramData\Anyplace Control Support\libspeex.dll

Filesize
166KB

MD5
e10db82c997a756a01b6f954e86b83e0

SHA1
411fca36d8639b0ba78d8b3cfe1421626a33e6b4

SHA256
65a9bbd5b3b9161c0dd61a9e185e391cfa68f31171e1a5fcfad20bcc9eb09480

SHA512
ad3915a619e139a39d9587975f20374852255437fbb31621be94252794beb553ac710ce5fd15ea562be753788c47ff49babd7f5361cb4665e748c8aada01ac8b

Download Submit
C:\ProgramData\Anyplace Control Support\libspeexdsp.dll

Filesize
153KB

MD5
9a8608bb0b654c650743221914d87ac2

SHA1
bc4dde9361fe4170a93e6e9af80cb8a2aaf70f66

SHA256
f15b0408096eafc700fe069b716ffa921854b4e95bed33ad08524a59cc8ad57b

SHA512
ceac4b5b61528832eedfc98c050fda907df88ad9ad342257c2fb2e15d8e185cc1b7f73e0c773950b7a63a5266c900d3ada4d96a2135fa2b791b4577e0f27258f

Download Submit
C:\ProgramData\Anyplace Control Support\sessionID.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\ProgramData\Anyplace Control Support\sessionID.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/1688-38-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1688-37-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2312-41-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2408-21-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2408-24-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2488-15-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2488-44-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3088-45-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3088-25-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads