bee575ab0030b49d32c268d85ada5534143d2894a9e5a928456fc5551a666d14

General

Target

4726df02c033fd5a1a0bba8de4ae42d5.exe
Size

134KB
MD5

4726df02c033fd5a1a0bba8de4ae42d5
SHA1

e7a488c997de9bab42ca057c9a5ed2c34a2a36bd
SHA256

bee575ab0030b49d32c268d85ada5534143d2894a9e5a928456fc5551a666d14
SHA512

6cefdbe7ed9b9eb870bd451668417803a2da4af1e9785bc941766f126c1946465f42e3b300961a73d62358cb9caa38de035ff29afcdd9bde21ec1d2ebd6967e7
SSDEEP

3072:Eor4EqPU81j1CQcJ5bOeEElLIYe7bzQxWk6+aljgBPb:Eor4PnR1/cJBEElC7PQDue

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4726df02c033fd5a1a0bba8de4ae42d5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4726df02c033fd5a1a0bba8de4ae42d5.exe"	4726df02c033fd5a1a0bba8de4ae42d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4726df02c033fd5a1a0bba8de4ae42d5.exe"	4726df02c033fd5a1a0bba8de4ae42d5.exe

Drops file in System32 directory 1 IoCs

Processes:

4726df02c033fd5a1a0bba8de4ae42d5.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll 4726df02c033fd5a1a0bba8de4ae42d5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	4726df02c033fd5a1a0bba8de4ae42d5.exe

Drops file in Program Files directory 64 IoCs

Processes:

4726df02c033fd5a1a0bba8de4ae42d5.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\Operatingsqloledb10.0.19041.1.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\scannerscanner.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\it-IT\SoftWarescanner.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDFImplControl19.10.20064.310990.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\SystemBetriebssystem.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\AdobeAdobe.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\ChromeGoogle.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\SystmeWMPMediaSharing.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\SoftWarescanner.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\WindowsWindows.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\processesSoftWare.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\scannerscanner2.4.5600.0.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sqmapiMicrosoft10.0.19041.1.160101.0800.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\sqloledbOperating.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaStart.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\ado\fr-FR\SoftWarescanner2.4.5600.0.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\it-IT\SoftWarescanner.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\processesmaintenanceservice.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationCoreresources.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\SoftWarescanner.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceserviceinstallermaintenanceservice105.0.3.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\WindowsMicrosoft10.0.19041.1.160101.0800.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\PackageManagementPackageManagement10.0.19041.1.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\MicrosoftOperating.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\Internetieinstal.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\EmbeddedClient92.0.902.67.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\Launcherscanner8.0.3810.9.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\scannerscanner.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\ado\fr-FR\WindowsOperating.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\dexploitationWindows4.18.1907.16384.160101.0800.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\pdf417pmpdatamatrixpmp.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\AdobeAdobe.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\SystemSystem.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\Edgeplayreadycdm.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AdobeAcrobat2796.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\ado\fr-FR\processesSoftWare2.4.5600.0.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\InternetPlugin19.10.20064.310990.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoaderVSTOLoader10.0.60828.0.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\mshwLatinTabTip3210.0.19041.1.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\WindowsSistema.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\Operatingsqmapi10.0.19041.1.160101.0800.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ietoedgestubietoedgebho64dll92.0.902.67.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevicesSystem.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\Speechresources.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\scannerSoftWare.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\Sistemaoperativo.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\libEGLLink.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\msedgeupdateUpdate.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\OperatingMetaProvider.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Adobe19.10.20064.310990.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\operativoWindows10.0.19041.1.160101.0800.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msdaprsrmsadcer.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfoscanner.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClientsideProvidersWindowsBase.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\ieinstalInternet.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\MicrosoftWORDPAD.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\SoftWarescanner2.4.5600.0.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\FrameworkMicrosoft.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\operativoWindows10.0.19041.1.160101.0800.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\Windowswmplayer.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\it-IT\msaddsrmsadcer.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\ieinstalieinstal.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\Explorerieinstal.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jauregjusched.exe	4726df02c033fd5a1a0bba8de4ae42d5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4726df02c033fd5a1a0bba8de4ae42d5.exe

pid	process
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe
3324	4726df02c033fd5a1a0bba8de4ae42d5.exe

C:\Users\Admin\AppData\Local\Temp\4726df02c033fd5a1a0bba8de4ae42d5.exe
"C:\Users\Admin\AppData\Local\Temp\4726df02c033fd5a1a0bba8de4ae42d5.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3324-0-0x0000000000570000-0x000000000058F000-memory.dmp

Filesize
124KB

Download
memory/3324-2-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3324-1-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/3324-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/3324-6-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/3324-50-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads