601eed3a9c30f193cacbb575774b6e97f689f3de925043abd67ec5b2daabe0dd

General

Target

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Size

169KB
MD5

bc3c5ef1f273c9cf85ee33f2301fd8a2
SHA1

7d85f0c59b1fc3d9a6228e2569af7d955ef8ae6c
SHA256

601eed3a9c30f193cacbb575774b6e97f689f3de925043abd67ec5b2daabe0dd
SHA512

2988f919f04d27312636bc9f4f1e6413070136db283a16ad067d5b6f1ee96fafb29060846f4644db9277d37ea631c8adc95f28456e52c929bdc5001e7e6d1c24
SSDEEP

3072:fxHO3jT5823suijFBLJOA0aAWlEhlVYkM0og+K+s8ZXtI2RmpelUTk:fxeT5823k3YAjlUFM0og6sMqAmA

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bc3c5ef1f273c9cf85ee33f2301fd8a2.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bc3c5ef1f273c9cf85ee33f2301fd8a2.exe"	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

Drops file in System32 directory 1 IoCs

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

Drops file in Program Files directory 16 IoCs

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Java\Java Update\SchedulerScheduler.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\WindowsPhotoViewer.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\WindowsPhotoViewer.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\FlashQuickTime.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrprcr.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libEGLlibGLESv2.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\AcrobatAdobe19.10.20064.310990.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\NPPDF32Adobe.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\iexploreIEXPLORE.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProviderVSTOLoader.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\WindowsTipTsf.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\EULAHelper.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAdobe.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler47Microsoft.exe	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

pid	process
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
3964	bc3c5ef1f273c9cf85ee33f2301fd8a2.exe

C:\Users\Admin\AppData\Local\Temp\bc3c5ef1f273c9cf85ee33f2301fd8a2.exe
"C:\Users\Admin\AppData\Local\Temp\bc3c5ef1f273c9cf85ee33f2301fd8a2.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\uk-UA\iexploreIEXPLORE.exe
Filesize
169KB

MD5
bc3c5ef1f273c9cf85ee33f2301fd8a2

SHA1
7d85f0c59b1fc3d9a6228e2569af7d955ef8ae6c

SHA256
601eed3a9c30f193cacbb575774b6e97f689f3de925043abd67ec5b2daabe0dd

SHA512
2988f919f04d27312636bc9f4f1e6413070136db283a16ad067d5b6f1ee96fafb29060846f4644db9277d37ea631c8adc95f28456e52c929bdc5001e7e6d1c24

Download Submit
memory/3964-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3964-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3964-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3964-51-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads