32edd13d82c1847a0877066f28eb70f9b9b4c081e302b3fca90d82371b220347

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0057c55b1642f21d6d42adddd288f33d.exe
Size

493KB
MD5

0057c55b1642f21d6d42adddd288f33d
SHA1

9ed5b7096288943633d1f1a28912d9ea984fb6e6
SHA256

32edd13d82c1847a0877066f28eb70f9b9b4c081e302b3fca90d82371b220347
SHA512

7555728984ca5feadb0f19afebaafe1d636e84d9d2fd459694f9d9366ebcc98841123863d98c3d6bff304e8aecc60b7189f6a390a1de0d8a4f17f4721f0cd72c
SSDEEP

6144:HwynAtMrOVRkidy9yIGWlUimRVEDWnx4vNe:HwKfOVRo9yRYiSFe

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a1e3fed276a14a1bb2c319bdbec4dc18OneDriveSetup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0057c55b1642f21d6d42adddd288f33d.exe"	0057c55b1642f21d6d42adddd288f33d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\OneDrivea1e3fed276a14a1bb2c319bdbec4dc1826962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0057c55b1642f21d6d42adddd288f33d.exe"	0057c55b1642f21d6d42adddd288f33d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	0057c55b1642f21d6d42adddd288f33d.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterd3dcompiler47.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCXDAAA.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler43Components.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX7EE7.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatNPPDF32.exe	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Common Files\System\ado\fr-FR\Microsoftmsader1510.0.19041.1.160101.0800.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateWCChromeNativeMessagingHost.exe	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler43Components.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\RCX6E3A.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX8AFE.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCXAF60.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqliteEula.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXE307.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX586C.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqloledboledb32r10.0.19041.1.160101.0800.exe	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBaseresources.exe	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateWCChromeNativeMessagingHost.exe	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\MicrosoftVisual.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\RCX6F25.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\RCX77F0.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMReader.exe	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\NPPDF32Adobe.exe	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX5F73.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\Operatingtifffilt.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX79E5.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterd3dcompiler47.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCXBFCC.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXDA3A.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXDA7A.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\RCX69A5.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrPlugin.exe	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMReader.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqliteEula.exe	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AcrobatAiod.exe	0057c55b1642f21d6d42adddd288f33d.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\fr-FR\RCX5A13.tmp	0057c55b1642f21d6d42adddd288f33d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\qrcodepmpdatamatrixpmp.exe	0057c55b1642f21d6d42adddd288f33d.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0057c55b1642f21d6d42adddd288f33d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0057c55b1642f21d6d42adddd288f33d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	0057c55b1642f21d6d42adddd288f33d.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe
4088	0057c55b1642f21d6d42adddd288f33d.exe

C:\Users\Admin\AppData\Local\Temp\0057c55b1642f21d6d42adddd288f33d.exe
"C:\Users\Admin\AppData\Local\Temp\0057c55b1642f21d6d42adddd288f33d.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler43Components.exe

Filesize
7.9MB

MD5
4b82e9738a56a6c532cb51adc6e3d0ee

SHA1
d4c5e7d0ae2257f3751543e28b5e657377530d3f

SHA256
cc727cfb69c542b84444b6265a97daa3e8585b58c25ed9c41c453a989961f58c

SHA512
3ff1e6c07a8df1995ca0abca3eae543facc77167013663a074f146e2eb516d430a1651a2bcea6c664b67613b6bf599a3723b400e0fe1c5398e9c5aa9e025ba29

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler43Components.exe

Filesize
493KB

MD5
0057c55b1642f21d6d42adddd288f33d

SHA1
9ed5b7096288943633d1f1a28912d9ea984fb6e6

SHA256
32edd13d82c1847a0877066f28eb70f9b9b4c081e302b3fca90d82371b220347

SHA512
7555728984ca5feadb0f19afebaafe1d636e84d9d2fd459694f9d9366ebcc98841123863d98c3d6bff304e8aecc60b7189f6a390a1de0d8a4f17f4721f0cd72c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterd3dcompiler47.exe

Filesize
592KB

MD5
972b93d9d14f7e1109d440cdb1c61bcf

SHA1
4d08f71b854ecc6a6faa82f2d84052d637120929

SHA256
f38891d5a4c9e7f56a96a954f777a9406fb361c9b38bf04a99ce93a7a232f5ae

SHA512
693d1fb0ce2b8f0e4ae6a4b37f1dbbb9f761bc1ea53573559e8d1987fb23ded849dfb2ad6cafae47f7a4f8b5b7ef6843f5340824b6482556b7ce021603d06013

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMReader.exe

Filesize
853KB

MD5
d6944e57f80f624ee346ed45cca1a1ab

SHA1
b7e8077b46683f8155d406e12868bfbbb51ba3ec

SHA256
eac5b3ba5ff8c95d471efe45a897c1091de0a6da1b46511a7cda604145afaf6e

SHA512
f2c031af5a103b1a58a7a211766a31c967598af42580362e9f08d92a90946cfb6b6c0ae0dd470b196ed08acc9d8612fcdb14080d195ffbc1f0215a8bf805367b

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\RCX69A5.tmp

Filesize
495KB

MD5
9ad567dd7ea4530608bd140bfaa570ff

SHA1
e225bec1cb45643bb6bde1ac8055f465de49cfcc

SHA256
d1bebe9b64450b6ef2fa6a46238035ce17d611427aa282e8faa5bbffc41975d0

SHA512
187733e6e032ce19e465fa683d8ed9252f1321a5451ec54948382fabf1e22626316624c8fc8bc2e50aff3b43cedef6062a6527f60f34b06b1a86707e55a11953

Download Submit