11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3

Analysis

max time kernel
145s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
Size

822KB
MD5

1f57fc13c56a4dceed5ef9287677978c
SHA1

6960f54e573c33a09e9cbc1c67394dec3237c355
SHA256

11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3
SHA512

9ddc28dab956886920e83d3ff0847eb3b9163d4f435b23eebffe9dd20775d9a90da59417a36b315cf0e730065663b555819989c913c6e192fc277417dc73603f
SSDEEP

6144:XwynAtMrOVRkidy9yIGWlUiJwzYDteYIpREZPF9xkNbyjUWAZyVVp7BnxeHF:XwKfOVRo9yRYzwzYDteYIpREf9eqVUl

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe"	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe"	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\MicrosoftStudio10.00.40219.01.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\pluginLibrary.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX6684.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX6F30.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaStart.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\TableTextServiceWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\RCX4874.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX5CAE.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX522B.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX5BE1.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\EULAsqlite19.10.20064.310990.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaStart.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\EmbeddedFramework.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX51CC.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\RCX525B.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX4894.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\EmbeddedFramework.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX5D3B.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\EULAsqlite19.10.20064.310990.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeNPPDF32.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX65D7.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\RCX4863.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdasqlrSystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..ap-rastls.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_591493e4aae0a7f7\SystemMicrosoft.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1036\RCX95C6.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\et-EE\Operatsioonissteembootmgr.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Windows\Branding\Basebrd\RCX712B.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.746_none_52d2b2ecb593c243\OLEACCHOOKSMicrosoft7.2.19041.746.160101.0800.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..tion-mgmt.resources_31bf3856ad364e35_10.0.19041.1_es-es_983158f912426bfa\operativoWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\GAC\ja\RCX95F6.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\hu-HU\opercisrendszer.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-storprop.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_a89d10c6ca0294a2\WindowsWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_dual_bcmdhd64.inf_31bf3856ad364e35_10.0.19041.1_none_bc4ccf38b07f09e7\bcmdhd63Broadcom.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core.resources\v4.0_4.0.0.0_es_b77a5c561934e089\SystemFramework.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\EFI\lt-LT\bootmgrbootmgr10.0.19041.1.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\EFI\fr-FR\memdiagbootmgr.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\EFI\nb-NO\bootmgrWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\Resources\ja-JP\Windowsbootres.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_windows.networking.vpn.soh_31bf3856ad364e35_10.0.19041.1_none_1c26f47a7c412fc5\WindowsSystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\MicrosoftFramework.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\lv-LV\OperetajsistemaWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\nl-NL\Windowsbesturingssysteembootmgr.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Branding\Basebrd\en-US\WindowsBASEBRD.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ie-ieshims_31bf3856ad364e35_11.0.19041.1_none_d5511ccdec12f5ef\Internetieshims11.00.19041.1.160101.0800.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_netfx4-clrjit_dll_b03f5f7f11d50a3a_4.0.15805.0_none_25a05175745571fa\clrjitFramework340.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-lsa-secur32_31bf3856ad364e35_10.0.19041.546_none_d16d8ebdff57e550\MicrosoftWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\RCX8B4.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\IME\IMEKR\DICTS\MicrosoftSystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core.resources\v4.0_4.0.0.0_es_b77a5c561934e089\RCX4EE7.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de-DE\RCXDBFB.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\EFI\WindowsWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\zh-TW\WindowsSystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\Resources\en-US\bootresSystem10.0.19041.1.160101.0800.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Branding\Basebrd\de-DE\BASEBRDWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\memdiagbootuwf10.0.19041.844.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ng-messagingservice_31bf3856ad364e35_10.0.19041.1_none_9cc477fa79f5a5d1\MessagingServiceSystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\wow64_multimedia-mferror_31bf3856ad364e35_10.0.19041.1_none_44ee8c4e35350868\mferrorError.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\zh-TW\SystemWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\EFI\pt-BR\SistemaWindows.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-healthcenter.resources_31bf3856ad364e35_10.0.19041.1_de-de_0672dc82dbbaf33d\WindowsBetriebssystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_system.servicemodel.routing.resources_31bf3856ad364e35_4.0.15805.0_es-es_a896d3893bb8c9fa\MicrosoftRouting.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_10.0.19041.1_it-it_0351112ec34f96b4\Windowssxproxy.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\FrameworkSystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\el-GR\bootmgrssta10.0.19041.1.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\fi-FI\Microsoftbootmgr.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\EFI\es-ES\Windowsbootmgr.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\Resources\bootresSystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..licymaker.resources_31bf3856ad364e35_10.0.19041.1_en-us_0f5e2610667b667a\WindowsSystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..linetools.resources_31bf3856ad364e35_10.0.19041.1_es-es_49cf410f45e6e872\Microsoftgprslt.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de\resourcessystem285.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\RCX23A5.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Windows\Branding\Basebrd\ja-JP\RCX23E4.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1036\mscorsecrmscorsecr.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\hu-HU\memdiagMicrosoft.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\EFI\nl-NL\bootmgrWindowsbesturingssysteem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..2provider.resources_31bf3856ad364e35_10.0.19041.1_es-es_c701815d944c9281\SistemaNetNat.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_7c3d791319d34223\WindowsOperating10.0.19041.1.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000463_31bf3856ad364e35_10.0.19041.1_none_a86a61cd3764a4d4\SystemOperating.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de-DE\ServiceModelEventsServiceModelInstallRC3.0.4506.9135.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\EFI\hr-HR\Operacijskibootmgr.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wordpad.resources_31bf3856ad364e35_10.0.19041.1_en-us_62fab79bfea3a4cd\MicrosoftSystem.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_10.0.19041.1_none_95647fabfa4ec9fe\Systemtabletpc.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\MicrosoftSystme.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Boot\PCAT\es-MX\operativobootmgr.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationClient.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\resourcesMicrosoftR.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..r-desktop.resources_31bf3856ad364e35_10.0.19041.1_it-it_010f40593444a934\SistemaMicrosoft.exe	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
File opened for modification	C:\Windows\IME\IMEKR\DICTS\RCX95B6.tmp	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
3368	11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe

C:\Users\Admin\AppData\Local\Temp\11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe
"C:\Users\Admin\AppData\Local\Temp\11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost.exe

Filesize
858KB

MD5
399de831cbf8b202f4b3d41bd430ab81

SHA1
91aca64c62e4c24608c1cb79db3608b7091b946b

SHA256
fd8a2931c6ee13faa407afde279643217b1b173977f0fab106a3cc45f42326af

SHA512
c24fe011521ebb12e0798cd3cca2ccd44aec4af95e1bb7032c4c44185675e64228bac893720d00da2077324c75e083e3cace2a7bf032a34f306b5dd3af36be33

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\EULAsqlite19.10.20064.310990.exe

Filesize
824KB

MD5
e3d3f7c75aa2f612247f633cea276bb9

SHA1
abaa2225e09400488f490faca90f41504e1c5de0

SHA256
abe44885753bf6d1fdadef2902977bcfaa218a70841aa8d7f1d55f9bdb092c30

SHA512
a626a2644bff94b35527f2380690c8a34f8abe50e6791ac1602a925fbe9ff830455c9633a8c5db52db95e105ad6d46fe8bd612f552290ae7d48fd5a87f3c6911

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX522B.tmp

Filesize
824KB

MD5
d54595e229bf6bd28ada9fa7ac3a5c25

SHA1
c594dbb9076521e6e191ffe69ed77c139a15129f

SHA256
3954899cf8b8f3d7581922a5f6e3a0f6de0e09508d2d9832ce3af72c0285305a

SHA512
96f7d2f5628b5de80bd3fc4de32829a66381bbcf170f8a89f45002867d6fc057a8d9b203ab48706355e714a7d9d27f8fb343439fdad148c0d1df5522726ed8a8

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaStart.exe

Filesize
822KB

MD5
1f57fc13c56a4dceed5ef9287677978c

SHA1
6960f54e573c33a09e9cbc1c67394dec3237c355

SHA256
11313ef4a0328466ba28c81b10882b632ba4ff4af99d435cdcdfaf7e6ac562e3

SHA512
9ddc28dab956886920e83d3ff0847eb3b9163d4f435b23eebffe9dd20775d9a90da59417a36b315cf0e730065663b555819989c913c6e192fc277417dc73603f

Download Submit
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\RCX4F07.tmp

Filesize
824KB

MD5
e8c363233badcaa9e5dccc23d6d88003

SHA1
a4af9a296b176524236ee0941296d358aa8dcdec

SHA256
11a64e6dfce3c12f42af312829eb9407d626198d436a5b1f8d449ae3919195d8

SHA512
792c4ff9321b934dc938001319c6fb4446ad325d0b007ca01685636992e9e15280c8c80491a7a398bc75cb000ea92b2e845554832d1a76071fb6b0aa00c79834

Download Submit