31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3

General

Target

31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
Size

2.0MB
MD5

d133f4968bf0cfcf2c3e94862eaa41b7
SHA1

a4460e274eaa3d462aeeb530972ecc7b9d5f7844
SHA256

31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3
SHA512

76be7bba7de2a267ad0ac01f815a683009ed87193d2db053e0dcaaf0c6a6d9b7681fb41a34267bef796f55ccd5d3fd51e1dcd0976a7d0a71846dd25d1bf9d6ea
SSDEEP

49152:h8YqH4O8b8ITDnlIfeEXGF+6z8zmqtqCK3RTeyay+hviOZ8afQf2PynL:qDVrw+6zEmqtqCKkT6OWL

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe"	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe"	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

description ioc process

File created C:\Windows\SysWOW64\ntdll.dll.dll 31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

Drops file in Program Files directory 29 IoCs

Processes:

31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX9CB8.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\SystemWABIMP.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCX934D.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateWCChromeNativeMessagingHost.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX9C97.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX7FDE.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\playreadycdmplayreadycdm.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateWCChromeNativeMessagingHost.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeScCoreAcroBroker91.163616.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\RCX800E.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX93AD.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeScCoreAcroBroker91.163616.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCX9CA8.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TipTsfTipRes.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqlxmlxsqloledb10.0.19041.1.160101.0800.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\RCX8A62.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AcrobatAdobe.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX937D.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\RCX802E.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\RCX8A51.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\WindowsWindows10.0.19041.1.160101.0800.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\AdobeAcrobat.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXA535.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Windows Mail\SystemWABIMP.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AcrobatAdobe.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCX8AEF.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\NPPDF32Acrobat19.10.20064.310990.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

Drops file in Windows directory 41 IoCs

Processes:

31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

description	ioc	process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..pbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_35639e205a5b7ca5\browscapbrowscap.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_netfx-wminet_utils_dll_b03f5f7f11d50a3a_10.0.19041.1_none_ec6d603df6f17ff4\WMINetUtilsFramework2.0.50727.91496.0507279100.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..telrunner.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b86e662e5cd8a100\OperatingMicrosoft10.0.19041.1.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\SystmeManagement.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\resourcesFramework.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\RCX8625.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pmemcmdlets.resources_31bf3856ad364e35_10.0.19041.1_it-it_65bacf6f4bba5832\MicrosoftSistema.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-dataexchange-api_31bf3856ad364e35_10.0.19041.1151_none_67917ea252cd4e15\WindowsSystem10.0.19041.1151.160101.0800.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..-schedule.resources_31bf3856ad364e35_10.0.19041.1_de-de_04d0f6a176d2ba76\WindowsMdSched.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..assistant.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c6b85fccfedad2f\Windowspcasvc10.0.19041.1.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_8f798b6f3ac6ca90\AppsDiagPackageSistema10.0.19041.1.160101.0800.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\msil_miguicontrols.resources_31bf3856ad364e35_10.0.19041.1_de-de_7628fb4d5c7affac\WindowsBetriebssystem.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-optionaltsps.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2760afa5ec078afa\Microsofttcmsetup.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smbserver-v2.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_15bc8f718d213568\MicrosoftWindows.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..t-storage.resources_31bf3856ad364e35_10.0.19041.1_de-de_c0201467c59e592b\StorageWindows.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_wvmbus.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5f58944c3a581c94\vmbusvmbus.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\resourcesFramework.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Design.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\RCX8615.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smbserver.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d97b399b2623b706\dexploitationdexploitation.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\diagnostics\system\DeviceCenter\en-US\SystemCLLocalizationDatap6467.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b2420a5c46d8cbf4\WindowsWindows.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..pplatform.resources_31bf3856ad364e35_10.0.19041.1_es-es_26f47634d4beea3e\SetupPlatformProviderSistema.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-media-devices_31bf3856ad364e35_10.0.19041.264_none_639da44c72a5d48f\deviceSystem.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..aphostres.resources_31bf3856ad364e35_10.0.19041.1_zh-tw_97ccd1d8549f31d7\APHostResWindows10.0.19041.1.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\RCX40EA.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_system.workflow.runtime.resources_31bf3856ad364e35_4.0.15805.0_de-de_142e0ace56b75463\resourcesRuntime.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Design.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\Systemresources.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-eudcedit.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_92dd879503e1f98e\OperatingMicrosoft.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsFormsIntegration.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\resourcesresources.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_4f47a185578c8dba\WindowsFDPrint10.0.19041.1.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l2na.resources_31bf3856ad364e35_10.0.19041.1_it-it_e8e6e86841c9fbee\operativol2nacp10.0.19041.1.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ncryptprov-dll_31bf3856ad364e35_10.0.19041.1_none_d466de7d3371ee7b\Windowsncryptprov10.0.19041.1.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsFormsIntegration.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\RCX40AB.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\ConfigurationSystem.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g...scrptadm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f9aadfbec9e71e3c\Microsoftscrptadm10.0.19041.1.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-twinui-appcore_31bf3856ad364e35_10.0.19041.1023_none_10f51e9144584b90\TWINUIAPPCORE.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-help-datalayer_31bf3856ad364e35_10.0.19041.746_none_a2b3f28a7d262dfe\APDSOperating.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fsutil_31bf3856ad364e35_10.0.19041.1_none_825521fc8f4a22ac\fsutilfsutil.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06\RemoteFileBrowseWindows.exe	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\RCX410B.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\RCX8604.tmp	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

pid	process
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
1724	31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe

C:\Users\Admin\AppData\Local\Temp\31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe
"C:\Users\Admin\AppData\Local\Temp\31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX93AD.tmp

Filesize
2.0MB

MD5
c6c123ca7dfd3c5a952852066d5f4df7

SHA1
a50a88ac4ae5b6cbbd8db479cfcc0e10dbd300cf

SHA256
e2c95e8d9f41919655fc41bbe63a3b147bfa1d09ef4a2991aaca59f958f05b90

SHA512
10f8abed25cd70554caed4d599f3890948e8f33b45294b455c775336c185abee908de755813f484d2fbca7451086d0d3d31dbd5704284d86e943bf5f433d8462

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateWCChromeNativeMessagingHost.exe

Filesize
2.1MB

MD5
338d45b0dc1afa9a8bb9271c85486f39

SHA1
18d4e34bde9811effa41ca3b8cfb862aa43d6ade

SHA256
e0f6173c1a459f2f8b51e8e612b00d3b3ab9ed6fe061f29e0bbe2bcf27238f4e

SHA512
c66f80bd2174d60bc66d560b7fe782252552c58dfcfbf9af9b7843dfa98b49da1d863f8a8107c6627c76d1cc09897e8c8669b2cea9f5faf8f9851d270eabd73f

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\WindowsWindows10.0.19041.1.160101.0800.exe

Filesize
2.0MB

MD5
40a8598ea1937daa92e900c0edbbbb8c

SHA1
e94f029a0886fac17710487390d6cf84c2a58dc4

SHA256
03fdf533e6a7978901adef3ec833794cb1565d0dc9ce5c1d800d320729aad03c

SHA512
fd1b0a2a8586dc880fc998d7d0b051861b35b7630b96d27833e4340f96edadbeacb5023c36b0426adeb22fcc6d052b772d102e1737f132be8fb0e7ad40da7a04

Download Submit
C:\Program Files (x86)\Windows Mail\SystemWABIMP.exe

Filesize
2.0MB

MD5
d133f4968bf0cfcf2c3e94862eaa41b7

SHA1
a4460e274eaa3d462aeeb530972ecc7b9d5f7844

SHA256
31de997cdc417ee2a4bcffd2e9998ce35945df9bb8bbe18a7bb08f7048cb64d3

SHA512
76be7bba7de2a267ad0ac01f815a683009ed87193d2db053e0dcaaf0c6a6d9b7681fb41a34267bef796f55ccd5d3fd51e1dcd0976a7d0a71846dd25d1bf9d6ea

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\mscorlibsystem.exe

Filesize
2.1MB

MD5
84f5ad74cf38c306c1f2906669b0d976

SHA1
ca9d210f68b5ff8b04f2bbe863f2e2b974c5c308

SHA256
a473f1e1c899ef6ef1971b9ed2c07b78b980b47ba02861218e9363ba121c4ee9

SHA512
c742c5ca70dfedda772056ee9d80a9d4e5206a99f421b058778441931f909200b28466daa7a73ad2ed13a205ff110cac2510d285cefb5bcc75ae341dcc5f9c1e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads