437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
Size

9.7MB
MD5

72eb240ffd1678f6b6eb7ec26c81e980
SHA1

a927117831ee2132025616e68ad182cd744d4b39
SHA256

437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976
SHA512

e399f82f9d3f7bfe5663da0df23e140608c5283d98af6a10e3b72205083dbeb155d4e9f44e218603b99f6e55e5f6600eb16f037c4108414dc26805041f102d31
SSDEEP

196608:rbqnhgJuP3LAhCiVXOWvd6A1oMuWr45hrr2u:wS+LJYeJWGhrr2u

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe"	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe"	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\SysWOW64\F12\ja-JP\F12ScriptF12Script11.00.19041.1.160101.0800.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\SysWOW64\F12\ja-JP\RCX6145.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\ado\de-DE\Microsoftmsader15.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\MicrosoftHostAdapter.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Common Files\System\ado\en-US\Windowsmsader15.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\RCXAA01.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\RCX979C.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Common Files\System\OperatingWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\RCX9973.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RCXA250.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXBC95.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\MicrosoftPlayReady.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\Studiovstoee.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\NPPDF32Acrobat.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\de-DE\RCXA106.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\en-US\RCXA193.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\RCXB3A9.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCXB4F3.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\WAB32resMicrosoft10.0.19041.1.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\WAB32resMicrosoft10.0.19041.1.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\OperatingWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAcrobat.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfomsinfo.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfomsinfo.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\RCXB456.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58Viewer.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\RCX9878.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\Studiovstoee.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXAAFC.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\RCXAB9A.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTimeMCIMPP.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58Viewer.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXBD90.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\RCX6220.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\CollectionsSystem4.8.4084.0.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Boot\Resources\SystemMicrosoft.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\RCX7C84.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\IME\uk-UA\RCX7DFD.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.Resources\2.0.0.0_de_b03f5f7f11d50a3a\Microsoftresources2.0.50727.91496.0507279100.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-updatecsps_31bf3856ad364e35_10.0.19041.1_none_6a4e21c256513db3\OperatingUpdateCsp.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_0bc0c6751faa809f\memdiagWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.19041.1_de-de_aa80822f6acf8352\WindowsWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..itycenter.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cc214dc399dc7e0b\Systmedexploitation10.0.19041.1.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-usp_31bf3856ad364e35_10.0.19041.1_none_6d4030e42c3aa8a4\USP10Windows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_dual_ufxsynopsys.inf_31bf3856ad364e35_10.0.19041.662_none_eb48813183604651\ufxsynopsysufxsynopsys.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.resources\v4.0_10.0.0.0_es_b03f5f7f11d50a3a\RCXEDF9.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\msvcp100Studio.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_10.0.19041.1_it-it_b92c6387c69987b4\ftpresService.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wwansvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0b679f36bac0ef8f\SystemWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..shandlers.resources_31bf3856ad364e35_10.0.19041.1_en-us_9434f946b230b8cd\SystemWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wldp.resources_31bf3856ad364e35_10.0.19041.1_de-de_38ee9899c52fca32\wldpBetriebssystem.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.19041.1202_none_d16f7d1b7a182564\Windowsncbservice10.0.19041.1202.160101.0800.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..xecserver.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_fb4e37b4d1f31353\SystemMicrosoft.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\XsdBuildTask.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\RCXA882.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\RCX37C9.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-c..shandlers.resources_31bf3856ad364e35_10.0.19041.1_es-es_6d6f37f3cf287fa0\operativooperativo.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\RCXEF91.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\en-US\ServiceModelEventsMicrosoft.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Boot\PCAT\nb-NO\memdiagbootmgr.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..utilities.resources_31bf3856ad364e35_10.0.19041.1_it-it_c6064dd13a0b9139\SistemaWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmvxencd_31bf3856ad364e35_10.0.19041.1_none_ff80e427d9d812ab\wmvxencdwmvxencd.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\InstallUtil.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\Frameworkresources.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..omponents.resources_31bf3856ad364e35_10.0.19041.1_de-de_e92b3608b1b54436\WindowsLocationNotification.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\RCXA92F.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\RuntimeMicrosoft4.8.4084.0.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\RCXC103.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1033\RCX7D7F.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\IME\uk-UA\SpTipOperating.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmpdmc-ux.resources_31bf3856ad364e35_10.0.19041.1_es-es_9bf702b0c10fd8cf\WMPDMCWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..rolviewer.resources_31bf3856ad364e35_11.0.19041.1_de-de_e365cb47d7f752c9\InternetOCCACHE.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Boot\EFI\fr-CA\dexploitationdexploitation.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1033\ActivitiesCompilerUI.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..i-appcore.resources_31bf3856ad364e35_10.0.19041.1_it-it_74ece4c48458b602\appcoreoperativo.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_672218d31369e729\SystemWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setup-cleanup_31bf3856ad364e35_10.0.19041.1_none_0f872b20c6a7236b\SystemMicrosoft.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\wow64_windows-gaming-prev..esenumeration-winrt_31bf3856ad364e35_10.0.19041.264_none_35f854e9a12ee0d6\Systemwindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMDiagnosticsWasHosting.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\RCXC20E.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..orenderer.resources_31bf3856ad364e35_10.0.19041.1_it-it_ec95d3299db3d921\VideoWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_10.0.19041.867_none_9fcce199936290f4\Systemupnpcont.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wlanpref.resources_31bf3856ad364e35_10.0.19041.1_es-es_b4dd029ebb557d69\operativowlanpref.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\en-US\RCXC066.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..up-prompt.resources_31bf3856ad364e35_10.0.19041.1_it-it_9e964c095f6360e0\FVEPROMPTSistema10.0.19041.1.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\MicrosoftTasks.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-i..riptcollectionagent_31bf3856ad364e35_11.0.19041.1_none_438b34e5eaa45e3d\ExplorerJavaScriptCollectionAgent.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-dui70_31bf3856ad364e35_10.0.19041.1_none_17fa67a6d1d90f6d\MicrosoftSystem.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5e68a27ba5a6dfcd\OperatingWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_f6f764f1cf052149\tipresxtipresx.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\SystemDirectoryServices.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Activities.Build.resources\v4.0_4.0.0.0_it_31bf3856ad364e35\MicrosoftBuild4.8.4084.0.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.Resources\2.0.0.0_de_b03f5f7f11d50a3a\RCX5F7F.tmp	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lsa.resources_31bf3856ad364e35_10.0.19041.1_es-es_3c643eb9361fcf47\operativoWindows.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..clientsku.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_722f57ec7f2152fb\Microsoftrdpshell.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..llercommandlinetool_31bf3856ad364e35_10.0.19041.1_none_2a5f489c740a390b\OperatingMicrosoft.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.resources\v4.0_10.0.0.0_es_b03f5f7f11d50a3a\Frameworkresources.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\MicrosoftTasks.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..t-tracker.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0ab60e84be3fd462\OperatingSHUTDOWN.exe	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
1460	437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe

C:\Users\Admin\AppData\Local\Temp\437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe
"C:\Users\Admin\AppData\Local\Temp\437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58Viewer.exe

Filesize
9.6MB

MD5
826d75465b21c30a75e2bcdeb8c8a9d3

SHA1
caee6266d9b387ffd14667b1525a360981b71250

SHA256
bf9b8c743057dd8c0dc42c37bd644eaf45b0df03909a7a9562f782ce903a3372

SHA512
13bed6614d97d77903834dbc5adf1e6814fd9f3b65078576342e3aa5cb8acc61e1f0e9aed34db53da9c6df7565cb9f82e74dcc3c352fb0ecae957729cdc1bebe

Download Submit
C:\Program Files (x86)\Common Files\System\de-DE\WAB32resMicrosoft10.0.19041.1.exe

Filesize
9.7MB

MD5
72eb240ffd1678f6b6eb7ec26c81e980

SHA1
a927117831ee2132025616e68ad182cd744d4b39

SHA256
437f64a5f0130273bbf72301e20b29ae2fc645f08e62860935d6860cd3fa1976

SHA512
e399f82f9d3f7bfe5663da0df23e140608c5283d98af6a10e3b72205083dbeb155d4e9f44e218603b99f6e55e5f6600eb16f037c4108414dc26805041f102d31

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\MicrosoftPlayReady.exe

Filesize
9.7MB

MD5
e05b437f5b33381999d83b03b22dc39b

SHA1
76640666bd8bf502634b177f45dbd6bf72ce1bdf

SHA256
17166fde5c630d9c243551b1f3434c44f81e0b84d391617f459a5e51cadd1b6b

SHA512
e050c23eeb2169eb6a2829a7c288c63f53beb85cfd908500f61b58873ebf80ef234cc85b2c59d8bc649c220bea31cd4dff12e1ca764c34c4ed928ea72c7021f8

Download Submit
C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.Resources\2.0.0.0_de_b03f5f7f11d50a3a\RCX5F7F.tmp

Filesize
9.7MB

MD5
646d6992d20a2bd6694eef7bdc23e4e0

SHA1
f32b0bec56cb3f941248730ce12a2b47219d586c

SHA256
24a6fcb3c7f452b92feaefe89ab537a12a4f111c316ca5f7bcd451633dbe1536

SHA512
7252593c934530719755dd31fa6ef46251700fdb4576d6df9352e4f829c547be1fa7ae70cf31ef82a025f54c5e10fe4ad31e07cb66f35d049fe3405cf782d342

Download Submit