646c0854f6d90d2c71c3ae9a73d4ea5e40c9d82790e0c5429b448a0afaccee75

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a16ff17f73edf4b0ff82670f1b4f6a10N.exe
Size

9.7MB
MD5

a16ff17f73edf4b0ff82670f1b4f6a10
SHA1

009538052666905a36c2c12c7caa58e83887afe1
SHA256

646c0854f6d90d2c71c3ae9a73d4ea5e40c9d82790e0c5429b448a0afaccee75
SHA512

2435e43ba87c78c9e6466afab9516a7b92d87dd22ca1814bd3fd314c31cf80127e70902f27f13f2e56eb3dd6555f09a4017d32ee8806f1f3b6b61589d6be16a0
SSDEEP

196608:HGqnhgJuP3LAhCiVXOWvd6A1oMuWr45hrr2j:HS+LJYeJWGhrr2j

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a16ff17f73edf4b0ff82670f1b4f6a10N.exe"	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a16ff17f73edf4b0ff82670f1b4f6a10N.exe"	a16ff17f73edf4b0ff82670f1b4f6a10N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Com\fr-FR\RCXAECA.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\SysWOW64\Com\fr-FR\dexploitationSystme.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod19.8.20071.303822.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Common Files\System\MicrosoftWAB3210.0.19041.1.160101.0800.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\MicrosoftWAB3210.0.19041.1.160101.0800.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCXDFAC.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Componentschromeelf.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXE925.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\InternetA3DUtils19.10.20064.310990.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMAcrobat.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCXD131.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMAcrobat.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\Libraryprcr.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCXC0A2.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\RCXC8D2.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCXD21C.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AdobeAcrobat.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHostAdobe.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Componentschromeelf.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatNPPDF3219.10.20064.310990.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\SystemWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXEA5E.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\InternetA3DUtils19.10.20064.310990.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\RCXC99E.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Windows Mail\SystemWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\RCXBF1A.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\WindowsRTSCom.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCXDD59.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\Windowsmsdaorar.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\Internetiexplore.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\RCXC816.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\Systemoledb32r.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXBFE6.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqlxmlxSystem.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\RCXD2B9.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHostAdobe.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXE0E5.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCXE887.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat19.8.20071.303822.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXF1C2.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\Windowsmsdaorar.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-directshow-core_31bf3856ad364e35_10.0.19041.746_none_8ebe2cff8116324c\MicrosoftWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_system.servicemodel.discovery.resources_31bf3856ad364e35_4.0.15805.0_es-es_1c06b9f3ffaef9e0\Systemresources.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wpd-portabledevicesqm_31bf3856ad364e35_10.0.19041.1_none_08e68641864a4973\sqmapiWindows10.0.19041.1.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-acx-classextension_31bf3856ad364e35_10.0.19041.1_none_603af04756940675\OperatingSystem.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devices-usb-winrt_31bf3856ad364e35_10.0.19041.264_none_5ba1dfc4d3293c02\WindowsSystem.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ncdautosetup.resources_31bf3856ad364e35_10.0.19041.1_it-it_67401f247610a75c\NcdAutoSetupoperativo10.0.19041.1.160101.0800.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..-els-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_b2e0c950367705e7\OperatingMicrosoft10.0.19041.1.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-powercpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_e2d0e344473e4213\PowerCPLdexploitation.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fdc3d2d566f4e93d\dexploitationMicrosoft.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..os-filter.resources_31bf3856ad364e35_10.0.19041.1_es-es_0bbf6aa911b82c87\storqosfltstorqosflt10.0.19041.1.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5d0ec9e910feba4e\sqloledbWindows10.0.19041.1.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ig-registrar-wizard_31bf3856ad364e35_10.0.19041.1_none_f323c5809ebfa506\wcnwizWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_regbrowsers.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\resourcesresources4.8.4084.0.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.RunTime.Serialization.resources\v4.0_4.0.0.0_de_b77a5c561934e089\RCX41EA.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_reachframework.resources_31bf3856ad364e35_4.0.15805.0_it-it_723eda883fc96480\FrameworkReachFramework4.8.4084.0481.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..iders-msi.resources_31bf3856ad364e35_10.0.19041.1_en-us_4821b12cfcf638ae\MsiProviderMicrosoft.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..xperience.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9604296b5a82eb05\WebcamUiWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ieinstal.resources_31bf3856ad364e35_11.0.19041.1_it-it_706b403826ef5bbd\Internetieinstal.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-vmuidevices_31bf3856ad364e35_10.0.19041.928_none_5baff06b214ab1ff\OperatingVmUiDevices.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..hange-pin.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_63bb6136da609839\Microsoftbdechangepin.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Discovery.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\RCXAE4C.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fr-ca_ae0781067f78a70c\MicrosoftMDSystme.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\RCXF8F6.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\msil_multipoint-wmsusertab.resources_31bf3856ad364e35_10.0.19041.1_it-it_32ec12aee844780c\WmsUserTabWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-updatepolicy.resources_31bf3856ad364e35_10.0.19041.1_de-de_04abd13736425274\UpdateWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..omponents.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_1a234e1d533ecf9e\WindowsWIAACMGR10.0.19041.1.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..nts-netsh.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a3031cc98e75efd5\WindowsSystme.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..utomation.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_dff5cb598188a4dd\WIAAutSystem10.0.19041.1.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.19041.906_none_a6600355b5f69459\TelephonyInteractiveUserOperating.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..iles-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_b96d1f87797239e1\SistemaMicrosoft.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..deviceapi.resources_31bf3856ad364e35_10.0.19041.1_es-es_abc677dbb1826c2e\PortableDeviceApiWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_netfx4-peverify_dll_b03f5f7f11d50a3a_4.0.15805.0_none_38f11417b7a9886a\peverifypeverify4.8.4084.0.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-scripting.resources_31bf3856ad364e35_10.0.19041.1_it-it_cdc877bcc0fc1a9c\Runtimescrobj.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\RCXAF87.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\MicrosoftMicrosoft.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wwan-lpasvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f00372dc3ec1bd51\WindowsLpaSvc.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_netfx-system.web.regularexpressions_b03f5f7f11d50a3a_10.0.19041.1_none_6aa7ea703456f467\SystemRegularExpressions.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft.workflow.compiler.resources_31bf3856ad364e35_4.0.15805.0_de-de_b502bd100ad64b2b\WorkflowWorkflow.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_10.0.19041.1_de-de_82d656b6c3cfbcbd\WMPMediaSharingBetriebssystem.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\x86_wpf-presentationbuildtasks_31bf3856ad364e35_10.0.19041.1_none_a9dfb0de347b9d86\FrameworkMicrosoft3.0.6920.91416.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_system.drawing.resources_b03f5f7f11d50a3a_4.0.15805.0_de-de_174a679403fb524c\MicrosoftSystem.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\msil_system.servicemodel.install_b77a5c561934e089_10.0.19041.1_none_2c8ad249c7de225e\SystemInstall.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\MicrosoftDesign.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\MicrosoftMicrosoft.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_regasm.resources_b03f5f7f11d50a3a_4.0.15805.0_ja-jp_206daa38763fecfd\resourcesFramework4.8.4084.0.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_10.0.19041.1202_none_7bf2b0b78b0dd8da\Microsoftwmvcore.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fsavailux.resources_31bf3856ad364e35_10.0.19041.1_it-it_892895783b4943ee\SistemaMicrosoft.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_system.io.compression.filesystem_b77a5c561934e089_4.0.15805.0_none_5729c15a32434f75\FileSystemSystem.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-icm-base.resources_31bf3856ad364e35_10.0.19041.1_es-es_a1af1edd5f5fbbe8\WindowsMicrosoft.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1023_hu-hu_11a814b6853ad606\rendszertipresx.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..-unicode-components_31bf3856ad364e35_10.0.19041.1_none_ce8b94823117992e\icuinicuin.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmcodecdspps_31bf3856ad364e35_10.0.19041.1_none_995f983e954b9a5b\Microsoftwmcodecdspps.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\RCX40A0.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-w..nttoolapi.resources_31bf3856ad364e35_10.0.19041.1_en-us_496ffe7d0efcb1f1\SystemOperating.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_regbrowsers.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\RCXF7EB.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization.Design\v4.0_4.0.0.0__31bf3856ad364e35\RCXF974.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_windows-gaming-prev..esenumeration-winrt_31bf3856ad364e35_10.0.19041.746_none_2bbb54816cbc0b6a\previewwindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft.powershell.dsc.proxy.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_fd02813c9782ff3d\dscproxyWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..orkcenter.resources_31bf3856ad364e35_10.0.19041.1_it-it_f5c51e7a75745b60\operativoMicrosoft.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-netshell-mui.resources_31bf3856ad364e35_10.0.19041.1_de-de_5bf9b028eafa9db8\ncpaWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\Systmedexploitation10.0.19041.1.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\RCX412D.tmp	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ko-kr_7b2bff232d678514\OperatingWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
File created	C:\Windows\WinSxS\amd64_windows-media-speech-winrt.resources_31bf3856ad364e35_10.0.19041.789_el-gr_4188b851f3c79171\MicrosoftWindows.exe	a16ff17f73edf4b0ff82670f1b4f6a10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a16ff17f73edf4b0ff82670f1b4f6a10N.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a16ff17f73edf4b0ff82670f1b4f6a10N.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe
2992	a16ff17f73edf4b0ff82670f1b4f6a10N.exe

C:\Users\Admin\AppData\Local\Temp\a16ff17f73edf4b0ff82670f1b4f6a10N.exe
"C:\Users\Admin\AppData\Local\Temp\a16ff17f73edf4b0ff82670f1b4f6a10N.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMAcrobat.exe

Filesize
9.6MB

MD5
ee21d144f6fd58b4b719e7bd95731378

SHA1
0ceaadf36f36e62ffab285373b4209173b74c4ef

SHA256
63a09ca84d6e446fb2ae5ebd90d218f67bdc81e9ed010cce8ca6b70cc62f5828

SHA512
7e5c47fd639d6f873ab88acd874051225c1e30d079c3b737480652835c73c7c921b2570b86d0b05be9b3ab1294becf24de3306efcaeac71385b80a4f875acd2e

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\RCXC8D2.tmp

Filesize
9.7MB

MD5
a4a16d4de59ccc7c5cd7dcf3bde82140

SHA1
d08fc8424306bf50e2c6cfcc1192c76c7d14cf9f

SHA256
85c5d5246202790a992802fd4ba3bb13788847fe7118a15b12d317a522b925e5

SHA512
48bf4d7e9e13a85678d26ef91b5624c1de5514022ad48cf93f6b7df96ae80f489fa8f1784c8a26883b1acc2515725c91454e7523dde0000c9d9bc11a6814a355

Download Submit
C:\Program Files (x86)\Common Files\System\MicrosoftWAB3210.0.19041.1.160101.0800.exe

Filesize
9.6MB

MD5
31c76b46cc5925dcffddf51c97e134cc

SHA1
4113872f1c10d417b5f14679a4ffd5f93ba2b26e

SHA256
3dd85a6d7886e9aaf77505a9d6076feb6c3c701cda853bf039f78716d040c139

SHA512
fc6c3bcce87991507f31a330a6f3e0b43f2db487e3e062e9b73367a632a1910fdfdcff1585fa79cebcdae2946c5b3803cbda9589712e072a5a34534a8cdf9d99

Download Submit
C:\Program Files (x86)\Common Files\System\Ole DB\Windowsmsdaorar.exe

Filesize
9.7MB

MD5
a16ff17f73edf4b0ff82670f1b4f6a10

SHA1
009538052666905a36c2c12c7caa58e83887afe1

SHA256
646c0854f6d90d2c71c3ae9a73d4ea5e40c9d82790e0c5429b448a0afaccee75

SHA512
2435e43ba87c78c9e6466afab9516a7b92d87dd22ca1814bd3fd314c31cf80127e70902f27f13f2e56eb3dd6555f09a4017d32ee8806f1f3b6b61589d6be16a0

Download Submit
C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\MicrosoftDesign.exe

Filesize
9.7MB

MD5
7ca67d6cdf9362aa7a6bb00cbd741025

SHA1
8e957872f735148e5b98a9671b35771c113e6f63

SHA256
621393bbca01af2512e0ae3de5bfbdd8c17bcf31cf19fe337e8378bd63c20d57

SHA512
b3794e3f9d655b88f679e927216c550080b82532f356a80a60be842690d7a2e1017d18920249169ebff49a4e8602af19e864c07acc27e7aec26ec44f3bc19b2d

Download Submit