d1210147dbb868f8c36b61398d4acd11a68de2e44ba5a43bcb771db2ace18e3c

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a002570b8a79e74c0cbe9532395a62e0N.exe
Size

9.6MB
MD5

a002570b8a79e74c0cbe9532395a62e0
SHA1

ce7982587be07b05d94ebeb911fcaead387933bc
SHA256

d1210147dbb868f8c36b61398d4acd11a68de2e44ba5a43bcb771db2ace18e3c
SHA512

a34b3c1dbcd8f681e1d505302cb744a0fd03fd46cb5ac6f3f8cfb6bea1296d6ec72dcabbfb832ad08ad4475616f38a162240f14ab81016226d8addb8c18411ef
SSDEEP

196608:45qnhgJuP3LAhCiVXOWvs6A1oMuWr45hrr2l:1S+LJBeJWGhrr2l

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2276	visualvstoloader.exe
2040	operativooperativo.exe
444	msoeurooffice.exe
1560	microsofthelp.exe

Loads dropped DLL 16 IoCs

pid	Process
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
2276	visualvstoloader.exe
2276	visualvstoloader.exe
2276	visualvstoloader.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
2040	operativooperativo.exe
2040	operativooperativo.exe
2040	operativooperativo.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
444	msoeurooffice.exe
444	msoeurooffice.exe
444	msoeurooffice.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1560	microsofthelp.exe
1560	microsofthelp.exe
1560	microsofthelp.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\osppcOffice = "c:\\program files (x86)\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcextosppcext.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\EngineSource = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a002570b8a79e74c0cbe9532395a62e0N.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSSync.exe\" /DelayServices"	a002570b8a79e74c0cbe9532395a62e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HXDSUIMicrosoft = "c:\\program files (x86)\\common files\\microsoft shared\\help\\1049\\microsofthelp.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\VSTOLoaderMicrosoft = "c:\\program files (x86)\\common files\\microsoft shared\\vsto\\10.0\\visualvstoloader.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeOffice = "c:\\program files (x86)\\common files\\microsoft shared\\euro\\msoeurooffice.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EngineOffice = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a002570b8a79e74c0cbe9532395a62e0N.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftSYNCHRONIZATION = "c:\\program files (x86)\\microsoft sync framework\\v1.0\\runtime\\x86\\feedsyncmicrosoft1.0.1504.0.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\Windowsoperativo = "c:\\program files (x86)\\common files\\system\\es-es\\operativooperativo.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	visualvstoloader.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	operativooperativo.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	msoeurooffice.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	microsofthelp.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\RCX97AD.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\MicrosoftHelp.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\RCXAED9.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\FEEDSYNCMicrosoft1.0.1504.0.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX98F7.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\operativooperativo.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\osppcextosppcext.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VisualVSTOLoader.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VisualVSTOLoader.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\RCXAE8A.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\EngineMicrosoft2.00.4319.00.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\MsoEuroOffice.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\RCXAFF3.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\RCX9889.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msoeurooffice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsofthelp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a002570b8a79e74c0cbe9532395a62e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	visualvstoloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	operativooperativo.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a002570b8a79e74c0cbe9532395a62e0N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	visualvstoloader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	microsofthelp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a002570b8a79e74c0cbe9532395a62e0N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	operativooperativo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	operativooperativo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	microsofthelp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a002570b8a79e74c0cbe9532395a62e0N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	operativooperativo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msoeurooffice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	visualvstoloader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msoeurooffice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	msoeurooffice.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	microsofthelp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	visualvstoloader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
2276	visualvstoloader.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
2040	operativooperativo.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
444	msoeurooffice.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1560	microsofthelp.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe
1700	a002570b8a79e74c0cbe9532395a62e0N.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2276	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	31
PID 1700 wrote to memory of 2276	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	31
PID 1700 wrote to memory of 2276	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	31
PID 1700 wrote to memory of 2276	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	31
PID 1700 wrote to memory of 2276	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	31
PID 1700 wrote to memory of 2276	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	31
PID 1700 wrote to memory of 2276	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	31
PID 1700 wrote to memory of 2040	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	32
PID 1700 wrote to memory of 2040	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	32
PID 1700 wrote to memory of 2040	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	32
PID 1700 wrote to memory of 2040	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	32
PID 1700 wrote to memory of 2040	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	32
PID 1700 wrote to memory of 2040	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	32
PID 1700 wrote to memory of 2040	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	32
PID 1700 wrote to memory of 444	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	34
PID 1700 wrote to memory of 444	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	34
PID 1700 wrote to memory of 444	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	34
PID 1700 wrote to memory of 444	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	34
PID 1700 wrote to memory of 444	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	34
PID 1700 wrote to memory of 444	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	34
PID 1700 wrote to memory of 444	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	34
PID 1700 wrote to memory of 1560	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	35
PID 1700 wrote to memory of 1560	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	35
PID 1700 wrote to memory of 1560	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	35
PID 1700 wrote to memory of 1560	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	35
PID 1700 wrote to memory of 1560	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	35
PID 1700 wrote to memory of 1560	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	35
PID 1700 wrote to memory of 1560	1700	a002570b8a79e74c0cbe9532395a62e0N.exe	35

C:\Users\Admin\AppData\Local\Temp\a002570b8a79e74c0cbe9532395a62e0N.exe
"C:\Users\Admin\AppData\Local\Temp\a002570b8a79e74c0cbe9532395a62e0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- \??\c:\program files (x86)\common files\microsoft shared\vsto\10.0\visualvstoloader.exe
  "c:\program files (x86)\common files\microsoft shared\vsto\10.0\visualvstoloader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- \??\c:\program files (x86)\common files\system\es-es\operativooperativo.exe
  "c:\program files (x86)\common files\system\es-es\operativooperativo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- \??\c:\program files (x86)\common files\microsoft shared\euro\msoeurooffice.exe
  "c:\program files (x86)\common files\microsoft shared\euro\msoeurooffice.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:444
- \??\c:\program files (x86)\common files\microsoft shared\help\1049\microsofthelp.exe
  "c:\program files (x86)\common files\microsoft shared\help\1049\microsofthelp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\es-ES\RCXAE8A.tmp

Filesize
9.6MB

MD5
f046037cdce96532f7091b608f619906

SHA1
36deb5f00a2ce37406ed405068bf8647c60c7f4a

SHA256
ba332b69c983e7a5d767d16620b8cb34bdd011296e22d55160f80b855ba934ad

SHA512
468b8afc175e07aec4d7e1ce6c959977c073f49e6f72e323e46891e0f4d9202df0e54f60316383071e690df79a285ac8eb1eac274a5ea03ee7e5f220e829a757

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VisualVSTOLoader.exe

Filesize
9.6MB

MD5
a002570b8a79e74c0cbe9532395a62e0

SHA1
ce7982587be07b05d94ebeb911fcaead387933bc

SHA256
d1210147dbb868f8c36b61398d4acd11a68de2e44ba5a43bcb771db2ace18e3c

SHA512
a34b3c1dbcd8f681e1d505302cb744a0fd03fd46cb5ac6f3f8cfb6bea1296d6ec72dcabbfb832ad08ad4475616f38a162240f14ab81016226d8addb8c18411ef

Download Submit