d1210147dbb868f8c36b61398d4acd11a68de2e44ba5a43bcb771db2ace18e3c

Analysis

max time kernel
116s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 07:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a002570b8a79e74c0cbe9532395a62e0N.exe
Size

9.6MB
MD5

a002570b8a79e74c0cbe9532395a62e0
SHA1

ce7982587be07b05d94ebeb911fcaead387933bc
SHA256

d1210147dbb868f8c36b61398d4acd11a68de2e44ba5a43bcb771db2ace18e3c
SHA512

a34b3c1dbcd8f681e1d505302cb744a0fd03fd46cb5ac6f3f8cfb6bea1296d6ec72dcabbfb832ad08ad4475616f38a162240f14ab81016226d8addb8c18411ef
SSDEEP

196608:45qnhgJuP3LAhCiVXOWvs6A1oMuWr45hrr2l:1S+LJBeJWGhrr2l

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a002570b8a79e74c0cbe9532395a62e0N.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a002570b8a79e74c0cbe9532395a62e0N.exe"	a002570b8a79e74c0cbe9532395a62e0N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\SysWOW64\lv-LV\WindowsOperetajsistema.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\SysWOW64\lv-LV\RCX3B6E.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\RCXA030.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\MSDIA90Studio.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX95CC.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeCreate.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX9E2A.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\FlashMCIMPP.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\VisualStudioTools.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RCX8D2E.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCXA978.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXB34E.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderAdobe.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX9F73.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\RCX8C91.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\RCX9688.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCXA9F6.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXAB9D.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAdobe.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\RCX94D1.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeCreate.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccmebaseEULA.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccmebaseEULA.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXB449.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\AdobeAdobe15.0.0.0.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\pluginprcr.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderAdobe.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\RCX8BE4.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\SystemRTSCom.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\NPPDF32Acrobat.exe	a002570b8a79e74c0cbe9532395a62e0N.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-eapteapext.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_07e28e91d8485e96\EapTeapExtWindows.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_bg-bg_88616845ca1cafcb\comctl32comctl32.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..-hologramcompositor_31bf3856ad364e35_10.0.19041.746_none_d4ac604bb087a5b5\MicrosoftWindows.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\ImmersiveControlPanel\uk-UA\WindowsMicrosoft.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\PresentationUIresources.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\de\RCXC9C9.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\v4.0_10.0.19041.1__31bf3856ad364e35\RCXCBDD.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_dual_msgpiowin32.inf_31bf3856ad364e35_10.0.19041.1_none_2df672b8ffbbd907\Systemmsgpiowin32.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasmontr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_04a3362ba8b89c1c\WindowsSystem.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..orenderer.resources_31bf3856ad364e35_10.0.19041.1_de-de_b6fa3406e4aadfd7\MicrosoftBetriebssystem.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.19041.1_none_5b35da44a9e83608\MicrosoftWindows.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\RCX8096.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-credwiz.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f4c60ac9202dd698\OperatingWindows.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activation.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\resourcesServiceModel.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationProvider.Resources\3.0.0.0_it_31bf3856ad364e35\resourcesUIAutomationProvider.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationProvider.Resources\3.0.0.0_it_31bf3856ad364e35\RCX3949.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wof-tasks.resources_31bf3856ad364e35_10.0.19041.1_de-de_7a760f5384acc4e0\BetriebssystemMicrosoft.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\OperatingMicrosoft.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_system.servicemodel_b77a5c561934e089_4.0.15805.110_none_f7bba5c230d509e2\ServiceModelSystem.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..mentation.resources_31bf3856ad364e35_10.0.19041.1_it-it_30a6149bcd05b406\StartLayoutPopulationEventsWindows.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activation.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\RCX8329.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\v4.0_10.0.19041.1__31bf3856ad364e35\WindowsAzRoles.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\de\RCX101B.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\RCX1089.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-vmserial.resources_31bf3856ad364e35_10.0.19041.1_it-it_ca57e3cd83a04896\VmSerialoperativo10.0.19041.1.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..structure.resources_31bf3856ad364e35_10.0.19041.1_de-de_fb3a7bfd402987eb\WindowsMicrosoft.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\3.0.0.0_es_b03f5f7f11d50a3a\RCX3AF0.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..utilities.resources_31bf3856ad364e35_10.0.19041.1_es-es_41f87be3fd9703fa\WindowsWindows.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..-core-tsp.resources_31bf3856ad364e35_10.0.19041.1_es-es_241c4d92a97109f1\SistemaUNIMDM.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\Microsoft.NET\Framework\OperatingMicrosoft.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-playtostatusprovider_31bf3856ad364e35_10.0.19041.746_none_6cbb6863e18c601f\PlayToStatusProviderWindows.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\Sistemaoperativo.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting.resources\v4.0_4.0.0.0_es_b77a5c561934e089\Systemresources.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCX1126.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..datamodel.resources_31bf3856ad364e35_10.0.19041.1_en-us_513319e50086b3c5\MessagingDataModel2System.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smbserver-apis_31bf3856ad364e35_10.0.19041.1_none_8618dfed22edf4fa\SMBWMIV2Windows.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob.Resources\v4.0_3.0.0.0_it_31bf3856ad364e35\RCX81EF.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\Branding\Basebrd\en-US\OperatingWindows.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\de\MicrosoftPrinting.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershell.security.resources_31bf3856ad364e35_10.0.19041.1_de-de_f22c4fba0328c426\resourcesSecurity.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_10.0.19041.1_en-us_86cec2673098cffa\OperatingMicrosoft10.0.19041.1.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Resources\3.0.0.0_es_b03f5f7f11d50a3a\microsoftresources3.0.4506.9135.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmvdecod.resources_31bf3856ad364e35_10.0.19041.1_en-us_1ce339dc526b6641\Windowswmvdecod10.0.19041.1.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\RoutingServiceModel.exe	a002570b8a79e74c0cbe9532395a62e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting.resources\v4.0_4.0.0.0_es_b77a5c561934e089\RCXC93B.tmp	a002570b8a79e74c0cbe9532395a62e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a002570b8a79e74c0cbe9532395a62e0N.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a002570b8a79e74c0cbe9532395a62e0N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a002570b8a79e74c0cbe9532395a62e0N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a002570b8a79e74c0cbe9532395a62e0N.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe
4884	a002570b8a79e74c0cbe9532395a62e0N.exe

C:\Users\Admin\AppData\Local\Temp\a002570b8a79e74c0cbe9532395a62e0N.exe
"C:\Users\Admin\AppData\Local\Temp\a002570b8a79e74c0cbe9532395a62e0N.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeCreate.exe

Filesize
9.6MB

MD5
a08e34b6373cf8cf1df0c885198f7661

SHA1
c053177434826412c3eb2e78423730718f77685a

SHA256
7fc09ce38912f111ac8f1497ec17c0f4c7f8ce06c8e5eede2522416e0c21704c

SHA512
71462f62d6aa9f3125646986ccc4e7fbb8cccddace8fb065eb128aa119b0fb035853dc47664ad0a85463d89e7c0048b9946a5d2c63301e8b59f3f9a7a125a8d7

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe

Filesize
9.6MB

MD5
a002570b8a79e74c0cbe9532395a62e0

SHA1
ce7982587be07b05d94ebeb911fcaead387933bc

SHA256
d1210147dbb868f8c36b61398d4acd11a68de2e44ba5a43bcb771db2ace18e3c

SHA512
a34b3c1dbcd8f681e1d505302cb744a0fd03fd46cb5ac6f3f8cfb6bea1296d6ec72dcabbfb832ad08ad4475616f38a162240f14ab81016226d8addb8c18411ef

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VC\RCX9688.tmp

Filesize
9.6MB

MD5
7e46e52735d173eee76638bd50e579b5

SHA1
a9fdeb827ab67e612545b0c71d6b25c9c30ae5e1

SHA256
402680fd18ea554a3d97f2c217e3476bfa32c14a6e29b836657bf6dd5eeac3ca

SHA512
ea224fc54c894dd174442229dbe30a4d834fd5a928c8136975e567e17a5c679e4aece059ce3bb28bbec02841fe3c17fc8dc82eb66b61da8f23d92abf0bfb30a5

Download Submit
C:\Windows\assembly\GAC_MSIL\UIAutomationProvider.Resources\3.0.0.0_it_31bf3856ad364e35\RCX3949.tmp

Filesize
9.6MB

MD5
b23020244857e8663b252d9639d5151d

SHA1
d4840995a780e84f64248d51d1b6d37987dd3a9b

SHA256
f8e0b6930e3feca1907ebda49c4d7d2836f6034750c91b57619f8af709051310

SHA512
6968d8515d6266ff57956cbe9c6e4039b6736e279c083870c7cd6be86e22e0e9185706b079957aa0d4d5831b23219a415272fe36b41393fabbbc06aa3376446e

Download Submit