a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1

Analysis

max time kernel
145s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 00:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
Size

1.1MB
MD5

ba3549ae8cdc1fae00a3577c13f051a7
SHA1

b7332a48c4d1b9c0070c505a2aab3b016e49d387
SHA256

a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1
SHA512

f6cd0e15110780c7d81837bda0883dc917a3817fcb9e3a4b4085a30d06e04f4fc01849ef008823c4404280a591cc907f0073e6cdecfece226f3084631c33fb5c
SSDEEP

12288:dwKfOVRo9yRYsIHLUh7Wk/LmF4O8b8ITDnlydqY:dxWVeyRYsIH8BTg4O8b8ITDnlykY

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftInstaller41 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe"	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\miniinstallerOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe"	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\migwiz\RCX7150.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\SysWOW64\ntdll.dll.dll	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\SysWOW64\migwiz\OperatingMicrosoft10.0.19041.450.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\ContractVisual.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXB0F5.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Operatingchromeelf.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXB984.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\filesDynamic.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAcrobat.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\wordpadMicrosoft.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Linkchromeelfdll.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXC0E9.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\ContractVisual.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXA654.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A1342620-C3E7-48E4-A8CA-2B9DD9AE1E3F}\miniinstallerGoogle.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A1342620-C3E7-48E4-A8CA-2B9DD9AE1E3F}\RCXAFBB.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\mpasdescmpasdesc4.18.1907.16384.160101.0800.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\VisualStudioStudio9.0.30729.7079.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\RCXB888.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dexploitationMicrosoft.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXB0F6.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Acrobat.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\filesDynamic.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\RCXA623.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Operatingchromeelf.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Linkchromeelfdll.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Google\Update\Install\{A1342620-C3E7-48E4-A8CA-2B9DD9AE1E3F}\miniinstallerGoogle.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFrameworkWindowsFormsIntegration.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXC82E.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXA643.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCXB906.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXC07A.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXC119.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..lperclass.resources_31bf3856ad364e35_10.0.19041.1_it-it_d625a751877c3fe9\Microsoftoperativo.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..s-sessionenvservice_31bf3856ad364e35_10.0.19041.1_none_94cf631187048f38\SessEnvWindows.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\x86_mscorlib_b77a5c561934e089_10.0.19041.1_none_889f22e0525b760e\mscorlibMicrosoft.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de-DE\ServiceModelInstallRCServiceModelEvents.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\da-DK\memdiagmemdiag.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Branding\Basebrd\de-DE\BASEBRDMicrosoft10.0.19041.1.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\Resources\es-ES\bootresSistema.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ntication.resources_31bf3856ad364e35_10.0.19041.1_de-de_b072f1de17d291d1\WindowsWindows.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\en-GB\bootmgrOperating.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_networking-mpssvc-wmi.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f840f484ae9930ae\MicrosoftSystem10.0.19041.1.160101.0800.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-qedit.resources_31bf3856ad364e35_10.0.19041.1_en-us_dce3eecbe8ab5848\MicrosoftOperating.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\RCXB8ED.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime\v4.0_10.0.0.0__b03f5f7f11d50a3a\VisualStudioStudio.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..y-library.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_706e9c57f86d38bd\credprovslegacyMicrosoft.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\EFI\sl-SI\MicrosoftOperacijski.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wwansvc.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0b679f36bac0ef8f\WwanSvcWindows.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..oundation.resources_31bf3856ad364e35_10.0.19041.1_de-de_9ba950d56c69ded2\ProtectedProtected.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\resourcesAccountManagement.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ibinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_39580c3d1f32c14d\iisfcgiiisfcgi.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-power-sysprep_31bf3856ad364e35_10.0.19041.1_none_1f41d6d2e78c4779\SystemOperating.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft.backgroun..r.management.module_31bf3856ad364e35_10.0.19041.1_none_8f3e2d4e3a3d61b3\OperatingWindows.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wlanpref.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4d3fce4b79c6d1d0\dexploitationSystme.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\RCX71CE.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\EFI\fr-CA\SystmeMicrosoft10.0.19041.1.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\de-DE\memdiagmemdiag.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0e2f6adb2cec6f62\MicrosoftSystme.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\v4.0_1.0.0.0_ja_31bf3856ad364e35\RCX71FE.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\RCX8C61.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Windows\RCX8CD0.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\EFI\hr-HR\Operacijskibootmgr.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\msil_system.data.resources_b77a5c561934e089_10.0.19041.1_it-it_b2d82e7d20a24f73\resourcesData.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Device.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\RCXB8CD.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\EFI\es-ES\operativobootmgr.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\EFI\sk-SK\Windowsbootmgr.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\tr-TR\bootmgrSistemi.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dusm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c004af9b4011400c\dexploitationdusmsvc.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ator-base.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f0806eef4f18158e\MicrosoftWindows.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\IME\IMETC\DICTS\OperatingWindows.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\EFI\fr-CA\bootmgrbootmgr.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ctl3d32_31bf3856ad364e35_10.0.19041.1_none_23fb58683b20b516\WindowsCTL3D32.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..count-profilenotify_31bf3856ad364e35_10.0.19041.423_none_7a6c51e331bfdd3b\MSAProfileNotificationHandlerSystem.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Windows\IME\es-ES\RCX468D.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\el-GR\memdiagssta.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\Resources\en-US\OperatingWindows10.0.19041.1.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\zh-TW\Windowsmemdiag.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\nb-NO\Windowsbootmgr.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.572_none_b322aa88d0148356\Windowsreagentc.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Device.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\Systemresources.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\sr-Latn-RS\Microsoftsistem10.0.19041.1.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\lt-LT\Operacinebootmgr.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..installer.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_71de136b5edf8321\Microsoftdexploitation.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime\v4.0_10.0.0.0__b03f5f7f11d50a3a\RCX1CE.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File opened for modification	C:\Windows\Branding\Basebrd\de-DE\RCXD0B1.tmp	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\MicrosoftWindows.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..tservices.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_f15c2f5815b5c92d\WindowsMicrosoft10.0.19041.1.160101.0800.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.19041.1_fr-ca_3be058ec071cdd84\MicrosoftSystme.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_windows-defender-branding.resources_31bf3856ad364e35_10.0.19041.1_es-es_6c09af6ca8e373a7\Windowsoperativo.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapcontrol.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5daaedf1bc02d0c2\SystemMicrosoft.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\EFI\ja-JP\Windowsbootmgr.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Globalization\ELS\SpellDictionaries\Microsoftmssp7enUS.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\Boot\PCAT\en-US\Operatingmemdiag.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_system.workflow.componentmodel.resources_31bf3856ad364e35_4.0.15805.0_ja-jp_3829830a079a4eec\WorkflowSystem4.8.4084.0481.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000426_31bf3856ad364e35_10.0.19041.1_none_a9bf527736894be5\SystemMicrosoft.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ettingshandlers-pen_31bf3856ad364e35_10.0.19041.746_none_b5db20c677eadbd4\OperatingSettingsHandlersPen10.0.19041.746.exe	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
3516	a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe

C:\Users\Admin\AppData\Local\Temp\a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe
"C:\Users\Admin\AppData\Local\Temp\a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Operatingchromeelf.exe

Filesize
955KB

MD5
bb59f828442042df34a580dfd7224d47

SHA1
9f9782649e7741bb44d17b622a07b80a565b1c28

SHA256
ce429365d9b539544c6babde91b34499151e4ec41cbc43458d2f78a87d807816

SHA512
de8f8f98284829591d96023ae7664f3971d1450d3c7c5197b3756c3dc87573d7569905ef79ecf95358f79d1a229cc25e7f4250d751532bda3200a6d63c1fbd93

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\filesDynamic.exe

Filesize
1.1MB

MD5
3e8d8755345ca0b95e23aca47335679c

SHA1
df0bf25cdf49d09081ac04ce5daf5db401d633a5

SHA256
90428af0e676b1385a8decb221cad925012001c1691c9d4ba1735f568dcf9584

SHA512
946b0b4912d27bdd696362ab7ebff2d62a770823d89410457955c2bc5edef1e8b55129db09755245f694fd2dd367d2a7143a7f43a491c8ee7dcbafd98ff99170

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\ContractVisual.exe

Filesize
1.1MB

MD5
ba3549ae8cdc1fae00a3577c13f051a7

SHA1
b7332a48c4d1b9c0070c505a2aab3b016e49d387

SHA256
a2ed9e5c6fa9699ac57de1196d6562c89a8297fb8545dffab3b926b5115cd7b1

SHA512
f6cd0e15110780c7d81837bda0883dc917a3817fcb9e3a4b4085a30d06e04f4fc01849ef008823c4404280a591cc907f0073e6cdecfece226f3084631c33fb5c

Download Submit
C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXA654.tmp

Filesize
1.1MB

MD5
28756188c2297db851d188ef3da887c7

SHA1
346fba1a333e1a155b52284ef662f6da8875c9ac

SHA256
e4aa3502c5b360d80ec3693615aac72597f55fd21908d153341698a652a50da0

SHA512
4996ba5039b7370c5baa447c3751c9e4928a61ae0fc4eb5720b0f0f03a0f0b4b42cd17cc59eb70826cbbeddd901ffa32b40f4847ded08d06e8b1e2dbf9ae4837

Download Submit