af7b758f0e5c287a1bde21af1f77cf3d88f9a020093014c887cad63bd050e6d6

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

152b8e1dd2051e56320b4ed579431c80N.exe
Size

842KB
MD5

152b8e1dd2051e56320b4ed579431c80
SHA1

e78cca156d4ecbed1595a7894b50f14c5e7217a2
SHA256

af7b758f0e5c287a1bde21af1f77cf3d88f9a020093014c887cad63bd050e6d6
SHA512

5e06981e5caa318a3d839a029a5548ca583b46e46b72d4b783ba5196b6b41ba9006d178c40da4e3e0de7c1696aa6d0552d84288052727d408aabb19b95087b39
SSDEEP

6144:HwynAtMrOVRkidy9yIGWlUiA2uIJ4O8b8ITDnlznZLZAKzD:HwKfOVRo9yRY/F4O8b8ITDnlLJ

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\152b8e1dd2051e56320b4ed579431c80N.exe"	152b8e1dd2051e56320b4ed579431c80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\152b8e1dd2051e56320b4ed579431c80N.exe"	152b8e1dd2051e56320b4ed579431c80N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\SysWOW64\IME\IMETC\applets\WindowsWindows.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\applets\WindowsWindows.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC\applets\RCX4B6D.tmp	152b8e1dd2051e56320b4ed579431c80N.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrprcr.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\WindowsMicrosoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler47widevinecdmadapterdll.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXBC1B.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VisualVSTOInstaller.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\RCX9A9F.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\UpdateUpdate1.3.147.37.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccmebaseUnicode.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCXAC77.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AcrobatAdobe19.8.20071.303822.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VisualVSTOInstaller.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\RCX91F0.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXABBB.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\RCX9182.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdasqlroledb32r.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCX927E.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15Operating10.0.19041.1.160101.0800.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlrInternational.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AcrobatAiod.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateresjaUpdate.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\UpdateUpdate1.3.147.37.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\RCXA282.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCX9A3F.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffiltMicrosoft10.0.19041.746.160101.0800.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler47widevinecdmadapterdll.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXB4F6.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\WindowsMicrosoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlrInternational.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCXA242.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccmebaseUnicode.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AdobeAcrobat.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXB469.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\AcrobatAdobe.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\RCXA212.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Adobe.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCXAA91.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXB448.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateresjaUpdate.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\de-DE\RCX9A5F.tmp	152b8e1dd2051e56320b4ed579431c80N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Mobile.Resources\2.0.0.0_de_b03f5f7f11d50a3a\RCX4B0E.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_10.0.19041.1_es-es_2b928993b2d4ba27\WMPMediaSharingMicrosoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing\v4.0_4.0.0.0__31bf3856ad364e35\MicrosoftSystem.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..minkernel.resources_31bf3856ad364e35_10.0.19041.1_es-es_1f49b21079ed7a4c\operativoPRFLBMSG.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..evicecontexthandler_31bf3856ad364e35_10.0.19041.746_none_7b704a7a9117bb32\OperatingSystem.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..age-codec.resources_31bf3856ad364e35_10.0.19041.1_it-it_f21c1c3798c7a462\operativoSistema.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wsp-spaces.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f340d7e3afb3d9d9\mispaceMicrosoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rastls.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1d6388d9202b362\operativorastlsext.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\msil_microsoft.identitymodel.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0af096e1667cec63\resourcesOperating.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\wow64_windows-application..-appcontracts-winrt_31bf3856ad364e35_10.0.19041.264_none_7354e59d10f99b71\WindowsAppContracts.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-com-oleui.resources_31bf3856ad364e35_10.0.19041.1_es-es_7dcbd4597f82011f\operativoSistema.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Engine.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\RCX91D1.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\v4.0_1.0.0.0_it_31bf3856ad364e35\RCXD63D.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mystify.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a65ce7b5790928f2\WindowsMystify.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\SystemInteropServices.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smss.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_c92b8e1dbbd88268\Systemsmss.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deliveryoptimization_31bf3856ad364e35_10.0.19041.1266_none_3f1ff4ad7c364440\dosvcSystem.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-whhelper.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9ab5e83a17eb0db2\dexploitationWindows.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..cy-script.resources_31bf3856ad364e35_10.0.19041.1_en-us_fa11856d5bd077ce\gpscriptgpscript10.0.19041.1.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\msil_aspnet_regbrowsers.resources_b03f5f7f11d50a3a_10.0.19041.1_it-it_7ed62adb0d6db7ad\Microsoftresources.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..tenanceservice-core_31bf3856ad364e35_10.0.19041.264_none_ade98eac7418f063\Microsoftsysmain.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\8335c7a6cac9c2a3a77da9f4a1817282\RuntimeSerialization.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\RCXD6AD.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\RCX1DA9.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ngconsole.resources_31bf3856ad364e35_10.0.19041.1_en-us_32442ece44ba6f89\SystemWindows.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\RCX91B0.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\FrameworkWindows4.8.4084.0.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-cryptdll-dll_31bf3856ad364e35_10.0.19041.1_none_c5e43dbc8183b99b\Microsoftcryptdll.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmssharinghost_31bf3856ad364e35_10.0.19041.746_none_e07862e65010e3f9\SystemWmsSharingHost.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-usbperf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_be7bea4a7d4e268f\OperatingWindows.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..-workflow.resources_31bf3856ad364e35_10.0.19041.1_de-de_dc6641619417bed6\WorkflowServiceWindows.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.928_none_e22c6ae2239eceef\Operatingvmdebug10.0.19041.928.160101.0800.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-v..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_en-us_46347513859a912e\VideoDiagPackageOperating10.0.19041.1.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..trolpanel.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9d1ac9e3fca12ddd\WindowsHGCPL.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-timeout_31bf3856ad364e35_10.0.19041.1_none_42557a4465a237c8\SystemOperating.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..rant-heap.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f05217ee3539cfed\SystemMicrosoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\OperatingSecureBoot.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tunnel_31bf3856ad364e35_10.0.19041.1_none_595b16922411e0f5\WindowsOperating.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wwanhc_31bf3856ad364e35_10.0.19041.1_none_279b0751a66c5def\Systemwwanhc.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ngerprintcredential_31bf3856ad364e35_10.0.19041.1_none_5bdf664cece3f85a\fingerprintcredentialOperating10.0.19041.1.160101.0800.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\v4.0_1.0.0.0_it_31bf3856ad364e35\resourcesWindows10.0.19041.1.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\SystemPowerShell.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\SystemPowerShell.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\msil_microsoft.virtualiz..t.wizards.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_39be396c9d8cc55c\WindowsOperating.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smbserver-apis_31bf3856ad364e35_10.0.19041.1_none_8618dfed22edf4fa\OperatingMicrosoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cng_31bf3856ad364e35_10.0.19041.264_none_86ccc606b9fe4762\OperatingSystem.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ie-sysprep_31bf3856ad364e35_11.0.19041.1_none_0574a22cc433ea85\ExplorerInternet.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\RCXD66D.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\es-ES\PresentationHostv0400Microsoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\msil_microsoft.certifica..t.cmdlets.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4ebc34901ba66d19\dexploitationresources10.0.19041.1.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ice-winrt.resources_31bf3856ad364e35_10.0.19041.1_de-de_e5f7db65ea946710\WindowsPointOfService.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ngconsole.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6114770502006ee9\WerConCplWerConCpl.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-msftedit.resources_31bf3856ad364e35_10.0.19041.1_en-us_9b25e9f14e177c4f\SystemMicrosoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_system.servicemodel.nettcp_b03f5f7f11d50a3a_4.0.15805.0_none_cd76da28594e9258\MicrosoftFramework.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\msil_system.directoryser..anagement.resources_b77a5c561934e089_10.0.19041.1_ja-jp_37ad1bb2f3207eda\SystemSystem.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-dns-clientsnapin_31bf3856ad364e35_10.0.19041.1_none_3a9647649982dce0\SystemWindows.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing\v4.0_4.0.0.0__31bf3856ad364e35\RCX91A0.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1041\RCX1DFA.tmp	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_10.0.19041.1_none_43eac9c1ac59d1f0\SystemMicrosoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wwanui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_684fae063cdf7d44\Windowswwanpref.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\msil_microsoft.iis.power...provider.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7580566b51d839c3\resourcesSystem.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_netfx4-presentationhostdllmui_b03f5f7f11d50a3a_4.0.15805.110_none_1aad94ce6cb2232c\PresentationHostv0400Microsoft.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..s-appexecutionalias_31bf3856ad364e35_10.0.19041.1_none_b841615fec58c508\SystemOperating.exe	152b8e1dd2051e56320b4ed579431c80N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-shmig_31bf3856ad364e35_10.0.19041.1_none_1fe431714add4546\SystemWindows10.0.19041.1.160101.0800.exe	152b8e1dd2051e56320b4ed579431c80N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	152b8e1dd2051e56320b4ed579431c80N.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	152b8e1dd2051e56320b4ed579431c80N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	152b8e1dd2051e56320b4ed579431c80N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	152b8e1dd2051e56320b4ed579431c80N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe
3496	152b8e1dd2051e56320b4ed579431c80N.exe

C:\Users\Admin\AppData\Local\Temp\152b8e1dd2051e56320b4ed579431c80N.exe
"C:\Users\Admin\AppData\Local\Temp\152b8e1dd2051e56320b4ed579431c80N.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Adobe.exe

Filesize
844KB

MD5
5e305cdbc72023f1b5c3b37b350c143d

SHA1
7c21d44599f14737fbc9527e6573634a8343f5e9

SHA256
cb33bef54a3c2366a9418da12b860c0ccfd484bc6ae85492f04e1e3d175c5263

SHA512
803e0741774b46c0c16fa8101271f6c63241d0d0a8a869e2d059ebd7b19a1c954d52eb83007b54f8637dd71cac336ab45f44fc2c56de7599e1b316e89243d282

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlrInternational.exe

Filesize
843KB

MD5
4e2383b93514bf7395ac002869d16f6d

SHA1
8f2951f2bcb55b1be07c903347d2e3c880db3a67

SHA256
34c58eee7322f72dc320be06c861ca69299e402b04363ce282c02955f6a30429

SHA512
56c75929e5e51c00c25296d42ae6381fca2bdca0b7d48d4a6d11b4a6e20d09ea593fc16b697378653f9ebea7fcf4eaacea613f5820144a52ca2e4053d6c7cd4c

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VisualVSTOInstaller.exe

Filesize
842KB

MD5
152b8e1dd2051e56320b4ed579431c80

SHA1
e78cca156d4ecbed1595a7894b50f14c5e7217a2

SHA256
af7b758f0e5c287a1bde21af1f77cf3d88f9a020093014c887cad63bd050e6d6

SHA512
5e06981e5caa318a3d839a029a5548ca583b46e46b72d4b783ba5196b6b41ba9006d178c40da4e3e0de7c1696aa6d0552d84288052727d408aabb19b95087b39

Download Submit
C:\Program Files (x86)\Common Files\System\ado\de-DE\RCX9A5F.tmp

Filesize
844KB

MD5
2b654152621a325b335a550edeb02653

SHA1
48f5714aa5f921eb2cb60d6820c6b484a122b61d

SHA256
1cf61c41e4c896b1cfbc5ed3f34279a51797a9e43edb53c21f70f4204ff6e224

SHA512
def5d91fc392f8da7e15ed1de09cfe93f7c82a626a047ea435c43a6e89a2ae479258d71761868f6e185fabe65ad551c3dddc69b38da67b7c815f6e50f0301648

Download Submit
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\SystemPowerShell.exe

Filesize
875KB

MD5
75d6f59690910ed8c81bf8dd1398976a

SHA1
8cce3b2f6ff317cbf29ad65b20063512fe922c0a

SHA256
6693adeb536017200fdd795db1a2399c343d9f58054d62047f20278453970a73

SHA512
12f242dea7688189453a5d2713c56fb043cb6ce6d0fc82ab13e92898bf467df5a025ceca04eacbebb93ad2a985d0c919e5536bd1814e37ab0909165785fd3049

Download Submit
C:\Windows\SysWOW64\IME\IMETC\applets\WindowsWindows.exe

Filesize
850KB

MD5
20aa40bb546d1f25f617ee034d309d09

SHA1
13b35907963177747ec95021d095a68919c530b7

SHA256
1b7ed14602cfcb3613fc9afa4a4a2eda9048851e235f60790c229cf06f24279e

SHA512
5267ad52b874d90d38258904cae12166383c9c1c5d7316d303f7fdbd2d20a689b1de59a3147c553aa7b304a22d9f1b1556b249ed5831efd243b6bc8f2d57d18d

Download Submit