Analysis
max time kernel: 116s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-09-2024 21:24
Static task: static1
Behavioral task: behavioral1
  Sample: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe
  Resource: win10v2004-20240802-en
General
Target: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe
Size: 9.7MB
MD5: 3b1cd5d4161fb80b4d89cc267a65c6d0
SHA1: 07d3a65e89cc922ae3b2fa7e74c27c80677f7296
SHA256: 49066be6efe8eb7be603f476422e41d4ee041791b81b49aa7d836c5a4df20e88
SHA512: f93108a654b3f1baead06be043f685866d234fafa5f2ab3b9460f309a4afbfabcba1339b8f3ffa4095004a16412c3214ff7b6219315cf422b01f0af2a21e2743
SSDEEP: 196608:rNqnhgJuP3LAhCiVXOWvd6A1oMuWr45hrr2u:KS+LJYeJWGhrr2u
Malware Config
Signatures
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\miniinstallerOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3b1cd5d4161fb80b4d89cc267a65c6d0N.exe" (process: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftInstaller41 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3b1cd5d4161fb80b4d89cc267a65c6d0N.exe" (process: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 3 IoCs
File created: C:\Windows\SysWOW64\ntdll.dll.dll (process: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe)
File created: C:\Windows\System32\DriverStore\FileRepository\wgencounter.inf_amd64_f496147578cad554\vmgencountervmgencounter.exe (process: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe)
File created: C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_2be0e52237040d42\MicrosoftSystem.exe (process: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe)
Drops file in Program Files directory 37 IoCs
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe)
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid 2096, Process 3b1cd5d4161fb80b4d89cc267a65c6d0N.exe (all 60 entries name this same process and PID)
Processes
C:\Users\Admin\AppData\Local\Temp\3b1cd5d4161fb80b4d89cc267a65c6d0N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3b1cd5d4161fb80b4d89cc267a65c6d0N.exe"
PID: 2096
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads