e1c0734cc667ac700ba1e95da2185caa19d002b775507638208ba1dc4a7f5f99

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b4267806c13daa2299e2f53d3758af0N.exe
Size

9.6MB
MD5

4b4267806c13daa2299e2f53d3758af0
SHA1

a4ff8e1151507498c739b610630df1492863173c
SHA256

e1c0734cc667ac700ba1e95da2185caa19d002b775507638208ba1dc4a7f5f99
SHA512

f49e46d13ad0a753e5667b302dbcbda3e6d98e0d4e5c76e84016df5bf442d7f18f6346570f5b1a9a09049aa2686a3c52c2eefd7ad610d3ea4cca0116c1923ccd
SSDEEP

196608:I3qnhgJuP3LAhCiVXOWv06A1oMuWr45hrr2s:nS+LJ9eJWGhrr2s

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4b4267806c13daa2299e2f53d3758af0N.exe"	4b4267806c13daa2299e2f53d3758af0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4b4267806c13daa2299e2f53d3758af0N.exe"	4b4267806c13daa2299e2f53d3758af0N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\System32\DriverStore\FileRepository\sisraid2.inf_amd64_845e008c32615283\sisraid2sisraid22.60.01.0709261510.exe	4b4267806c13daa2299e2f53d3758af0N.exe

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\TabTip32TipRes.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXB5C0.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatAdobe19.10.20064.310990.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\EulaBIBUtils19.10.20064.310990.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\WindowsWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Edgepwahelper.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Common Files\System\de-DE\BetriebssystemMicrosoft10.0.19041.1.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\RCXA167.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXB4D5.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqlxmlxOperating.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHostCreate.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2Embedded.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXBD92.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHostCreate.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXC5E1.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogSessionUnicode.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod19.8.20071.303822.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\RCX8D9A.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClientMicrosoft.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCX8E66.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Modulechromeelfdll.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCXABF9.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2Embedded.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\Modulechromeelfdll.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\EulaBIBUtils19.10.20064.310990.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCX96F3.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\RCX9FB1.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCXAA33.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcrLibrary.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXBE30.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\Edgepwahelper.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Firefoxmaintenanceserviceinstaller.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX9781.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXACF4.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\ToolsMicrosoft10.0.60828.0.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\MicrosoftTools.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\RCXA1E5.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogSessionUnicode.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\WindowsWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\RCX8F22.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Firefoxmaintenanceserviceinstaller.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\RCX97EF.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCXB62F.tmp	4b4267806c13daa2299e2f53d3758af0N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_10.0.19041.1202_none_0607b555ed95f3ce\resutilsclusapi.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..erclasses.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2205590a9799629\paraClase.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..kprovider.resources_31bf3856ad364e35_10.0.19041.1_en-us_895e48f27a8d10f0\OperatingWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\Boot\EFI\sr-Latn-RS\bootmgrWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\msil_system.data.entity.design.resources_b77a5c561934e089_10.0.19041.1_it-it_7d0e92e6d91a3aef\MicrosoftSystem.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\Boot\PCAT\pt-BR\MicrosoftWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..playcolormanagement_31bf3856ad364e35_10.0.19041.1266_none_3a2c41db7861d24d\MicrosoftSystem.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..-credprov.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_75ddf9d005b47d52\Microsoftmgmtrefreshcredprov.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\0410\mscorsecrmscorsecr.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..workspace.resources_31bf3856ad364e35_10.0.19041.1_es-es_c6a7fe7030c40507\Sistemaoperativo.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_memory.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ab2aaf66f38aef7\pnpmemSystem.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..providers.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4976a16577c5e48\WindowsWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft.csharp.resources_b03f5f7f11d50a3a_4.0.15805.0_es-es_9223236000c0833a\FrameworkCSharp.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ier-winrt.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9aa9d6f291812d33\SystemCredentials.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..-agilevpn.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_040c728e3e0654aa\Systemagilevpn.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-n..orkcenter.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_9d782eba0dc55e15\MicrosoftWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..efetching.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0773a7c19dccc486\BackgroundTransferSystem.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ntication.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8834100dc3f69cf6\WindowsNaturalAuth10.0.19041.1.160101.0800.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft.activities.build.resources_31bf3856ad364e35_4.0.15805.0_ja-jp_f42fbb0793b1f303\resourcesMicrosoft.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\RCX5EA8.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\msil_presentationbuildtasks.resources_31bf3856ad364e35_10.0.19041.1_it-it_2eaab097040c32d1\PresentationBuildTasksresources.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..txvideoacceleration_31bf3856ad364e35_10.0.19041.1_none_2c1a6a6415f1388e\MicrosoftWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation.Resources\3.5.0.0_es_b77a5c561934e089\RCX605E.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_en-us_0a5757e82570bdab\Operatingngccredprov.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_netfx4-wpfgfx_b03f5f7f11d50a3a_4.0.15805.0_none_35654e7a21d4486d\Microsoftwpfgfxv0400.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-setspn_31bf3856ad364e35_10.0.19041.1_none_35f6aeed7d8158f9\WindowsSystem.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..xperience.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_09b6b4179035f3ac\dexploitationMicrosoft.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\RCXA9FD.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..component.resources_31bf3856ad364e35_10.0.19041.1_it-it_c4172dde232f5774\Microsoftoperativo.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\msil_miguicontrols.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4dea197d089f0ad1\SystemMicrosoft.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-scripting.resources_31bf3856ad364e35_10.0.19041.1_es-es_40e90b76f6f81ebc\ScriptWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1041\RCX3CAE.tmp	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\msil_hyperv-ux-ui-vmcreate.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6547187042ef031a\resourcesresources.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_windows-application..ardserver.resources_31bf3856ad364e35_10.0.19041.1_de-de_7a55618e3e5c0ccd\ClipboardServerClipboard10.0.19041.1.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\Boot\EFI\zh-TW\Systembootmgr.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..lientcore.resources_31bf3856ad364e35_10.0.19041.1_de-de_baa6fe43e9e91c2b\nfsrdrMicrosoft.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\buildaspnetcompiler.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..n_service_migplugin_31bf3856ad364e35_10.0.19041.1_none_143f9ccce9aaa533\WindowsWindows10.0.19041.1.160101.0800.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..s-svchost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a9bcd14039d031f2\Windowsdexploitation10.0.19041.1.160101.0800.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-search_31bf3856ad364e35_10.0.19041.1_none_ab0246b6c25f7d5c\SearchWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..ionmodel-lockscreen_31bf3856ad364e35_10.0.19041.746_none_a1846c5cfa5f5331\windowsapplicationmodel.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pantherengine_31bf3856ad364e35_10.0.19041.546_none_8c0ab69104a6024b\MicrosoftSystem10.0.19041.546.160101.0800.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..veryagent.resources_31bf3856ad364e35_10.0.19041.1_de-de_bf2eea434d33ed5d\reagentWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-sbresources.resources_31bf3856ad364e35_10.0.19041.1_it-it_32466b377d8002f3\sbresourcesoperativo10.0.19041.1.160101.0800.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..i-ntprint.resources_31bf3856ad364e35_10.0.19041.1_en-us_28eefee5555bc47c\PRINTUISystem.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-l..ockhostingframework_31bf3856ad364e35_10.0.19041.1_none_1c249da153e74a09\WindowsMicrosoft.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\msil_system_b77a5c561934e089_10.0.19041.1_none_9b78698aecf8304b\MicrosoftSystem2.0.50727.91496.0507279100.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..y-biometrics-client_31bf3856ad364e35_10.0.19041.1_none_725e78755886a3f4\winbiowinbio10.0.19041.1.160101.0800.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\Boot\PCAT\lv-LV\OperetajsistemaWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\es\resourcesresources.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shimgvw.resources_31bf3856ad364e35_10.0.19041.1_es-es_6b92bea7a87ba808\ShImgVwMicrosoft.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands\v4.0_10.0.0.0__31bf3856ad364e35\WindowsWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_regiis_exe_b03f5f7f11d50a3a_10.0.19041.1_none_d31059e0b2fa6d47\aspnetregiisaspnetregiis.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ui-biofeedback-library_31bf3856ad364e35_10.0.19041.264_none_dfea510d9e8c28b8\MicrosoftWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00011009_31bf3856ad364e35_10.0.19041.1_none_4e238886284afa06\Windowskbdcan.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..elmanifests-drivers_31bf3856ad364e35_10.0.19041.1_none_df67f692a7402ab0\BthMigPluginOperating.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-netshell-mui.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_39485f8b3c5499b7\ncpanetshell.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-upnpcontrolpoint_31bf3856ad364e35_10.0.19041.1081_none_a7ad541de5e002e2\SystemWindows.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..in-appmgr.resources_31bf3856ad364e35_10.0.19041.1_de-de_f8e0640599498757\Windowsappmgr10.0.19041.1.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-w..extension.resources_31bf3856ad364e35_10.0.19041.1_de-de_1e0ccacdc2f76922\audiodevaudiodevices10.0.19041.1.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_3534f660eaacc181\Microsofttcpmonui.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shmig.resources_31bf3856ad364e35_10.0.19041.1_it-it_c27859167109b5e5\Windowsoperativo.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_fr-ca_b3b3ee7c2d11f9ce\MicrosoftMDWindowsMD.exe	4b4267806c13daa2299e2f53d3758af0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..lprovider.resources_31bf3856ad364e35_10.0.19041.1_en-us_b2aac2063f02bbf3\WindowsOperating.exe	4b4267806c13daa2299e2f53d3758af0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b4267806c13daa2299e2f53d3758af0N.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4b4267806c13daa2299e2f53d3758af0N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4b4267806c13daa2299e2f53d3758af0N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4b4267806c13daa2299e2f53d3758af0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe
5036	4b4267806c13daa2299e2f53d3758af0N.exe

C:\Users\Admin\AppData\Local\Temp\4b4267806c13daa2299e2f53d3758af0N.exe
"C:\Users\Admin\AppData\Local\Temp\4b4267806c13daa2299e2f53d3758af0N.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatAdobe19.10.20064.310990.exe

Filesize
9.6MB

MD5
873d0b5679896937ec707e198a08f305

SHA1
a7e93a0ee332b3958f32fd529cfeaac1bb57a908

SHA256
5e942ff3bd1a0cbe34b1016ffe266c432df22c8065f6f3e1bd18183400dc0719

SHA512
b1cbbced2849cd9b6462995ca1345625203330272ff0fc4af96b974065e1eebe65edf34e99fcf849b6c1e0550c2ff7a3317cfb9e28957526c1632d8889cb212b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogSessionUnicode.exe

Filesize
10.2MB

MD5
da0e0d38097110993140d96c6a6cfc83

SHA1
52a5300bfb956875cf74b4ab4b494b74ecf4c6c0

SHA256
fd05e983b63f622952695fbca61773f5f2fbb7417e332a6816ed9c6ee21645a0

SHA512
a320bf6aa63c1d04e816e157e12f14b7646b3a8f3e6474677523df93740150d7bbd48b110fc38071fb42b48117bfeb6b7d125c60efe17242cb69bc49794b2595

Download Submit
C:\Program Files (x86)\Common Files\System\de-DE\RCX97EF.tmp

Filesize
9.6MB

MD5
ed677aa5c26a840d663ef17e89a39dd7

SHA1
46fe54054d24da488b3d9c191b3e930e7fb9e590

SHA256
a256b8426082df3039422fbaf2560ca6dd9c862d855ed92b47d6fa9c917f9bc8

SHA512
5d18e57eef541e9b7d125ffcada6396f1becc4dba714e9151deffbf3db4f25ead96515a14bf2b8dec365260082ba49f13f130b6ed55bf7c604252e180e48e47b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\Firefoxmaintenanceserviceinstaller.exe

Filesize
9.6MB

MD5
5df379471a4273bf987657716684b6d2

SHA1
1009cb13f16dbb8d173094321203aee54065c6af

SHA256
290320cbb69c927cd09cd86b918f6dba687de86056bbf64a77164923abb1f504

SHA512
5e8d43e59801bf48eb1e5e6ea795e8f6380ebf35ccf26f3126a5d8d7538d363a07179e98e6c22e4a1bfda2eb6c4a7c18abfb17e03265415f66c6bab1dbca3adf

Download Submit
C:\Program Files (x86)\Windows Media Player\uk-UA\WindowsWindows.exe

Filesize
9.6MB

MD5
4b4267806c13daa2299e2f53d3758af0

SHA1
a4ff8e1151507498c739b610630df1492863173c

SHA256
e1c0734cc667ac700ba1e95da2185caa19d002b775507638208ba1dc4a7f5f99

SHA512
f49e46d13ad0a753e5667b302dbcbda3e6d98e0d4e5c76e84016df5bf442d7f18f6346570f5b1a9a09049aa2686a3c52c2eefd7ad610d3ea4cca0116c1923ccd

Download Submit