1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734

Analysis

max time kernel
118s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
Size

9.9MB
MD5

8b333d82d155fa98d1673371a7518a90
SHA1

f8fbf6b8cfa81226badd460b5758a974b63719dd
SHA256

1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734
SHA512

1a6c4dccad3852feed08cb7eaf10149889e2619450a0873e8e33b0e26134fd993bd10ec736d3496a62ebd420767273690a4443c721e1a2d0bc58154fe175acad
SSDEEP

196608:7HqnhgJuP3LAhCiVXCWeZLsA1oMuWr45hrr2P:US+LVReJWGhrr2P

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\miniinstallerOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe"	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftInstaller41 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe"	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\OfficeTools10.0.60828.0.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\RCXA8E8.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Common Files\System\ja-JP\OperatingMicrosoft.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\es-ES\RCX980C.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ja-JP\RCXA099.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXA9A5.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2Components.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libEGLlibEGL.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaremrmsadcer10.0.19041.1.160101.0800.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msaddsrmsadcer.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\de-DE\RCX9F8F.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\WindowsWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXBDCE.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX9720.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXBE5C.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXBECA.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\RCX96C2.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\Microsoftwordpad.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\RCXA156.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXC62E.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaremrmsadcer10.0.19041.1.160101.0800.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCXAA23.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PluginAdobe.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\RCXB4C3.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2Components.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAdobe.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderAdobeARM.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2DirectX.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2DirectX.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderAdobeARM.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeCreate.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15System.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMediaWindowsMedia19.10.20064.310990.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeCreate.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCXB541.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libEGLlibEGL.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\RCXB445.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..lowbroker.resources_31bf3856ad364e35_10.0.19041.1_es-es_af65e0ddc21d3139\DevicesFlowBrokerWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..8-payload.resources_31bf3856ad364e35_10.0.19041.1_es-es_8b47cc6d47a0c65d\operativodpnet10.0.19041.1.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_dual_chargearbitration.inf_31bf3856ad364e35_10.0.19041.1_none_d564cdfecfd2a164\MicrosoftWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pnpsysprep.resources_31bf3856ad364e35_10.0.19041.1_it-it_13b9914b9f8e664f\operativoMicrosoft.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AddInUtil.resources\v4.0_4.0.0.0_es_b77a5c561934e089\RCXDCF4.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.AppV.AppVClientWmi.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\AppVSistema.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\SistemaMicrosoft.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..soundservice-client_31bf3856ad364e35_10.0.19041.746_none_8fc04bf4d6b5f0c9\WindowsMicrosoft10.0.19041.746.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..repairbde.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d183d04ab4278a10\repairbdeWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ngc-credprov_31bf3856ad364e35_10.0.19041.84_none_84b35181aef4556b\ngccredprovngccredprov.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..pc-tabbtn.resources_31bf3856ad364e35_10.0.19041.1_en-us_751b79628dd6715f\OperatingTabBtn.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winnat_31bf3856ad364e35_10.0.19041.1_none_6c94dc683b994e68\winnatOperating.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\AddInUtil.resources\v4.0_4.0.0.0_es_b77a5c561934e089\Microsoftresources.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..win32-dll.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fc1a27c8abfb9e5a\Systmedexploitation.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-photoacquire.resources_31bf3856ad364e35_10.0.19041.1_de-de_931afdd7ff62db33\PhotoAcqWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Printing.Resources\3.0.0.0_ja_31bf3856ad364e35\resourcesresources.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_ru-ru_f212f1ebceb5ba45\WindowsMicrosoft.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..s-developer-library_31bf3856ad364e35_10.0.19041.264_none_da4721723d6d74ed\wpnappswpnapps.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\wow64_windows-id-connecte..provider-msauserext_31bf3856ad364e35_10.0.19041.1_none_9f3ec6f605fa2446\SystemMicrosoft.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msdt.resources_31bf3856ad364e35_10.0.19041.1_es-es_f01ae5dea51f1b01\Microsoftoperativo.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\msil_system.data.datasetextensions.resources_b77a5c561934e089_10.0.19041.1_fr-fr_df35d2df1c8e2a82\resourcesresources.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_10.0.19041.1_de-de_c24e7e323187595f\HTMLHilfeHTMLHilfe.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\e0d84dc25c6b76503171beec9d740dde\RCX50EB.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\RCX96C0.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-directx-xaudio2_9_31bf3856ad364e35_10.0.19041.1288_none_c59f8ee426ba6552\MicrosoftXAudio2910.0.19041.1288.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.1081_none_bdf809eb2dd695f9\MicrosoftWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-timedate.resources_31bf3856ad364e35_10.0.19041.1_it-it_66605a628b963f04\MicrosoftSistema.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_0c7ef3fec77b2536\Microsofthvhostsvc.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..nkobjcore.resources_31bf3856ad364e35_10.0.19041.1_es-es_0344e80f2b854024\WindowsInkObjCore.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bf2ff44896ca733c\dexploitationdexploitation.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..rm-libraries-minwin_31bf3856ad364e35_10.0.19041.546_none_7dac31b7cfcccde0\Systemiphlpapi.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appx-deployment-client_31bf3856ad364e35_10.0.19041.264_none_93c3704f3937c819\AppXDeploymentClientSystem.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_filter_dll_b03f5f7f11d50a3a_10.0.19041.1_none_4e8b91d5d4668c32\aspnetfilterFramework.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..structure.resources_31bf3856ad364e35_10.0.19041.1_en-us_54f08a4bd5da80bc\WindowsSystem10.0.19041.1.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-smbdirect.resources_31bf3856ad364e35_10.0.19041.1_it-it_0889d1c824b1484e\SistemaWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-cdosys_31bf3856ad364e35_10.0.19041.1_none_de8bb7f5f922a5d7\WindowsMicrosoft6.6.19041.1.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Printing.Resources\3.0.0.0_ja_31bf3856ad364e35\RCX4F64.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4980aca4fc783f0e\OperatingMicrosoft.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_product-onecore__mi..sport.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0f58db3d773cbd9d\WindowsBluetooth.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\OfficeMicrosoft15.0.4420.1017.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-c..orization.resources_31bf3856ad364e35_10.0.19041.1_en-us_3d44ed7e58abe78a\capauthzWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_ca5cfcc7e9163e4c\WindowsMLANG.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..reservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_35d594f1a1774b09\MicrosoftOperating10.0.19041.1.160101.0800.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cabview.resources_31bf3856ad364e35_10.0.19041.1_es-es_96cb5740729d1bf8\operativocabview.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cf32d5df5d5378d3\DeviceNgcCredProvWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmpnssui.resources_31bf3856ad364e35_10.0.19041.1_es-es_f2a565545fb4ddb1\SistemaWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\RCX979C.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35\RCX98E5.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-peerdist.resources_31bf3856ad364e35_10.0.19041.1_it-it_5db54213d20e313c\Sistemapeerdist.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dxptasks-sync_31bf3856ad364e35_10.0.19041.1_none_449b0b804cfe29a1\DxpTaskSyncSystem.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..fp-driver.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6bfbac38e66f3b16\Microsofthnswfpdriver10.0.19041.1.160101.0800.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.AppV.AppVClientWmi.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\RCXDDC1.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-msconfig-exe.resources_31bf3856ad364e35_10.0.19041.1_it-it_babc53cdbc10c9c6\Windowsoperativo.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_zh-cn_5c9967ffe53fc989\WindowsInstaller.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\RCX22E9.tmp	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\Commandsresources.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..trolpanel.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_87841c7d021087bc\SystemMicrosoft10.0.19041.1.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..tfmonitor.resources_31bf3856ad364e35_10.0.19041.1_en-us_d12e6430c5338a18\WindowsOperating.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-charmap.resources_31bf3856ad364e35_10.0.19041.1_it-it_342f756995b69168\charmapoperativo.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..dapplugin.resources_31bf3856ad364e35_10.0.19041.1151_en-us_ff0c0b80e0527b71\OperatingaadCloudAP10.0.19041.1151.160101.0800.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_b678ec2deb73b201\SystemWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-alg.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_396a72f568ec33c2\MicrosoftSystem.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\e0d84dc25c6b76503171beec9d740dde\WriteDiagProgressWindows.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel.services.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\servicesMicrosoft.exe	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
4980	1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe

C:\Users\Admin\AppData\Local\Temp\1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe
"C:\Users\Admin\AppData\Local\Temp\1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734N.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libGLESv2DirectX.exe

Filesize
9.9MB

MD5
68aba3c21778d167ef7e07f61a3bd6b9

SHA1
d9a3bcb4c6fd18f732bcd22acad3679f7c017b7d

SHA256
7951a84d1ffe4921aeaee5f1a69dfdbcc695931a280ce079d79891b2a48ef187

SHA512
e31fc75e05b4e38c3faabf3ad676d27d9051aaa16b6b7ee701e23d8cd84e55d49614ffc85e525f1fe67e5f92354e936f413ad75c6036e19b03242bc36c5cc9e6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeCreate.exe

Filesize
10.0MB

MD5
74beae54b75d0dfb8f884d2c5f745820

SHA1
2b693829092bf49eca3a1495a56788df83598c3a

SHA256
e6e460ce1a0f8a2817e3991b4d5f1a12514feae5eb4866e89669902057ece410

SHA512
737ade4262b15fdd1ed28a87a76ad1366954adcf8669b3e4d96a4218c811ab4491bcf80ef355d378122fc1c1be1134d2d1f26147cd59172db79a5d8038288ed7

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ReaderAdobeARM.exe

Filesize
10.3MB

MD5
02c1213606231e4c2b11ee4bbe456e14

SHA1
72f8a3a196dbca244b51f225014fdd847eb839eb

SHA256
36318dffde8bd748fe8e6c991a2e6a8724a0c32f66d8c705b1685f4d4935e1e5

SHA512
a1791e531fef6b4ec73fb36c206923c209ba807c998fab8e240534870bdd61ee01b94ce17d2d51e8bff1dd937ce117b0492ce242759b1946a7baca8758a1bc97

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\RCXA156.tmp

Filesize
9.9MB

MD5
79728cc63ec3adfeed801a9bf5a087f2

SHA1
585066e3cfc7aaec68995e3d7e8024327d8f7a9d

SHA256
034ff046dbe6af36b91bb5ecfdce8dd8e3c4e96e03097ba8fad2f16d41be5a0d

SHA512
8c7a1153de20cce5d6b5468853b88dda2c69b5b7c06dd95e23eeb39a6e5d1e91ab0cda4880ba05afde1684e756c61fd169e671ac09d72d6cb4824be8aa4d20bc

Download Submit
C:\Program Files (x86)\Common Files\System\ado\de-DE\RCX9F8F.tmp

Filesize
9.9MB

MD5
86c2cba4ca42640bf96ee575b7ecb619

SHA1
e9fc9b21c04e93c3ff0beeb1411b748b8a480cc0

SHA256
bf0520087204728677c007de9bc1c85e5049e7349a85b373f4e309a4fc146317

SHA512
cfe8170e2a20adb69ad56e9dd38bbeff845df47598861f66431406c22b95c62cb643d41ffc022aa680fc2da7ec1161a3b63b65c72b04a403b0b1b11b1764d520

Download Submit
C:\Program Files (x86)\Common Files\System\msadc\de-DE\msdaremrmsadcer10.0.19041.1.160101.0800.exe

Filesize
9.9MB

MD5
8b333d82d155fa98d1673371a7518a90

SHA1
f8fbf6b8cfa81226badd460b5758a974b63719dd

SHA256
1e05962fe6a8dd015a0abd46e896fe9b86f6d7ae68eca0412cf033b4d539e734

SHA512
1a6c4dccad3852feed08cb7eaf10149889e2619450a0873e8e33b0e26134fd993bd10ec736d3496a62ebd420767273690a4443c721e1a2d0bc58154fe175acad

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\e0d84dc25c6b76503171beec9d740dde\WriteDiagProgressWindows.exe

Filesize
9.9MB

MD5
63bace3a41ad43581ed10f63018a04eb

SHA1
e12800eac2b41e894512c848aada36cd69b0eed3

SHA256
d9ca39f53ae3bec3760f81369dd85aec2b9eef5a95aac83a65daf90aa008f77b

SHA512
7b0c7f5fa51d233c06b6a915c74b22438c5557f89e1b5fe4970f0a69e854a6382073513a47e28414b558d02e5b8d30553786bbe0dc6123f17c1ef487171d121a

Download Submit