e04977f7d1fbf8b3a69237bbd2170af6c3046a8ce29e2732cd7c72f079f0e0f8

General

Target

871ae1394889d6e1d9532c47d922091e.exe
Size

736KB
MD5

871ae1394889d6e1d9532c47d922091e
SHA1

ade45b1d4c1cca9b47e859f242b28b06431a3e9f
SHA256

e04977f7d1fbf8b3a69237bbd2170af6c3046a8ce29e2732cd7c72f079f0e0f8
SHA512

ed80414336dad96b558a9dcca9f0271bf48ef0bf343c74be9c3a88094f94b8faf507dc36f4bf5ba515d6fb024c0ab5f21e5a3994f57ecd43639b9e268562a2d9

Score

6^/10

evasion spyware trojan

Malware Config

Signatures

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

871ae1394889d6e1d9532c47d922091e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	871ae1394889d6e1d9532c47d922091e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	871ae1394889d6e1d9532c47d922091e.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

871ae1394889d6e1d9532c47d922091e.exe

description	pid	process	target process
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe
PID 1584 wrote to memory of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

871ae1394889d6e1d9532c47d922091e.exe

description pid process target process

PID 1584 set thread context of 1596 1584 871ae1394889d6e1d9532c47d922091e.exe 871ae1394889d6e1d9532c47d922091e.exe

description	pid	process	target process
PID 1584 set thread context of 1596	1584	871ae1394889d6e1d9532c47d922091e.exe	871ae1394889d6e1d9532c47d922091e.exe

C:\Users\Admin\AppData\Local\Temp\871ae1394889d6e1d9532c47d922091e.exe
"C:\Users\Admin\AppData\Local\Temp\871ae1394889d6e1d9532c47d922091e.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1584

C:\Users\Admin\AppData\Local\Temp\871ae1394889d6e1d9532c47d922091e.exe
"{path}"
2⤵
- Modifies system certificate store
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1596-1-0x000000000043F5F5-mapping.dmp

Download
memory/1596-2-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing