Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 16:39
- Static task: static1
- Behavioral task: behavioral1 (Sample d0c9878c32fc02a36c685276fbfe79d7.exe, Resource win7v20201028, windows7_x64, 0 signatures, 0 seconds)
General
- Target: d0c9878c32fc02a36c685276fbfe79d7.exe
- Size: 6.1MB
- MD5: d0c9878c32fc02a36c685276fbfe79d7
- SHA1: 4dc84a1060cc3b2d0bcbe2e57b8c00bfde5ec66d
- SHA256: 9cc27fbbdaf96f5ae4f649ad24e5e05b6c657801bcc0380f78f231b3c32b54a0
- SHA512: c826f09c867d98d929b2d3bab6f3e7d9ac8e979b611d200f5fbfc5ba58c1c5ce5c5c6fa5a18e2b1135799a50d9cd48dfd695c8347bcbe9513181ba0ca21ca4a7
Malware Config
Signatures
- XMRig Miner Payload (2 IoCs)
  Processes:
  resource  yara_rule
  behavioral2/memory/648-2-0x0000000000400000-0x00000000010B6000-memory.dmp  xmrig
  behavioral2/memory/648-3-0x0000000000400000-0x00000000010B6000-memory.dmp  xmrig
  Both hits are on dumps of the same 12.7MB region of pid 648 (0x400000-0x10B6000, starting at the classic non-ASLR image base), taken in the task reported here (behavioral2).
- Processes:
  yara_rule: upx (matched repeatedly; the resource column is not listed)
  A upx match alongside xmrig hits that are all on memory dumps is the usual picture of a packed miner: the file on disk is UPX-compressed and the XMRig code only becomes visible once it has unpacked itself in memory.
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
  description  ioc  process
  File created  C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini  d0c9878c32fc02a36c685276fbfe79d7.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops autorun.inf file (1 TTPs)
  Malware can abuse Windows Autorun to spread further via attached volumes. No file path is listed for this signature. Windows 7 and later ignore autorun.inf on removable drives other than optical media, so this mainly matters for legacy hosts; it is still worth looking for on any volume the infected host could write to.
- Drops file in Program Files directory (877 IoCs; 64 listed)
  Processes:
  description  ioc  process
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyrun.jar  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\ar.txt  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\System\msadc\msdfmap.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\instrument.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\default_apps\youtube.crx  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\zipfs.jar  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\7-Zip\7z.sfx  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\EnableClear.wmv  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\en-US.pak  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\mn.txt  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages.properties  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\ro.pak  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_it.properties  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\swiftshader\libEGL.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\jsoundds.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\db\bin\dblook.bat  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\et.txt  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\System\msadc\adcvbs.inc  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_hu.jar  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\fontmanager.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\ml.pak  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Internet Explorer\IEShims.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\include\jni.h  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\de.txt  d0c9878c32fc02a36c685276fbfe79d7.exe
  File created  C:\Program Files\Internet Explorer\iediagcmd.exe  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\an.txt  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\7-Zip\Lang\sl.txt  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\jdwp.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2iexp.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\charsets.jar  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\7-Zip\History.txt  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\he.pak  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\86.0.4240.111\eventlog_provider.dll  d0c9878c32fc02a36c685276fbfe79d7.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.h  d0c9878c32fc02a36c685276fbfe79d7.exe
  This goes well beyond what a miner needs: the process requests write access to executables and DLLs belonging to Java, 7-Zip, Chrome, Office Click-to-Run and Internet Explorer, and creates new .dll and .exe files under those directories. "File opened for modification" records an open with write access, not that bytes were written, so the touched binaries should be hashed against a clean install before calling this a file infection.
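As an added example (not part of the report and not the sample's code), a small Python parser for the "description, path, process" rows of this section, run over ten of the rows above, that breaks the activity down by action and by product directory and lists the executable and DLL targets, which are the files worth hashing against a known-good install. The CODE_EXT set and the product grouping are my own choices; the ten embedded rows are copied from the list above.

```python
import ntpath
import re
from collections import Counter

# Ten of the 64 rows listed above, in the report's own
# "<description> <path> <process>" layout (constructed subset for the demo).
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyrun.jar d0c9878c32fc02a36c685276fbfe79d7.exe
File opened for modification C:\Program Files\7-Zip\Lang\ar.txt d0c9878c32fc02a36c685276fbfe79d7.exe
File created C:\Program Files\Common Files\System\msadc\msdfmap.dll d0c9878c32fc02a36c685276fbfe79d7.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe d0c9878c32fc02a36c685276fbfe79d7.exe
File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\default_apps\youtube.crx d0c9878c32fc02a36c685276fbfe79d7.exe
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui d0c9878c32fc02a36c685276fbfe79d7.exe
File opened for modification C:\Program Files\7-Zip\7z.exe d0c9878c32fc02a36c685276fbfe79d7.exe
File created C:\Program Files\Internet Explorer\IEShims.dll d0c9878c32fc02a36c685276fbfe79d7.exe
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe d0c9878c32fc02a36c685276fbfe79d7.exe
File created C:\Program Files\Internet Explorer\iediagcmd.exe d0c9878c32fc02a36c685276fbfe79d7.exe
"""

# Paths contain spaces, so anchor on the fixed description prefix and on the
# trailing process image name (the process column never contains spaces).
ROW_RE = re.compile(r"^(File opened for modification|File created) (.+) (\S+)$")

# Extensions a miner has no business writing to (assumed list).
CODE_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}

PROGRAM_FILES = "C:\\Program Files\\"


def parse_rows(text):
    """Turn the flattened report rows into dicts; reject anything unexpected."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unrecognised row: " + line)
        action, path, proc = m.groups()
        rows.append({"action": action, "path": path, "process": proc})
    return rows


def product_of(path):
    """First directory below C:\\Program Files\\ (e.g. 'Java'), or None."""
    if not path.lower().startswith(PROGRAM_FILES.lower()):
        return None
    return path[len(PROGRAM_FILES):].split("\\", 1)[0]


def summarize(rows):
    """Counts by action and by product, plus the code files that were touched."""
    by_action = Counter(r["action"] for r in rows)
    by_product = Counter(product_of(r["path"]) for r in rows)
    code_files = sorted(
        r["path"] for r in rows
        if ntpath.splitext(r["path"])[1].lower() in CODE_EXT
    )
    return {
        "total": len(rows),
        "by_action": by_action,
        "by_product": by_product,
        "code_files": code_files,
    }


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    print(s["total"], dict(s["by_action"]), dict(s["by_product"]))
    for p in s["code_files"]:
        print("code file touched:", p)
```

Run the same thing over the full export from the sandbox rather than the 64 rows shown; the xmrig rule explains the CPU load, but a miner has no reason to open javaw.exe or 7z.exe for write access, so the code_files list is what to diff against known-good copies.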
- Program crash (1 IoCs)
  Processes:
  pid  pid_target  process  target process
  2416  648  WerFault.exe  d0c9878c32fc02a36c685276fbfe79d7.exe
  The crashing process is pid 648, the same process whose memory dumps matched the xmrig rule and which adjusted its token privileges below.
- Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
  Processes:
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.KonVeTKqKR.com"  d0c9878c32fc02a36c685276fbfe79d7.exe
  The host name looks like a generated label rather than a real site; treat it as an indicator for this sample and check DNS and proxy logs for it rather than assuming it resolves.
- Modifies system certificate store
  Both keys sit under AuthRoot, the cache that Windows' automatic root update fills when a certificate chain needs a root that is not yet present on the machine, and both thumbprints belong to public roots: the friendly-name fields inside the blobs decode to "DST Root CA X3" (DAC9024F...) and "Sectigo (AAA)" (D1EB23A4..., subject "AAA Certificate Services", "Comodo CA Limited"). This is the footprint of an outbound TLS connection made by the process, not of a rogue root being trusted; a root planted by malware would normally land under ...\SystemCertificates\ROOT\Certificates and would not carry a public thumbprint.
  Processes:
  description  ioc  process
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <data elided>  d0c9878c32fc02a36c685276fbfe79d7.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <data elided>  d0c9878c32fc02a36c685276fbfe79d7.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <data elided>  d0c9878c32fc02a36c685276fbfe79d7.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  d0c9878c32fc02a36c685276fbfe79d7.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob =
040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca9
1eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510  d0c9878c32fc02a36c685276fbfe79d7.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = <data elided>  d0c9878c32fc02a36c685276fbfe79d7.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  d0c9878c32fc02a36c685276fbfe79d7.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob =
0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc9020301
0001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e d0c9878c32fc02a36c685276fbfe79d7.exe -
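An added example, not from the report: a parser for the serialized certificate-element layout the Blob values above use (a run of prop_id / reserved / length / data records, with the DER certificate under property 32 and its SHA-1 under property 3), used to confirm that a Blob under AuthRoot really is the public root its key name claims. The property ids are from wincrypt.h; KNOWN_PUBLIC_ROOTS holds the two thumbprints and the friendly names taken from the blobs above; SAMPLE_DER is placeholder bytes, not a real certificate, and build_cert_blob exists only to construct test data in the same layout.

```python
import hashlib
import struct

# Property ids of the records seen in the Blob values above (wincrypt.h).
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32

# Thumbprints from the two registry keys above, with the friendly names their
# own blobs carry; anything else under AuthRoot or ROOT deserves a closer look.
KNOWN_PUBLIC_ROOTS = {
    "dac9024f54d8f6df94935fb1732638ca6ad77c13": "DST Root CA X3",
    "d1eb23a46d17d68fd92564c2f1f1601764d8e349": "Sectigo (AAA)",
}


def parse_cert_blob(blob):
    """Walk the serialized element: repeated
    <DWORD prop_id><DWORD reserved=1><DWORD length><length bytes of data>."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError("unexpected reserved value %d" % reserved)
        if off + length > len(blob):
            raise ValueError("property %d runs past the end of the blob" % prop_id)
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def blob_from_report_hex(text):
    """The report prints the value as one hex string, possibly wrapped over lines."""
    return bytes.fromhex("".join(text.split()))


def check_blob(key_thumbprint, blob):
    """Cross-check the embedded DER against the key name and the stored hashes."""
    props = parse_cert_blob(blob)
    der = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(der).hexdigest()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    return {
        "thumbprint": sha1,
        "matches_key_name": sha1 == key_thumbprint.lower(),
        "stored_sha1_ok": props.get(CERT_SHA1_HASH_PROP_ID) == bytes.fromhex(sha1),
        "stored_md5_ok": props.get(CERT_MD5_HASH_PROP_ID) == hashlib.md5(der).digest(),
        "friendly_name": name,
        "known_public_root": KNOWN_PUBLIC_ROOTS.get(sha1),
        "der": der,
    }


def is_well_formed(blob):
    """True when the blob parses cleanly and carries a certificate."""
    try:
        return CERT_CERT_PROP_ID in parse_cert_blob(blob)
    except ValueError:
        return False


# Constructed test data: placeholder bytes stand in for a DER certificate.
def build_cert_blob(der, friendly_name):
    def prop(pid, data):
        return struct.pack("<III", pid, 1, len(data)) + data
    return (prop(CERT_MD5_HASH_PROP_ID, hashlib.md5(der).digest())
            + prop(CERT_FRIENDLY_NAME_PROP_ID, (friendly_name + "\0").encode("utf-16-le"))
            + prop(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + prop(CERT_CERT_PROP_ID, der))


SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))  # not a real certificate
SAMPLE_BLOB = build_cert_blob(SAMPLE_DER, "Example Root")
SAMPLE_THUMBPRINT = hashlib.sha1(SAMPLE_DER).hexdigest().upper()  # as a key name would show it


def demo():
    return check_blob(SAMPLE_THUMBPRINT, SAMPLE_BLOB)


if __name__ == "__main__":
    r = demo()
    print(r["friendly_name"], r["thumbprint"], r["matches_key_name"], r["stored_sha1_ok"])
```

Paste the hex from the report into blob_from_report_hex, pass the thumbprint from the key name to check_blob, and compare the decoded DER (openssl x509 -inform der) with the published root. A key name that does not match the SHA-1 of the embedded certificate, or a thumbprint that is not a public root, is what would turn this signature from noise into a finding.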
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description  pid  process
  Token: SeLockMemoryPrivilege  648  d0c9878c32fc02a36c685276fbfe79d7.exe
  Token: SeLockMemoryPrivilege  648  d0c9878c32fc02a36c685276fbfe79d7.exe
  SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables to back its working set with large pages, so this fits the xmrig matches on the same pid. Ordinary user software almost never enables it; a process started from a user temp directory doing so is a usable detection, with database engines configured for locked pages as the main legitimate exception.
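An added detection sketch, not from the report: Security event 4703 ("A token right was adjusted", written when the Audit Token Right Adjusted subcategory is enabled) carries EnabledPrivilegeList and ProcessName, so the SeLockMemoryPrivilege enable recorded above is visible in host logs. The event records below are constructed to mirror the report (pid 648 = 0x288, the sample's path) plus constructed noise; ALLOWLIST and the user-writable path pattern are assumptions to tune per environment.

```python
import re

# Constructed Security-log records for event 4703, reduced to the fields the
# check needs. The first two mirror the report (pid 0x288 = 648 enabling
# SeLockMemoryPrivilege twice); the rest are constructed noise and one
# legitimate large-page user. Not captured from a real host.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\d0c9878c32fc02a36c685276fbfe79d7.exe"
EVENTS = [
    {"EventID": 4703, "ProcessId": "0x288", "ProcessName": SAMPLE_PATH,
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessId": "0x288", "ProcessName": SAMPLE_PATH,
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessId": "0x3e4", "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeIncreaseQuotaPrivilege",
     "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessId": "0x9c0",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "ProcessId": "0x1a4", "ProcessName": r"C:\Windows\System32\lsass.exe",
     "EnabledPrivilegeList": "-", "DisabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4688, "ProcessId": "0x288", "ProcessName": SAMPLE_PATH},
]

# Images that legitimately lock pages in memory (assumed; extend per estate).
ALLOWLIST = {"sqlservr.exe"}

# Launch locations that make the enable much more suspicious (assumed pattern).
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)


def privileges(field):
    """The list fields separate names with CR/LF/tabs in the event XML;
    a lone '-' means the list is empty."""
    return {p for p in re.split(r"[\s,]+", field or "") if p and p != "-"}


def lock_memory_enablers(events, allowlist=ALLOWLIST):
    """Return one hit per (pid, image) that enabled SeLockMemoryPrivilege,
    skipping allowlisted images and grading by launch location."""
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        if "SeLockMemoryPrivilege" not in privileges(ev.get("EnabledPrivilegeList")):
            continue
        image = ev["ProcessName"]
        if image.rsplit("\\", 1)[-1].lower() in allowlist:
            continue
        pid = int(ev["ProcessId"], 16)          # 4703 logs the pid in hex
        key = (pid, image)
        if key not in hits:
            hits[key] = {"pid": pid, "image": image, "count": 0,
                         "severity": "high" if USER_WRITABLE.search(image) else "medium"}
        hits[key]["count"] += 1
    return sorted(hits.values(), key=lambda h: h["pid"])


if __name__ == "__main__":
    for h in lock_memory_enablers(EVENTS):
        print(h["severity"], h["pid"], h["count"], h["image"])
```

Enabling a privilege is logged each time the process toggles it, hence the count field; the report shows the same pair of enables. The disabled-list record for lsass.exe is deliberately not a hit, since only enables matter here.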
Processes
- C:\Users\Admin\AppData\Local\Temp\d0c9878c32fc02a36c685276fbfe79d7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d0c9878c32fc02a36c685276fbfe79d7.exe"
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies Internet Explorer start page
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe (child of the sample)
    command line: C:\Windows\system32\WerFault.exe -u -p 648 -s 1864
    -p 648 is the faulting process id, the same pid as in the yara, token and crash records above.
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump  file size
memory/648-2-0x0000000000400000-0x00000000010B6000-memory.dmp  12.7MB
memory/648-3-0x0000000000400000-0x00000000010B6000-memory.dmp  12.7MB
memory/648-6-0x0000000000180000-0x00000000001C0000-memory.dmp  256KB
memory/648-7-0x00000000001C0000-0x00000000001E2000-memory.dmp  136KB
memory/648-8-0x00000000001F0000-0x0000000000200000-memory.dmp  64KB
The two 12.7MB dumps are the region the xmrig rule matched; the three small regions of the same process were not flagged by any rule listed.