Analysis
-
max time kernel
131s -
max time network
131s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-12-2020 15:28
Static task
static1
Behavioral task
behavioral1
Sample
89ce0187773ace06c57df987af5e0d5d.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
89ce0187773ace06c57df987af5e0d5d.exe
-
Size
6.2MB
-
MD5
89ce0187773ace06c57df987af5e0d5d
-
SHA1
2ed0bab3d69180c6db0201c8a4277275d0423435
-
SHA256
140dcd3c8e64df78704efe2b1530b134534b93f37c2107ea29a7ebf132bcb052
-
SHA512
5a9d0c7e71dd250b364f644c341e8364f059d383728286f5edf24f5219bae8843ee8668b1a619d866faeb2e706f83f27eea705401c08c847318d29a98dc5475d
Malware Config
Signatures
-
XMRig Miner Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/640-2-0x0000000000400000-0x00000000010B6000-memory.dmp xmrig behavioral2/memory/640-3-0x0000000000400000-0x00000000010B6000-memory.dmp xmrig -
Processes:
yara_rule upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx upx -
Drops desktop.ini file(s) 2 IoCs
Processes:
89ce0187773ace06c57df987af5e0d5d.exedescription ioc process File created C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini 89ce0187773ace06c57df987af5e0d5d.exe File created C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini 89ce0187773ace06c57df987af5e0d5d.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in Program Files directory 1303 IoCs
Processes:
89ce0187773ace06c57df987af5e0d5d.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\dt_socket.dll 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.bat 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\w2k_lsa_auth.dll 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\System\msadc\msadcer.dll 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\nb.txt 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\DisconnectStep.i64 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgePackages.h 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\es.pak 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Internet Explorer\ieinstal.exe 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\snmp.acl.template 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\eo.txt 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\LogoDev.png 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\System\Ole DB\msxactps.dll 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\System\ado\msadomd.dll 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\mng.txt 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\System\ado\msader15.dll 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_it.properties 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\sw.pak 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\default_apps\gmail.crx 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Google\Chrome\Application\86.0.4240.111\resources.pak 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe 89ce0187773ace06c57df987af5e0d5d.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\en.ttt 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jsoundds.dll 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\7-Zip\7-zip.dll 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_zh_4.4.0.v20140623020002.jar 89ce0187773ace06c57df987af5e0d5d.exe File opened for modification C:\Program Files\CopyResume.csv 89ce0187773ace06c57df987af5e0d5d.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2176 640 WerFault.exe 89ce0187773ace06c57df987af5e0d5d.exe -
Modifies Internet Explorer start page 1 TTPs 5 IoCs
Processes:
89ce0187773ace06c57df987af5e0d5d.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.LAaEhKoSDS.com" 89ce0187773ace06c57df987af5e0d5d.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.zvPAWRLdpt.com" 89ce0187773ace06c57df987af5e0d5d.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.QJzkXoNTRb.com" 89ce0187773ace06c57df987af5e0d5d.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.TuTbhxdJnJ.com" 89ce0187773ace06c57df987af5e0d5d.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.pybUTkTUIC.com" 89ce0187773ace06c57df987af5e0d5d.exe -
Processes:
89ce0187773ace06c57df987af5e0d5d.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 89ce0187773ace06c57df987af5e0d5d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 89ce0187773ace06c57df987af5e0d5d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 89ce0187773ace06c57df987af5e0d5d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 89ce0187773ace06c57df987af5e0d5d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 89ce0187773ace06c57df987af5e0d5d.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
89ce0187773ace06c57df987af5e0d5d.exedescription pid process Token: SeLockMemoryPrivilege 640 89ce0187773ace06c57df987af5e0d5d.exe Token: SeLockMemoryPrivilege 640 89ce0187773ace06c57df987af5e0d5d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\89ce0187773ace06c57df987af5e0d5d.exe"C:\Users\Admin\AppData\Local\Temp\89ce0187773ace06c57df987af5e0d5d.exe"1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 640 -s 15282⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/640-2-0x0000000000400000-0x00000000010B6000-memory.dmpFilesize
12.7MB
-
memory/640-3-0x0000000000400000-0x00000000010B6000-memory.dmpFilesize
12.7MB
-
memory/640-5-0x0000000000070000-0x0000000000072000-memory.dmpFilesize
8KB
-
memory/640-7-0x00000000001B0000-0x00000000001C0000-memory.dmpFilesize
64KB
-
memory/640-8-0x00000000001C0000-0x00000000001D0000-memory.dmpFilesize
64KB
-
memory/640-9-0x00000000001D0000-0x00000000001D2000-memory.dmpFilesize
8KB
-
memory/640-10-0x00000000001E0000-0x00000000001F0000-memory.dmpFilesize
64KB
-
memory/640-11-0x00000000001F0000-0x0000000000200000-memory.dmpFilesize
64KB