xmrig | adf8d4bdcc642de48aee894ccb4a4506bd3fcc9ce5f01b1894e204e924ec6c76

General

Target

acfc902c90b90bd6cc8c1f3bbf393648.exe
Size

6.6MB
MD5

acfc902c90b90bd6cc8c1f3bbf393648
SHA1

76c2e6263c9ef4d477abdda8fdc7b8d31a7c25e3
SHA256

adf8d4bdcc642de48aee894ccb4a4506bd3fcc9ce5f01b1894e204e924ec6c76
SHA512

921aa7ed6a1f37ede7dfe152e467694f34292d3aefdaf3805392452662bfc44660d079a9bee02a0ef762c19abb223adcf7dcbf12ef03dec353adcf38c0663419

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/732-2-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/732-3-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig

UPX packed file 105 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

yara_rule
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx

Drops desktop.ini file(s) 2 IoCs

Processes:

acfc902c90b90bd6cc8c1f3bbf393648.exe

description	ioc	process
File created	C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini	acfc902c90b90bd6cc8c1f3bbf393648.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	acfc902c90b90bd6cc8c1f3bbf393648.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 1450 IoCs

Processes:

acfc902c90b90bd6cc8c1f3bbf393648.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties	acfc902c90b90bd6cc8c1f3bbf393648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\zh-CN.pak	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\LICENSE	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	acfc902c90b90bd6cc8c1f3bbf393648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll	acfc902c90b90bd6cc8c1f3bbf393648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IPSEventLogMsg.dll	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\management.dll	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.properties	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\sw.pak	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	acfc902c90b90bd6cc8c1f3bbf393648.exe
File created	C:\Program Files\Common Files\System\ado\msado20.tlb	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiBold.ttf	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll	acfc902c90b90bd6cc8c1f3bbf393648.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansRegular.ttf	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\logging.properties	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\LICENSE	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\GRAY.pf	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\chrome.dll.sig	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.ini	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\dblook.bat	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2iexp.dll	acfc902c90b90bd6cc8c1f3bbf393648.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\swiftshader\libEGL.dll	acfc902c90b90bd6cc8c1f3bbf393648.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt	acfc902c90b90bd6cc8c1f3bbf393648.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3524 732 WerFault.exe acfc902c90b90bd6cc8c1f3bbf393648.exe

pid	pid_target	process	target process
3524	732	WerFault.exe	acfc902c90b90bd6cc8c1f3bbf393648.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

acfc902c90b90bd6cc8c1f3bbf393648.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.NDGnFJswhg.com"	acfc902c90b90bd6cc8c1f3bbf393648.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.kYqMkeztkm.com"	acfc902c90b90bd6cc8c1f3bbf393648.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

acfc902c90b90bd6cc8c1f3bbf393648.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	acfc902c90b90bd6cc8c1f3bbf393648.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	acfc902c90b90bd6cc8c1f3bbf393648.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	acfc902c90b90bd6cc8c1f3bbf393648.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	acfc902c90b90bd6cc8c1f3bbf393648.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	acfc902c90b90bd6cc8c1f3bbf393648.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

acfc902c90b90bd6cc8c1f3bbf393648.exe

description	pid	process
Token: SeLockMemoryPrivilege	732	acfc902c90b90bd6cc8c1f3bbf393648.exe
Token: SeLockMemoryPrivilege	732	acfc902c90b90bd6cc8c1f3bbf393648.exe

C:\Users\Admin\AppData\Local\Temp\acfc902c90b90bd6cc8c1f3bbf393648.exe
"C:\Users\Admin\AppData\Local\Temp\acfc902c90b90bd6cc8c1f3bbf393648.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 732 -s 1632
2⤵
- Program crash
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/732-2-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/732-3-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/732-6-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/732-7-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/732-8-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/732-9-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/732-10-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads