834feb87d58ce3fa6ab779e6ddbf0e920bc94ec4d001e9af25d503bf00422607

General

Target

3eebb91a074c7020e3f3563066761ddb.exe
Size

26KB
MD5

3eebb91a074c7020e3f3563066761ddb
SHA1

dfaa7c3312e836e63013b3904134327d78783b34
SHA256

834feb87d58ce3fa6ab779e6ddbf0e920bc94ec4d001e9af25d503bf00422607
SHA512

6d6ba3b3fbfca4c5174b7fcc620053b428a33d85015a2a349cb34a22f2251e4357e440bda2874b436f306ea446243e8d3711a7896417550416da9f22c563b4e7

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 776 set thread context of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	3eebb91a074c7020e3f3563066761ddb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3eebb91a074c7020e3f3563066761ddb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	776	3eebb91a074c7020e3f3563066761ddb.exe
Token: SeDebugPrivilege	1380	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29
PID 776 wrote to memory of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29
PID 776 wrote to memory of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29
PID 776 wrote to memory of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29
PID 776 wrote to memory of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29
PID 776 wrote to memory of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29
PID 776 wrote to memory of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29
PID 776 wrote to memory of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29
PID 776 wrote to memory of 1380	776	3eebb91a074c7020e3f3563066761ddb.exe	29

C:\Users\Admin\AppData\Local\Temp\3eebb91a074c7020e3f3563066761ddb.exe
"C:\Users\Admin\AppData\Local\Temp\3eebb91a074c7020e3f3563066761ddb.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/776-3-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/776-5-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/776-6-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1380-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1380-9-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/1380-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1380-12-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing