Analysis
- max time kernel: 69s
- max time network: 99s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 09:27
Static task: static1
Behavioral task: behavioral1
- Sample: DigiCertUtil.exe
- Resource: win7-en-20210920 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: DigiCertUtil.exe
- Resource: win10-en-20211014 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: DigiCertUtil.exe
- Size: 3.1MB
- MD5: cd08f5aee51ce2ef2d4b1bd567adac90
- SHA1: 32ebfee9645f42c3719101df980832eccd24ee4c
- SHA256: 20229d2217d12e73f130c72645d7edf384c630973775d9f38326dfee0295cb12
- SHA512: 78d3c08da6f854774498f257e0a5479245376cda115773a47bfb3b621db6a0e132ad3539237bb09336f0de7b34bbf42e24c53fb02ef450edf430f2d7cf245424
Malware Config
Signatures
- Drops file in Program Files directory (3 IoCs)
  Processes: xcopy.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Security | xcopy.exe
  File created | C:\Program Files (x86)\Security\DigiCertUtil.exe | xcopy.exe
  File opened for modification | C:\Program Files (x86)\Security\DigiCertUtil.exe | xcopy.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes: xcopy.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: pid 2020, DigiCertUtil.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: pid 2020, DigiCertUtil.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: pid 2020, DigiCertUtil.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: DigiCertUtil.exe, cmd.exe, cmd.exe
  description | pid | process | target process | occurrences
  PID 2020 wrote to memory of 108 | 2020 | DigiCertUtil.exe | cmd.exe | 4
  PID 108 wrote to memory of 740 | 108 | cmd.exe | xcopy.exe | 4
  PID 2020 wrote to memory of 1152 | 2020 | DigiCertUtil.exe | cmd.exe | 4
  PID 1152 wrote to memory of 436 | 1152 | cmd.exe | schtasks.exe | 4
  PID 2020 wrote to memory of 756 | 2020 | DigiCertUtil.exe | xwizard.exe | 8
Processes
- C:\Users\Admin\AppData\Local\Temp\DigiCertUtil.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DigiCertUtil.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c xcopy "C:\Users\Admin\AppData\Local\Temp\DigiCertUtil.exe" "%ProgramFiles%\Security\" /y /i /c /q
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\xcopy.exe (depth 3)
      Command line: xcopy "C:\Users\Admin\AppData\Local\Temp\DigiCertUtil.exe" "C:\Program Files (x86)\Security\" /y /i /c /q
      - Drops file in Program Files directory
      - Enumerates system info in registry
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c schtasks /create /sc ONLOGON /tn "Security" /tr "%ProgramFiles%\Security\DigiCertUtil.exe" /it /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: schtasks /create /sc ONLOGON /tn "Security" /tr "C:\Program Files (x86)\Security\DigiCertUtil.exe" /it /f
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\xwizard.exe (depth 2)
    Command line: C:\Windows\System32\xwizard.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads