0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924

General

Target

0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe
Size

5.2MB
MD5

9e341e85dcaa0a31a88ad14feaeed888
SHA1

0ba9508166b2f8127451e07a1ceffd9ec63fd640
SHA256

0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924
SHA512

cc2b7efe29bafae98b174129c3bd6da61f4f9051247ad9dd09b86843e7e6502958e1d1d70da332e5e63e73bff7e97514dd9f303de6baf3233662508ed1595db5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	GenericSetup.exe

Loads dropped DLL 1 IoCs

pid	Process
1632	0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GenericSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GenericSetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	GenericSetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1712	1632	0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe	27
PID 1632 wrote to memory of 1712	1632	0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe	27
PID 1632 wrote to memory of 1712	1632	0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe	27
PID 1632 wrote to memory of 1712	1632	0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe	27
PID 1632 wrote to memory of 1712	1632	0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe	27
PID 1632 wrote to memory of 1712	1632	0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe	27
PID 1632 wrote to memory of 1712	1632	0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe	27

C:\Users\Admin\AppData\Local\Temp\0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe
"C:\Users\Admin\AppData\Local\Temp\0333988d52da8b27e865657ffa2c4cb8e96b43fce7d6d7b72458a0b176713924.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\7zS06659766\GenericSetup.exe
  .\GenericSetup.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-55-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1712-62-0x0000000001080000-0x0000000001AB0000-memory.dmp

Filesize
10.2MB

Download
memory/1712-59-0x000000007400E000-0x000000007400F000-memory.dmp

Filesize
4KB

Download
memory/1712-63-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1712-64-0x0000000005AD0000-0x00000000061AA000-memory.dmp

Filesize
6.9MB

Download
memory/1712-65-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/1712-66-0x00000000004B0000-0x00000000004D8000-memory.dmp

Filesize
160KB

Download
memory/1712-67-0x0000000000B30000-0x0000000000B5C000-memory.dmp

Filesize
176KB

Download
memory/1712-68-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing