95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00

General

Target

95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
Size

7.9MB
MD5

66eeed112f302db2ee39e58cf6eb0c2e
SHA1

7f614ccb6d175a343be4e9d18787f723e4a25e76
SHA256

95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00
SHA512

2009a6e680d208759cccef72ab3000e232eb323befe6217960eba42b53765e7df2833be36bd8a6fd0dd33c54624d49a8a1f49ad73f27ec8a92924b5bb43d7280

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
452	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
452	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
452	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
452	95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe

C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
"C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/452-54-0x00000000002A0000-0x0000000000A82000-memory.dmp

Filesize
7.9MB

Download
memory/452-55-0x0000000002650000-0x00000000026AC000-memory.dmp

Filesize
368KB

Download
memory/452-56-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/452-57-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

Filesize
72KB

Download
memory/452-58-0x000000001B660000-0x000000001B662000-memory.dmp

Filesize
8KB

Download
memory/452-59-0x000000001C060000-0x000000001C10A000-memory.dmp

Filesize
680KB

Download
memory/452-60-0x000000001BCC0000-0x000000001BD3C000-memory.dmp

Filesize
496KB

Download
memory/452-61-0x000000001B666000-0x000000001B685000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing