335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04

General

Target

335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
Size

229KB
MD5

8e20b32cc0daf478a81c9b4bfabb82d8
SHA1

fc6c797aa54bf8e010fad84568c7e74e12903274
SHA256

335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04
SHA512

73de0a3695167ade1a093210567d0ae140e2082caff2eab1034d2591414b9dabc6921218a4b7173b67a4bd6debb28b86c95472c7142d69caa0d293150a13b08b

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe

description	pid	process	target process
PID 1672 set thread context of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe

description	pid	process	target process
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
PID 1672 wrote to memory of 2024	1672	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe	335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe

C:\Users\Admin\AppData\Local\Temp\335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
"C:\Users\Admin\AppData\Local\Temp\335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe
"C:\Users\Admin\AppData\Local\Temp\335a973cd3d245457d78423d13aaf020bb4fab14de2c2381f07ae28c50e0cc04.exe"
2⤵
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-54-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-67-0x0000000074860000-0x0000000074E0B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-65-0x000000000119552E-mapping.dmp

Download
memory/2024-56-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-66-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-68-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2024-71-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads