6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99

Analysis

max time kernel
150s
max time network
97s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Size

179KB
MD5

84f2b1ef959d96970c899e581905c333
SHA1

57119042042e49e550c90a801c7ca15b8cf1b2ab
SHA256

6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99
SHA512

c32903f151977a7fb624aa23639251976d10af864bd608f7a5b77ebde9cd178051529c1c0870f38a412f5e60ce97b499c20faeee2263ac70ce0ea7a675e51c29

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1416	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup32.3u.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup32.3u.exe	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar(32.3u) = "C:\\Users\\Admin\\AppData\\Roaming\\ProgramFiles(32.3u)\\svchost.exe"	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar(32.3u) = "C:\\Users\\Admin\\AppData\\Roaming\\ProgramFiles(32.3u)\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
2012	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
2012	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
2012	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
2012	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe
1416	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1416	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
Token: SeDebugPrivilege	1416	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1416	2012	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe	27
PID 2012 wrote to memory of 1416	2012	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe	27
PID 2012 wrote to memory of 1416	2012	6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe	27

C:\Users\Admin\AppData\Local\Temp\6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe
"C:\Users\Admin\AppData\Local\Temp\6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\ProgramFiles(32.3u)\svchost.exe
  "C:\Users\Admin\AppData\Roaming\ProgramFiles(32.3u)\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
c8e110d4f0fa3358d71e8759b61830f1

SHA1
82de544c2c0f7bf30fdf2044fb047106d7b094c3

SHA256
e3af569ed90c5283532bdc320551d1a5d674b989f38c9421855195fe0579fb5e

SHA512
0ea9babc2e63eceedc9ee5d404ff47908bf8c3b8983d822a670d31f78bbff489346d8375e437436fb044af5ce17232d4ce10f2a87f007dbb6415a3c7e7133601

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_1504CB01E15745C324D88B59ACA8C10D

Filesize
490B

MD5
8877d510e3c8d5fab1679d40884da090

SHA1
1d6bb8277ec519f8d3337d3786e1e1b35f818b37

SHA256
d00400964ebdd17939571e41935916f1bc2a0943e7614b9bf0b4397e85238d39

SHA512
03a10cf8691043e78ff8bdfab682da4127f2216a8d557a35c7996caf6fea232d146b2c4150b2948c564903db5b723b7a67e999aafc3b14fdf910437b9c07c715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
434B

MD5
19086e6c57656bc5facc8646be3e3a47

SHA1
3c743f7cc18da45f7953289c53aa7bca8429a5d1

SHA256
8b3e5ed3c72d1b56463fad2b182e98ca401cebb0beff6991a88c958ef2e64aaa

SHA512
7eb7b4bbe36ae6032f0e0f698a16b0f6c2675c815ad1aff9b4007dea2362e69fad810b6c5952a93f139e42887bfa50fe8beeb26edce9b6771bb3ea7ab18027ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_1504CB01E15745C324D88B59ACA8C10D

Filesize
434B

MD5
6081063b3c4d7476b124d5966c4c2365

SHA1
72cf29e9f89391c90c2daa27d8968da2357c0c86

SHA256
8d54ebe0c361e8f2c2a435cd91b0d72a56eebdab79de040c91bdc1a158a75171

SHA512
62694167b61213bd4018c29c14d8c6017cbab7b7cdb942d4abc0fe9b7f439514a7e219dd656970b19874e3cb85f6c0bb9667712ddb370c7b3fd5f84b61cbef85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
3b51e162462c63c81bb4a4c01ad14259

SHA1
9acdccb1d3c80b72f241c85b6fa23dad054960b1

SHA256
cd76e8bd80a8b0ab741e20b103b6d1bb0fd598c54753accbb120c18a3a399b39

SHA512
bbf7c17c4722872df185eacaee6b43c022d033ecdeeab63cb90133cf1f2d8002fb0f9d4a67bc2f829e82d6a789dadfa52ba0452358077835a41a1399b1e77150

Download Submit
C:\Users\Admin\AppData\Roaming\ProgramFiles(32.3u)\svchost.exe

Filesize
179KB

MD5
84f2b1ef959d96970c899e581905c333

SHA1
57119042042e49e550c90a801c7ca15b8cf1b2ab

SHA256
6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99

SHA512
c32903f151977a7fb624aa23639251976d10af864bd608f7a5b77ebde9cd178051529c1c0870f38a412f5e60ce97b499c20faeee2263ac70ce0ea7a675e51c29

Download Submit
C:\Users\Admin\AppData\Roaming\ProgramFiles(32.3u)\svchost.exe

Filesize
179KB

MD5
84f2b1ef959d96970c899e581905c333

SHA1
57119042042e49e550c90a801c7ca15b8cf1b2ab

SHA256
6055e6134d3c861ef5b2e599dd87959debcc09e6855cf3c8e4d32b6255aa1f99

SHA512
c32903f151977a7fb624aa23639251976d10af864bd608f7a5b77ebde9cd178051529c1c0870f38a412f5e60ce97b499c20faeee2263ac70ce0ea7a675e51c29

Download Submit
memory/1416-65-0x000007FEF3530000-0x000007FEF3F53000-memory.dmp

Filesize
10.1MB

Download
memory/1416-66-0x000007FEEE150000-0x000007FEEF1E6000-memory.dmp

Filesize
16.6MB

Download
memory/1416-67-0x0000000000B66000-0x0000000000B85000-memory.dmp

Filesize
124KB

Download
memory/1416-68-0x0000000000B66000-0x0000000000B85000-memory.dmp

Filesize
124KB

Download
memory/2012-59-0x0000000000AD6000-0x0000000000AF5000-memory.dmp

Filesize
124KB

Download
memory/2012-54-0x000007FEF3F60000-0x000007FEF4983000-memory.dmp

Filesize
10.1MB

Download
memory/2012-55-0x000007FEF2EC0000-0x000007FEF3F56000-memory.dmp

Filesize
16.6MB

Download