391c0c9765b0c6e269653d011db7a76f57628e08068a4e30943df0219ae9aca5

General

Target

Document.exe
Size

626KB
MD5

df7d93db1a1c0fcaac675dcc9542c6e8
SHA1

c457b5d87971821454278e9979115e213976d261
SHA256

391c0c9765b0c6e269653d011db7a76f57628e08068a4e30943df0219ae9aca5
SHA512

4cc79597e3213d18147165ea9b25b81c070d9fde81689a4790627a7bf13c3864ba3bbec42080bafab33934d80066a0634ce0e10c57a2046a2701905cdd71b411

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Document.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\48CB770224DA2D1A923051BEF5F4CACF5233AE7C	Document.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\48CB770224DA2D1A923051BEF5F4CACF5233AE7C\Blob = 0f00000001000000200000004f5e531c4bb6b81f59c3673ce82caf9174591354817b7cbaa78f257e7b2667a203000000010000001400000048cb770224da2d1a923051bef5f4cacf5233ae7c2000000001000000f9020000308202f5308201dda00302010202104f0518e54b693d5a214689a77c245312300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303731383134303030305a170d3237303731373134303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100bc8e4592ea0a4cc4e7cb4db8aedd9709df0d4c4f5ec1694fba3f3792211465ae3d966fc1c76cab049188a4e2c68541eeb73643e3b12f07bf6749f8b3e5db2dbe51d0ef1bc2efe71dcd3a7bbdd915ee065dbdd704d7b47350aca1bb8d3e0316ba7ea1a14e4c3c8c7054b3e696b5974ece6317d83ca9d141f85e4acfee8476f946e319e1204c6e69d3c350f7915752a28e7dd5da364c95f163d92213d97eef75a9f1048fce26199f1c081c15a59820e867c00fd95abd541612528c57ea240c188e7e9c90a42024f5e37f22f1ba710e4e7845306f002c62d4f0256ec341742265128a096b0ecbc07df948cf5d65c917d4529cac33e58e5540be7ed705868fd3944f0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041443d9c73ad7a897dd1375ef57318662fc6811ee4c300d06092a864886f70d01010b050003820101000d8d7574550861813fa8d208a20b519a402a6c07d2b7ea84facb4d309c7f0775035c181ee228cccbfde8779b53c2835dc99198a81b9e2f690cf2f341a2d23369d92204f34d593e9738116661768424969d157c56dc47c7080a7358baac70ce2248b2c95800956bda9402e790c878538348a27d8f7077bd9329f161198952322fc09c82f10a4fcfdf8c0e6eac31beeb63d5b3e66ffeb73e8c2e53581f5b0ef9fc0192b1c91693f92e6892c7b270d49a2e0affc757a7c3d50d2966e5ec386670eff08ee3c14d30aa947851436d23fe63a8fee72bd8b162a4a9cc7074fb35986d7d7d7880224d2e7fc208e73c50b8c59d4d9da1800c9859fa4620df79aeb1732436	Document.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\48CB770224DA2D1A923051BEF5F4CACF5233AE7C\Blob = 14000000010000001400000043d9c73ad7a897dd1375ef57318662fc6811ee4c03000000010000001400000048cb770224da2d1a923051bef5f4cacf5233ae7c0f00000001000000200000004f5e531c4bb6b81f59c3673ce82caf9174591354817b7cbaa78f257e7b2667a22000000001000000f9020000308202f5308201dda00302010202104f0518e54b693d5a214689a77c245312300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303731383134303030305a170d3237303731373134303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100bc8e4592ea0a4cc4e7cb4db8aedd9709df0d4c4f5ec1694fba3f3792211465ae3d966fc1c76cab049188a4e2c68541eeb73643e3b12f07bf6749f8b3e5db2dbe51d0ef1bc2efe71dcd3a7bbdd915ee065dbdd704d7b47350aca1bb8d3e0316ba7ea1a14e4c3c8c7054b3e696b5974ece6317d83ca9d141f85e4acfee8476f946e319e1204c6e69d3c350f7915752a28e7dd5da364c95f163d92213d97eef75a9f1048fce26199f1c081c15a59820e867c00fd95abd541612528c57ea240c188e7e9c90a42024f5e37f22f1ba710e4e7845306f002c62d4f0256ec341742265128a096b0ecbc07df948cf5d65c917d4529cac33e58e5540be7ed705868fd3944f0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041443d9c73ad7a897dd1375ef57318662fc6811ee4c300d06092a864886f70d01010b050003820101000d8d7574550861813fa8d208a20b519a402a6c07d2b7ea84facb4d309c7f0775035c181ee228cccbfde8779b53c2835dc99198a81b9e2f690cf2f341a2d23369d92204f34d593e9738116661768424969d157c56dc47c7080a7358baac70ce2248b2c95800956bda9402e790c878538348a27d8f7077bd9329f161198952322fc09c82f10a4fcfdf8c0e6eac31beeb63d5b3e66ffeb73e8c2e53581f5b0ef9fc0192b1c91693f92e6892c7b270d49a2e0affc757a7c3d50d2966e5ec386670eff08ee3c14d30aa947851436d23fe63a8fee72bd8b162a4a9cc7074fb35986d7d7d7880224d2e7fc208e73c50b8c59d4d9da1800c9859fa4620df79aeb1732436	Document.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\48CB770224DA2D1A923051BEF5F4CACF5233AE7C\Blob = 190000000100000010000000327317f857b372d52d8bb3d6e16d0ab50f00000001000000200000004f5e531c4bb6b81f59c3673ce82caf9174591354817b7cbaa78f257e7b2667a203000000010000001400000048cb770224da2d1a923051bef5f4cacf5233ae7c14000000010000001400000043d9c73ad7a897dd1375ef57318662fc6811ee4c2000000001000000f9020000308202f5308201dda00302010202104f0518e54b693d5a214689a77c245312300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303731383134303030305a170d3237303731373134303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100bc8e4592ea0a4cc4e7cb4db8aedd9709df0d4c4f5ec1694fba3f3792211465ae3d966fc1c76cab049188a4e2c68541eeb73643e3b12f07bf6749f8b3e5db2dbe51d0ef1bc2efe71dcd3a7bbdd915ee065dbdd704d7b47350aca1bb8d3e0316ba7ea1a14e4c3c8c7054b3e696b5974ece6317d83ca9d141f85e4acfee8476f946e319e1204c6e69d3c350f7915752a28e7dd5da364c95f163d92213d97eef75a9f1048fce26199f1c081c15a59820e867c00fd95abd541612528c57ea240c188e7e9c90a42024f5e37f22f1ba710e4e7845306f002c62d4f0256ec341742265128a096b0ecbc07df948cf5d65c917d4529cac33e58e5540be7ed705868fd3944f0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e0416041443d9c73ad7a897dd1375ef57318662fc6811ee4c300d06092a864886f70d01010b050003820101000d8d7574550861813fa8d208a20b519a402a6c07d2b7ea84facb4d309c7f0775035c181ee228cccbfde8779b53c2835dc99198a81b9e2f690cf2f341a2d23369d92204f34d593e9738116661768424969d157c56dc47c7080a7358baac70ce2248b2c95800956bda9402e790c878538348a27d8f7077bd9329f161198952322fc09c82f10a4fcfdf8c0e6eac31beeb63d5b3e66ffeb73e8c2e53581f5b0ef9fc0192b1c91693f92e6892c7b270d49a2e0affc757a7c3d50d2966e5ec386670eff08ee3c14d30aa947851436d23fe63a8fee72bd8b162a4a9cc7074fb35986d7d7d7880224d2e7fc208e73c50b8c59d4d9da1800c9859fa4620df79aeb1732436	Document.exe

C:\Users\Admin\AppData\Local\Temp\Document.exe
"C:\Users\Admin\AppData\Local\Temp\Document.exe"
1⤵
- Modifies system certificate store
PID:112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing