e01bb0869c559b895adf1e203a1e3498aa86e676731ff810183c8a0432559fee

Analysis

max time kernel
42s
max time network
108s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-up.exe
Size

3.5MB
MD5

6600434532f969d8fb24ee51fef331b7
SHA1

f3dc4329ded8a0ef1292bebf97611c4ad2e552fe
SHA256

e01bb0869c559b895adf1e203a1e3498aa86e676731ff810183c8a0432559fee
SHA512

109655ea6989bb15ff5f912ea37a5f92e17af52f1b5d23775d9b2a5b384e0bb9edbe7b19b77d27165b1cf1fe9dbd82fd11d68524333f3cced3d5d75e0635f394
SSDEEP

98304:kAI+zy/rv/dDXsN3RUDF/QY0VJkXZf8Bomxl3:jtzyTvVDchRsUMXZfCj3

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Set-up.exedwm.exeLogonUI.exe

pid process

2036 Set-up.exe
1768 dwm.exe
1012 LogonUI.exe

pid	process
2036	Set-up.exe
1768	dwm.exe
1012	LogonUI.exe

Loads dropped DLL 24 IoCs

Processes:

Set-up.exeWerFault.exeWerFault.exe

pid	process
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
820	Set-up.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe
1636	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

Processes:

Set-up.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe	Set-up.exe
File opened for modification	C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.exe	Set-up.exe
File created	C:\Program Files (x86)\Adobe Inc\Adobe Installer\Uninstall.ini	Set-up.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

888 1768 WerFault.exe dwm.exe
1636 1012 WerFault.exe LogonUI.exe

pid	pid_target	process	target process
888	1768	WerFault.exe	dwm.exe
1636	1012	WerFault.exe	LogonUI.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

Set-up.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001"	Set-up.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Set-up.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Set-up.exedwm.exeLogonUI.exe

description	pid	process	target process
PID 820 wrote to memory of 2036	820	Set-up.exe	Set-up.exe
PID 820 wrote to memory of 2036	820	Set-up.exe	Set-up.exe
PID 820 wrote to memory of 2036	820	Set-up.exe	Set-up.exe
PID 820 wrote to memory of 2036	820	Set-up.exe	Set-up.exe
PID 820 wrote to memory of 2036	820	Set-up.exe	Set-up.exe
PID 820 wrote to memory of 2036	820	Set-up.exe	Set-up.exe
PID 820 wrote to memory of 2036	820	Set-up.exe	Set-up.exe
PID 820 wrote to memory of 1768	820	Set-up.exe	dwm.exe
PID 820 wrote to memory of 1768	820	Set-up.exe	dwm.exe
PID 820 wrote to memory of 1768	820	Set-up.exe	dwm.exe
PID 820 wrote to memory of 1768	820	Set-up.exe	dwm.exe
PID 1768 wrote to memory of 888	1768	dwm.exe	WerFault.exe
PID 1768 wrote to memory of 888	1768	dwm.exe	WerFault.exe
PID 1768 wrote to memory of 888	1768	dwm.exe	WerFault.exe
PID 1768 wrote to memory of 888	1768	dwm.exe	WerFault.exe
PID 820 wrote to memory of 1012	820	Set-up.exe	LogonUI.exe
PID 820 wrote to memory of 1012	820	Set-up.exe	LogonUI.exe
PID 820 wrote to memory of 1012	820	Set-up.exe	LogonUI.exe
PID 820 wrote to memory of 1012	820	Set-up.exe	LogonUI.exe
PID 1012 wrote to memory of 1636	1012	LogonUI.exe	WerFault.exe
PID 1012 wrote to memory of 1636	1012	LogonUI.exe	WerFault.exe
PID 1012 wrote to memory of 1636	1012	LogonUI.exe	WerFault.exe
PID 1012 wrote to memory of 1636	1012	LogonUI.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
"C:\Program Files (x86)\Adobe Inc.\Adobe Installer\Set-up.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
PID:2036

C:\Users\Admin\AppData\Local\Temp\dwm.exe
"C:\Users\Admin\AppData\Local\Temp\dwm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 540
3⤵
- Loads dropped DLL
- Program crash
PID:888

C:\Users\Admin\AppData\Local\Temp\LogonUI.exe
"C:\Users\Admin\AppData\Local\Temp\LogonUI.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 596
3⤵
- Loads dropped DLL
- Program crash
PID:1636

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
Filesize
7.3MB

MD5
74ee6d49771e8c5dab119908e486add6

SHA1
c350d583c2d30f05e6243e7008a45a7c87836b17

SHA256
35eb5594af93361b530db8aff0d126d6f7da9ada30b0b8b000ea60e014e87375

SHA512
6362455e26b4bed0f20d5062914c1c07b4018957e8b4a237a51d6887f98dac68c207d1aa35c3806b705431caaa08eb1b61006ae8034e88b25c120db63e82c303

Download Submit
C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
Filesize
7.3MB

MD5
74ee6d49771e8c5dab119908e486add6

SHA1
c350d583c2d30f05e6243e7008a45a7c87836b17

SHA256
35eb5594af93361b530db8aff0d126d6f7da9ada30b0b8b000ea60e014e87375

SHA512
6362455e26b4bed0f20d5062914c1c07b4018957e8b4a237a51d6887f98dac68c207d1aa35c3806b705431caaa08eb1b61006ae8034e88b25c120db63e82c303

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
Filesize
7.3MB

MD5
74ee6d49771e8c5dab119908e486add6

SHA1
c350d583c2d30f05e6243e7008a45a7c87836b17

SHA256
35eb5594af93361b530db8aff0d126d6f7da9ada30b0b8b000ea60e014e87375

SHA512
6362455e26b4bed0f20d5062914c1c07b4018957e8b4a237a51d6887f98dac68c207d1aa35c3806b705431caaa08eb1b61006ae8034e88b25c120db63e82c303

Download Submit
\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
Filesize
7.3MB

MD5
74ee6d49771e8c5dab119908e486add6

SHA1
c350d583c2d30f05e6243e7008a45a7c87836b17

SHA256
35eb5594af93361b530db8aff0d126d6f7da9ada30b0b8b000ea60e014e87375

SHA512
6362455e26b4bed0f20d5062914c1c07b4018957e8b4a237a51d6887f98dac68c207d1aa35c3806b705431caaa08eb1b61006ae8034e88b25c120db63e82c303

Download Submit
\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
Filesize
7.3MB

MD5
74ee6d49771e8c5dab119908e486add6

SHA1
c350d583c2d30f05e6243e7008a45a7c87836b17

SHA256
35eb5594af93361b530db8aff0d126d6f7da9ada30b0b8b000ea60e014e87375

SHA512
6362455e26b4bed0f20d5062914c1c07b4018957e8b4a237a51d6887f98dac68c207d1aa35c3806b705431caaa08eb1b61006ae8034e88b25c120db63e82c303

Download Submit
\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
Filesize
7.3MB

MD5
74ee6d49771e8c5dab119908e486add6

SHA1
c350d583c2d30f05e6243e7008a45a7c87836b17

SHA256
35eb5594af93361b530db8aff0d126d6f7da9ada30b0b8b000ea60e014e87375

SHA512
6362455e26b4bed0f20d5062914c1c07b4018957e8b4a237a51d6887f98dac68c207d1aa35c3806b705431caaa08eb1b61006ae8034e88b25c120db63e82c303

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\LogonUI.exe
Filesize
1.1MB

MD5
8817c22f2d53f5070ce6c2ea96bad83b

SHA1
9cb05fb4b2fd727da8be5b37a26ffd61ad423643

SHA256
d76212a7613603d25a3df9c5286c5eaa9ae6152a2e3f39679eabf803a340c2f4

SHA512
99b9f1336844374cff16c9b8d7c8b0523a2351becdf8253c61cb0364c5b9a89e7cedc5c2d7ddaf6a4e4253434535e344993082d530c58575a73e291b09efc3a6

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
\Users\Admin\AppData\Local\Temp\dwm.exe
Filesize
419KB

MD5
36199d74da34290f87be389bb6bb9515

SHA1
7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

SHA256
393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

SHA512
7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

Download Submit
memory/820-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/888-72-0x0000000000000000-mapping.dmp

Download
memory/1012-87-0x00000000004D0000-0x0000000000542000-memory.dmp

Filesize
456KB

Download
memory/1012-86-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/1012-83-0x0000000000000000-mapping.dmp

Download
memory/1636-88-0x0000000000000000-mapping.dmp

Download
memory/1768-71-0x0000000000180000-0x00000000001F0000-memory.dmp

Filesize
448KB

Download
memory/1768-68-0x0000000000000000-mapping.dmp

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads