96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/09/2022, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
Size

699KB
MD5

6b43b10b3de0e6cdc299a30c4b7c3af2
SHA1

9a0f93fa091552b94632adff329c7c2686bfae33
SHA256

96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4
SHA512

c2afb915459e2cdc0a05e8975d5719b0aeacc55f50eb110791779acb9a61f7d7c6f6be0becded2b9639197516e16ebd44953c33b34c6416436c049450c7100d2
SSDEEP

12288:qPP2sGT1u2iCW0HXmD5l3ESFhOdVkRWAmAx3MMz10gLJqUZ9r:qz1H0a5lfhOzkRfmsMMZ0OJNV

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1400	VISTA64_DriverInstall.exe
1040	GP_CLT_LNCA_Service.exe
1988	GP_CLT_LNCA_Service.exe
1444	GP_CLT_LNCA.exe

Loads dropped DLL 15 IoCs

pid	Process
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
1444	GP_CLT_LNCA.exe
1444	GP_CLT_LNCA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GP_CLT_JIT = "C:\\Windows\\syswow64\\GP_CLT_LNCA.exe"	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe

Drops file in System32 directory 41 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}\SET1A74.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\syswow64\GP_CSP_LNCA_EX.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\HDIFD20B.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\JIT_USBKEY_HD.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\HD_hdcos480.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}\SET1A86.tmp	DrvInst.exe
File created	C:\Windows\syswow64\VISTA64_DriverInstall.exe	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\GP_UNI_LNCA.exe.manifest	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\HDCOS_LNCA.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\Cidcex.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\HD_SortDev.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}\SET1A75.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}\CIDCUSB.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\syswow64\cidcusb.cat	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\GP_ADM_LNCA.exe	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\GP_IFD_LNCA.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}\CIDCUSB.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cidcusb.inf_amd64_neutral_9a0c40d0728b89ff\cidcusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}	DrvInst.exe
File created	C:\Windows\syswow64\CIDCUSB.inf	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\Cidcex_LNCA.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}\SET1A86.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}\SET1A74.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cidcusb.inf_amd64_neutral_9a0c40d0728b89ff\CIDCUSB.PNF	DrvInst.exe
File created	C:\Windows\syswow64\CIDCUSB.sys	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\GP_UNI_LNCA.exe	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\GP_CLT_LNCA_Service.exe	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cidcusb.inf_amd64_neutral_9a0c40d0728b89ff\cidcusb.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	VISTA64_DriverInstall.exe
File created	C:\Windows\syswow64\GP_CLT_LNCA.exe	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}\cidcusb.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\syswow64\HD_HardAPI.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\lncaroot.cer	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\System32\DriverStore\Temp\{6acb77ff-5ce0-1d9f-6949-b32f068a2868}\SET1A75.tmp	DrvInst.exe
File created	C:\Windows\syswow64\GP_CSP_LNCA.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\GP_COS_LNCA.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
File created	C:\Windows\syswow64\JIT_KEYTOOL_HD.dll	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	VISTA64_DriverInstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\48AE45DE0AED6F9866F4D71A8867166D8DF783AD	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\48AE45DE0AED6F9866F4D71A8867166D8DF783AD\Blob = 03000000010000001400000048ae45de0aed6f9866f4d71a8867166d8df783ad200000000100000003030000308202ff30820268a003020102021061f02588e2b5d003eef1984915bf1089300d06092a864886f70d0101050500308194310b300906035504061302434e3111300f060355040813084c69616f6e696e673111300f060355040713085368656e79616e673141303f060355040a13384c69616f6e696e67204469676974616c20436572746966696361746520417574686f72697479204d616e6167656d656e7420436f2e4c7464310d300b060355040b13046c6e6361310d300b060355040313044c4e4341301e170d3034303332343038323234365a170d3239303331383038323234365a308194310b300906035504061302434e3111300f060355040813084c69616f6e696e673111300f060355040713085368656e79616e673141303f060355040a13384c69616f6e696e67204469676974616c20436572746966696361746520417574686f72697479204d616e6167656d656e7420436f2e4c7464310d300b060355040b13046c6e6361310d300b060355040313044c4e434130819f300d06092a864886f70d010101050003818d0030818902818100de2cba27a6d42904388c3e3fd22bf5b1fc1aacbb076b2296a6195979fc39ca138258a4418f7b86c6a0aa959a21abd72ffac779f4966eee3865f2c1d0b84b3e779ef7512130af0b15eef9d7348240c85e3dda4a928022d33fb0073f52b39cf80d83dd881b47db6ed8d66ea55cd8a5156a18dec2daad3103ad0782de19fcf94d990203010001a350304e301f0603551d23041830168014a310a60246c7d893382ac0aeb8057eaee91dc5f3301d0603551d0e04160414a310a60246c7d893382ac0aeb8057eaee91dc5f3300c0603551d13040530030101ff300d06092a864886f70d01010505000381810079030699a1c579862eb970c70597fa35130d97d8ba0deca5894b02ff9a471ee77ae69b5bcb0f352dbcc6d9a42178d7ca7b84bf6a5cc302fe653323fba5f498f09e21ffc71e1b182fe8d472b02078b832409eb96bcbf343330021ba22b5e1b6eac1beeac8aa33e5a14a3043331a57d2bc1e19541314adfd84c49783a6661c784e	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	1400	VISTA64_DriverInstall.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe
Token: SeRestorePrivilege	2000	DrvInst.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1444	GP_CLT_LNCA.exe
1444	GP_CLT_LNCA.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1444	GP_CLT_LNCA.exe
1444	GP_CLT_LNCA.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1444	GP_CLT_LNCA.exe
1444	GP_CLT_LNCA.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1400	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	28
PID 1660 wrote to memory of 1400	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	28
PID 1660 wrote to memory of 1400	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	28
PID 1660 wrote to memory of 1400	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	28
PID 1660 wrote to memory of 1040	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	29
PID 1660 wrote to memory of 1040	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	29
PID 1660 wrote to memory of 1040	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	29
PID 1660 wrote to memory of 1040	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	29
PID 1660 wrote to memory of 1444	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	32
PID 1660 wrote to memory of 1444	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	32
PID 1660 wrote to memory of 1444	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	32
PID 1660 wrote to memory of 1444	1660	96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe	32

C:\Users\Admin\AppData\Local\Temp\96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe
"C:\Users\Admin\AppData\Local\Temp\96c3b4fb74592d082c307fb9ee9aecc1dd99553afb000140dff4906248f0f3b4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\syswow64\VISTA64_DriverInstall.exe
  "C:\Windows\syswow64\VISTA64_DriverInstall.exe" -install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\syswow64\GP_CLT_LNCA_Service.exe
  "C:\Windows\syswow64\GP_CLT_LNCA_Service.exe" -install
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\syswow64\GP_CLT_LNCA.exe
  "C:\Windows\syswow64\GP_CLT_LNCA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1444

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{25b8bfbd-262f-2300-7484-025961cc7064}\CIDCUSB.inf" "9" "6780558fb" "000000000000056C" "WinSta0\Default" "0000000000000328" "208" "C:\Windows\syswow64"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\syswow64\GP_CLT_LNCA_Service.exe
C:\Windows\syswow64\GP_CLT_LNCA_Service.exe
1⤵
- Executes dropped EXE
PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{25B8B~1\CIDCUSB.sys

Filesize
17KB

MD5
796a0d08823bc9ca9b03c51137a6a676

SHA1
0cd0e117d3055143d3aa5ccf3bdaa036f4ff8409

SHA256
bd436c7e3c03c20a88807a610fe7f17e6de3e21924edc2c77834801033d8ccd4

SHA512
18173c0e23cadd16b905699abc413d713a4bd6f2c658befb3232a19e66207f6bfcf2f0979ac1577d68c4bf8cbc3c5ee487baeda53bdeefb1e16dc31085c40c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25b8bfbd-262f-2300-7484-025961cc7064}\CIDCUSB.inf

Filesize
7KB

MD5
7486da61128fc1a30aad41d28a18d6bf

SHA1
c8e50522236b2ef730d9e33c4956a987858efb81

SHA256
09678517654185d91de64ac89639a01ea8f7922c90feb9d356c708bbd8006893

SHA512
1a653e6a30496f810c0b7ac911adac54f0bc263a43b3b8d3ce386161c5731dca1f2d2755af3d346c9d683809a7d037950482b1303d9e8e7e69966c955ebb43d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{25b8bfbd-262f-2300-7484-025961cc7064}\cidcusb.cat

Filesize
11KB

MD5
c068d42c8140b61dce772f61786fd267

SHA1
8c3124a60cdbf75eb5aef874fb77905a68cce7e5

SHA256
3a6924b7e1268162ba801227c4cc26847e8d44025d135d81f419bc3fc60073d8

SHA512
14b36b5ad2900f0757af04a194c95f873c7badd8d3b943ebafc1baa868190ed4a0310c4df092833d2cd60eb247d85994764c5f1cb40730f9bd43caed9931e49d

Download Submit
C:\Windows\SysWOW64\GP_CLT_LNCA.exe

Filesize
236KB

MD5
1362d662e55d16d526c923eb11faa59e

SHA1
51c2932a85d1bcf08319cd58c441539d856280b2

SHA256
ff986fb70d1bb3b25351946d1e788d66284163234f46a33c3b80bd290565316f

SHA512
f83c351a03fcc76fce1ba069ca1a11d29bd5fca849008796bd3e308e9f7b059eb036dc07f43d7bf0f2d11123d81c8e11b20fdce988036c552978184fcc670642

Download Submit
C:\Windows\SysWOW64\GP_CLT_LNCA_Service.exe

Filesize
24KB

MD5
117637bf8e49ceac11dd381cb4b0f703

SHA1
77e9f575cb4f93d914c9371a53d6dfd2e61ce218

SHA256
82ddc3f2363c24cdd5550223a6686a3c0622692a2337a18a15a2d2bf95fc11f5

SHA512
f7ba0b208e77ae05158d6a3e5c1d8fd82c62c47a4f61e2adab711e2ed692c28260115b6fe43a95da7d4f8a03be27d94a1233d5901afdb8fca36ba5aa6a7a305e

Download Submit
C:\Windows\SysWOW64\GP_CLT_LNCA_Service.exe

Filesize
24KB

MD5
117637bf8e49ceac11dd381cb4b0f703

SHA1
77e9f575cb4f93d914c9371a53d6dfd2e61ce218

SHA256
82ddc3f2363c24cdd5550223a6686a3c0622692a2337a18a15a2d2bf95fc11f5

SHA512
f7ba0b208e77ae05158d6a3e5c1d8fd82c62c47a4f61e2adab711e2ed692c28260115b6fe43a95da7d4f8a03be27d94a1233d5901afdb8fca36ba5aa6a7a305e

Download Submit
C:\Windows\SysWOW64\VISTA64_DriverInstall.exe

Filesize
64KB

MD5
3ef08aaf04ece1ca290cc50946b6ac7d

SHA1
28bf0fd04e5aa03343b9d1f353aacd49fc08a768

SHA256
a3a1b84851a2544f55585da1e1ba8150350fdd3d3f80c5664b73089fcc9f3dfa

SHA512
6028d62fd440e450ebcdb1ae185e055773e5f2723254b50867915e1eafc9b41a0fe759651e3b4800c3b2d0153d56a8e795f38cfba739c97c96098f0cde88f753

Download Submit
C:\Windows\syswow64\CIDCUSB.inf

Filesize
7KB

MD5
7486da61128fc1a30aad41d28a18d6bf

SHA1
c8e50522236b2ef730d9e33c4956a987858efb81

SHA256
09678517654185d91de64ac89639a01ea8f7922c90feb9d356c708bbd8006893

SHA512
1a653e6a30496f810c0b7ac911adac54f0bc263a43b3b8d3ce386161c5731dca1f2d2755af3d346c9d683809a7d037950482b1303d9e8e7e69966c955ebb43d0

Download Submit
C:\Windows\syswow64\CIDCUSB.sys

Filesize
17KB

MD5
796a0d08823bc9ca9b03c51137a6a676

SHA1
0cd0e117d3055143d3aa5ccf3bdaa036f4ff8409

SHA256
bd436c7e3c03c20a88807a610fe7f17e6de3e21924edc2c77834801033d8ccd4

SHA512
18173c0e23cadd16b905699abc413d713a4bd6f2c658befb3232a19e66207f6bfcf2f0979ac1577d68c4bf8cbc3c5ee487baeda53bdeefb1e16dc31085c40c3f

Download Submit
C:\Windows\syswow64\GP_COS_LNCA.dll

Filesize
604KB

MD5
8575af4ef74168fc3e8ebbcda94d294c

SHA1
ce768c930c9efd19de252130ebdf4696c0403305

SHA256
0586d34c0cda53b6123bc6c5847e8863b08ffc38d2bdef54d2f80db51406a70f

SHA512
fc7e0f52cb3a23b752e68cb9d0e129e0b15ab1f7483817eea531201b691e69ad8c6a56407dbc438c42df323b64a8b8488a558597dcfe8955781f8b6a40a981e4

Download Submit
C:\Windows\syswow64\GP_IFD_LNCA.dll

Filesize
156KB

MD5
bdc9e891ea0eac91d292080a83d43997

SHA1
b42a613d1ac67723fcc1e2f1896c75d350bdd6db

SHA256
8a6bd5135f00f0cc4dc07efa37694a26bfbcda2e429d5847325ea891fdc9b1fe

SHA512
26aa70cb8182fc6edf884c84f0325a39d3c6879df33ebbd8173728dd3827d6e77ba145fd0165f97154c44eb732f3a73d8f6763bda698dd3dc20811eda0629605

Download Submit
C:\Windows\syswow64\cidcusb.cat

Filesize
11KB

MD5
c068d42c8140b61dce772f61786fd267

SHA1
8c3124a60cdbf75eb5aef874fb77905a68cce7e5

SHA256
3a6924b7e1268162ba801227c4cc26847e8d44025d135d81f419bc3fc60073d8

SHA512
14b36b5ad2900f0757af04a194c95f873c7badd8d3b943ebafc1baa868190ed4a0310c4df092833d2cd60eb247d85994764c5f1cb40730f9bd43caed9931e49d

Download Submit
\Windows\SysWOW64\GP_ADM_LNCA.exe

Filesize
88KB

MD5
156746591e8705b3e6ba0cba17dee0e5

SHA1
9144e390354e95df949b1267be15a6cf5d128678

SHA256
2a569fd1a4f433526b7dfe568e9ec37f5219739f92666307407475a6eb8b0e96

SHA512
8978bb7ff961ae671831d1bab369200e98dbe1327c25231b13867a1a497b4844d589820cd3c07c8b0c376970e0befb10460e1a002f6435ab15aa7e4bb7b8ec52

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA.exe

Filesize
236KB

MD5
1362d662e55d16d526c923eb11faa59e

SHA1
51c2932a85d1bcf08319cd58c441539d856280b2

SHA256
ff986fb70d1bb3b25351946d1e788d66284163234f46a33c3b80bd290565316f

SHA512
f83c351a03fcc76fce1ba069ca1a11d29bd5fca849008796bd3e308e9f7b059eb036dc07f43d7bf0f2d11123d81c8e11b20fdce988036c552978184fcc670642

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA.exe

Filesize
236KB

MD5
1362d662e55d16d526c923eb11faa59e

SHA1
51c2932a85d1bcf08319cd58c441539d856280b2

SHA256
ff986fb70d1bb3b25351946d1e788d66284163234f46a33c3b80bd290565316f

SHA512
f83c351a03fcc76fce1ba069ca1a11d29bd5fca849008796bd3e308e9f7b059eb036dc07f43d7bf0f2d11123d81c8e11b20fdce988036c552978184fcc670642

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA.exe

Filesize
236KB

MD5
1362d662e55d16d526c923eb11faa59e

SHA1
51c2932a85d1bcf08319cd58c441539d856280b2

SHA256
ff986fb70d1bb3b25351946d1e788d66284163234f46a33c3b80bd290565316f

SHA512
f83c351a03fcc76fce1ba069ca1a11d29bd5fca849008796bd3e308e9f7b059eb036dc07f43d7bf0f2d11123d81c8e11b20fdce988036c552978184fcc670642

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA.exe

Filesize
236KB

MD5
1362d662e55d16d526c923eb11faa59e

SHA1
51c2932a85d1bcf08319cd58c441539d856280b2

SHA256
ff986fb70d1bb3b25351946d1e788d66284163234f46a33c3b80bd290565316f

SHA512
f83c351a03fcc76fce1ba069ca1a11d29bd5fca849008796bd3e308e9f7b059eb036dc07f43d7bf0f2d11123d81c8e11b20fdce988036c552978184fcc670642

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA.exe

Filesize
236KB

MD5
1362d662e55d16d526c923eb11faa59e

SHA1
51c2932a85d1bcf08319cd58c441539d856280b2

SHA256
ff986fb70d1bb3b25351946d1e788d66284163234f46a33c3b80bd290565316f

SHA512
f83c351a03fcc76fce1ba069ca1a11d29bd5fca849008796bd3e308e9f7b059eb036dc07f43d7bf0f2d11123d81c8e11b20fdce988036c552978184fcc670642

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA_Service.exe

Filesize
24KB

MD5
117637bf8e49ceac11dd381cb4b0f703

SHA1
77e9f575cb4f93d914c9371a53d6dfd2e61ce218

SHA256
82ddc3f2363c24cdd5550223a6686a3c0622692a2337a18a15a2d2bf95fc11f5

SHA512
f7ba0b208e77ae05158d6a3e5c1d8fd82c62c47a4f61e2adab711e2ed692c28260115b6fe43a95da7d4f8a03be27d94a1233d5901afdb8fca36ba5aa6a7a305e

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA_Service.exe

Filesize
24KB

MD5
117637bf8e49ceac11dd381cb4b0f703

SHA1
77e9f575cb4f93d914c9371a53d6dfd2e61ce218

SHA256
82ddc3f2363c24cdd5550223a6686a3c0622692a2337a18a15a2d2bf95fc11f5

SHA512
f7ba0b208e77ae05158d6a3e5c1d8fd82c62c47a4f61e2adab711e2ed692c28260115b6fe43a95da7d4f8a03be27d94a1233d5901afdb8fca36ba5aa6a7a305e

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA_Service.exe

Filesize
24KB

MD5
117637bf8e49ceac11dd381cb4b0f703

SHA1
77e9f575cb4f93d914c9371a53d6dfd2e61ce218

SHA256
82ddc3f2363c24cdd5550223a6686a3c0622692a2337a18a15a2d2bf95fc11f5

SHA512
f7ba0b208e77ae05158d6a3e5c1d8fd82c62c47a4f61e2adab711e2ed692c28260115b6fe43a95da7d4f8a03be27d94a1233d5901afdb8fca36ba5aa6a7a305e

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA_Service.exe

Filesize
24KB

MD5
117637bf8e49ceac11dd381cb4b0f703

SHA1
77e9f575cb4f93d914c9371a53d6dfd2e61ce218

SHA256
82ddc3f2363c24cdd5550223a6686a3c0622692a2337a18a15a2d2bf95fc11f5

SHA512
f7ba0b208e77ae05158d6a3e5c1d8fd82c62c47a4f61e2adab711e2ed692c28260115b6fe43a95da7d4f8a03be27d94a1233d5901afdb8fca36ba5aa6a7a305e

Download Submit
\Windows\SysWOW64\GP_CLT_LNCA_Service.exe

Filesize
24KB

MD5
117637bf8e49ceac11dd381cb4b0f703

SHA1
77e9f575cb4f93d914c9371a53d6dfd2e61ce218

SHA256
82ddc3f2363c24cdd5550223a6686a3c0622692a2337a18a15a2d2bf95fc11f5

SHA512
f7ba0b208e77ae05158d6a3e5c1d8fd82c62c47a4f61e2adab711e2ed692c28260115b6fe43a95da7d4f8a03be27d94a1233d5901afdb8fca36ba5aa6a7a305e

Download Submit
\Windows\SysWOW64\GP_COS_LNCA.dll

Filesize
604KB

MD5
8575af4ef74168fc3e8ebbcda94d294c

SHA1
ce768c930c9efd19de252130ebdf4696c0403305

SHA256
0586d34c0cda53b6123bc6c5847e8863b08ffc38d2bdef54d2f80db51406a70f

SHA512
fc7e0f52cb3a23b752e68cb9d0e129e0b15ab1f7483817eea531201b691e69ad8c6a56407dbc438c42df323b64a8b8488a558597dcfe8955781f8b6a40a981e4

Download Submit
\Windows\SysWOW64\GP_IFD_LNCA.dll

Filesize
156KB

MD5
bdc9e891ea0eac91d292080a83d43997

SHA1
b42a613d1ac67723fcc1e2f1896c75d350bdd6db

SHA256
8a6bd5135f00f0cc4dc07efa37694a26bfbcda2e429d5847325ea891fdc9b1fe

SHA512
26aa70cb8182fc6edf884c84f0325a39d3c6879df33ebbd8173728dd3827d6e77ba145fd0165f97154c44eb732f3a73d8f6763bda698dd3dc20811eda0629605

Download Submit
\Windows\SysWOW64\GP_UNI_LNCA.exe

Filesize
76KB

MD5
f9fde36a6b52ebf0bcfe616e26ea4927

SHA1
6b039d4708cde4f68bbbcf015a3db7b035dd6c76

SHA256
e0cbb06e5ff3f930b3280b10ab68872b15ddf45086d623c9300a5f605caaf5a0

SHA512
27873a7c2cb7b5ca6add7c8e027ea86ac32c92f16d1de5e24bdba312b86e0108b70ca46f5670669a292e2ee7a1e2a0a139cbd9c791acb071b297ffed70eade12

Download Submit
\Windows\SysWOW64\VISTA64_DriverInstall.exe

Filesize
64KB

MD5
3ef08aaf04ece1ca290cc50946b6ac7d

SHA1
28bf0fd04e5aa03343b9d1f353aacd49fc08a768

SHA256
a3a1b84851a2544f55585da1e1ba8150350fdd3d3f80c5664b73089fcc9f3dfa

SHA512
6028d62fd440e450ebcdb1ae185e055773e5f2723254b50867915e1eafc9b41a0fe759651e3b4800c3b2d0153d56a8e795f38cfba739c97c96098f0cde88f753

Download Submit
memory/1444-90-0x0000000002E40000-0x0000000002ED9000-memory.dmp

Filesize
612KB

Download
memory/1444-89-0x0000000002E41000-0x0000000002EA6000-memory.dmp

Filesize
404KB

Download
memory/1660-57-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download
memory/1660-55-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download
memory/1660-56-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download
memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1660-91-0x0000000000400000-0x000000000066E000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads