f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9

Analysis

max time kernel
127s
max time network
138s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-09-2022 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
Size

149KB
MD5

7d8f0e539e50eb545d094c50aab0ea9e
SHA1

9368da690ace5328abc4461cd8322d78c1fdc290
SHA256

f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9
SHA512

092d05eb357da75c2a6646a353e1c1cf7f0ae66ea32ac4beff8fda87160c9226417b187b4ac34e7b5745aaa65c8a6b8b33b9f02e19d9a959627544b50a3eae7a
SSDEEP

3072:Pmpq7ybSPGccu5R9Wl7rSmpVYc7+DUltw/ArIW1:epqG2eM5R9kNj2UlgJ

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	288	Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcz-f9c5420c0f039a178f5495ecfb657f8da383624e0cf7f02c645fbdfa95e2e8b9.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-54-0x00000000011D0000-0x00000000011FC000-memory.dmp

Filesize
176KB

Download
memory/288-55-0x0000000000140000-0x0000000000156000-memory.dmp

Filesize
88KB

Download
memory/288-56-0x0000000000150000-0x0000000000156000-memory.dmp

Filesize
24KB

Download
memory/288-57-0x00000000006C0000-0x00000000006F8000-memory.dmp

Filesize
224KB

Download