d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79

Analysis

max time kernel
69s
max time network
125s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-10-2022 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Size

5.7MB
MD5

48f8b740502412cccc79cecdbf7f4064
SHA1

9e8d1e5a67781ec6ba27822063009057a63c5cf0
SHA256

d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79
SHA512

9e97f7ec44f04ed3412fc51f0e0a3c70f0c9c00766f82a9212c407fb40a111ae5920c0e3dabcf416ae93963a5f5784d57ae5596216cd4c646d51112aff01fdb3
SSDEEP

98304:rufaRACOnSgipE1UZQaYNeX6GcSLAzINGhDiL4j92JKAWl0PMbGfo3acSGoh:KUY2QmlYAXYSLzNuDisj92UAWl+gGiad

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
856	ver.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
836	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1904	taskkill.exe
1528	taskkill.exe
1920	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1972	regedit.exe
1084	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 856	2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe	29
PID 2028 wrote to memory of 856	2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe	29
PID 2028 wrote to memory of 856	2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe	29
PID 2028 wrote to memory of 856	2028	d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe	29
PID 856 wrote to memory of 1720	856	ver.exe	31
PID 856 wrote to memory of 1720	856	ver.exe	31
PID 856 wrote to memory of 1720	856	ver.exe	31
PID 856 wrote to memory of 1720	856	ver.exe	31
PID 1720 wrote to memory of 1904	1720	cmd.exe	32
PID 1720 wrote to memory of 1904	1720	cmd.exe	32
PID 1720 wrote to memory of 1904	1720	cmd.exe	32
PID 1720 wrote to memory of 1528	1720	cmd.exe	34
PID 1720 wrote to memory of 1528	1720	cmd.exe	34
PID 1720 wrote to memory of 1528	1720	cmd.exe	34
PID 1720 wrote to memory of 1920	1720	cmd.exe	35
PID 1720 wrote to memory of 1920	1720	cmd.exe	35
PID 1720 wrote to memory of 1920	1720	cmd.exe	35
PID 1720 wrote to memory of 1972	1720	cmd.exe	36
PID 1720 wrote to memory of 1972	1720	cmd.exe	36
PID 1720 wrote to memory of 1972	1720	cmd.exe	36
PID 1720 wrote to memory of 1084	1720	cmd.exe	37
PID 1720 wrote to memory of 1084	1720	cmd.exe	37
PID 1720 wrote to memory of 1084	1720	cmd.exe	37
PID 1720 wrote to memory of 1408	1720	cmd.exe	38
PID 1720 wrote to memory of 1408	1720	cmd.exe	38
PID 1720 wrote to memory of 1408	1720	cmd.exe	38
PID 1720 wrote to memory of 1120	1720	cmd.exe	39
PID 1720 wrote to memory of 1120	1720	cmd.exe	39
PID 1720 wrote to memory of 1120	1720	cmd.exe	39
PID 1720 wrote to memory of 1948	1720	cmd.exe	40
PID 1720 wrote to memory of 1948	1720	cmd.exe	40
PID 1720 wrote to memory of 1948	1720	cmd.exe	40
PID 1720 wrote to memory of 1072	1720	cmd.exe	41
PID 1720 wrote to memory of 1072	1720	cmd.exe	41
PID 1720 wrote to memory of 1072	1720	cmd.exe	41
PID 1720 wrote to memory of 1388	1720	cmd.exe	42
PID 1720 wrote to memory of 1388	1720	cmd.exe	42
PID 1720 wrote to memory of 1388	1720	cmd.exe	42
PID 1720 wrote to memory of 1592	1720	cmd.exe	43
PID 1720 wrote to memory of 1592	1720	cmd.exe	43
PID 1720 wrote to memory of 1592	1720	cmd.exe	43
PID 1720 wrote to memory of 1704	1720	cmd.exe	44
PID 1720 wrote to memory of 1704	1720	cmd.exe	44
PID 1720 wrote to memory of 1704	1720	cmd.exe	44
PID 1720 wrote to memory of 1928	1720	cmd.exe	45
PID 1720 wrote to memory of 1928	1720	cmd.exe	45
PID 1720 wrote to memory of 1928	1720	cmd.exe	45
PID 1720 wrote to memory of 1212	1720	cmd.exe	46
PID 1720 wrote to memory of 1212	1720	cmd.exe	46
PID 1720 wrote to memory of 1212	1720	cmd.exe	46
PID 1720 wrote to memory of 836	1720	cmd.exe	47
PID 1720 wrote to memory of 836	1720	cmd.exe	47
PID 1720 wrote to memory of 836	1720	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe
"C:\Users\Admin\AppData\Local\Temp\d3c0a965821c6b1a088500094b81ebc6c34dd9af95ed7c14318ee102e5713b79.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\ver.exe
  C:\Users\Admin\AppData\Local\Temp\ver.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3FFE.tmp\3FFF.tmp\4000.bat C:\Users\Admin\AppData\Local\Temp\ver.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im openvpn.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1904
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im openvpn-gui.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1528
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im cstrike-online.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1920
  - - C:\Windows\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\OpenVPN\reg\HKLM\*.reg"
      4⤵
      Runs .reg file with regedit
      PID:1972
  - - C:\Windows\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\OpenVPN\reg\HKCU\*.reg"
      4⤵
      Runs .reg file with regedit
      PID:1084
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\OpenVPN-GUI" /v config_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\config" /f
      4⤵
      PID:1408
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN-GUI" /v exe_path /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\bin\openvpn.exe" /f
      4⤵
      PID:1120
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN-GUI" /v config_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\config" /f
      4⤵
      PID:1948
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN-GUI" /v log_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\log" /f
      4⤵
      PID:1072
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN" /v exe_path /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\bin\openvpn.exe" /f
      4⤵
      PID:1388
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN" /v config_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\config" /f
      4⤵
      PID:1592
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN" /v log_dir /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN\log" /f
      4⤵
      PID:1704
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\OpenVPN" /ve /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OpenVPN" /f
      4⤵
      PID:1928
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\Software\Nexon\CStrike-Online\Settings" /V EngineD3D /T REG_DWORD /D 0 /F
      4⤵
      PID:1212
  - - C:\Windows\system32\netsh.exe
      NetSh Advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3FFE.tmp\3FFF.tmp\4000.bat

Filesize
1KB

MD5
38711e5bd4bb651014ceabadf817ac8b

SHA1
3da32daf684e261fe228cfc2ed4470e26ea8c891

SHA256
c6adb8338163a42c0c32f98f86617eade59641f8ad99ed6a07d9264330611e41

SHA512
633180c2aad2787467c20a237be9fa8c62c1e1c686ac80e8ec323997b16b29b69e6f674469937d53ef9512350a37abb725aa6bae9823babd0eb125d0eb9f7142

Download Submit
C:\Users\Admin\AppData\Local\Temp\ver.exe

Filesize
113KB

MD5
717448338d945a169c78b051d7ecb397

SHA1
dc924a97785d3be9d85d205a054650bc17840ecf

SHA256
d394ffe8b88174635f30ff2d9cd34a53c038e47ff208945cf0abd99518555ea8

SHA512
7b814a33485b7aa426eb2957ba01812a9bd297223d6fead99f65b77e5e185e75a54e60de9018823dc62e55279fbad658c14b980b2bb827d86549b214fba62057

Download Submit
\Users\Admin\AppData\Local\Temp\ver.exe

Filesize
113KB

MD5
717448338d945a169c78b051d7ecb397

SHA1
dc924a97785d3be9d85d205a054650bc17840ecf

SHA256
d394ffe8b88174635f30ff2d9cd34a53c038e47ff208945cf0abd99518555ea8

SHA512
7b814a33485b7aa426eb2957ba01812a9bd297223d6fead99f65b77e5e185e75a54e60de9018823dc62e55279fbad658c14b980b2bb827d86549b214fba62057

Download Submit
memory/1972-66-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download