818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2022, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Size

1.5MB
MD5

6526fce1e0dae913d23d5d3cdfe490bb
SHA1

61735bdc0cacf7ae63d7476a1d9884b0520cbea2
SHA256

818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474
SHA512

a28a1a9830f0e4d7d3306dc5ed8693c8984e7c04e02760dc4ad9edcf1f22e42bcb8b5f1c09571a920fb99fb6f9d1a2c1c48a76a404bb6db8ca069cc7770a9144
SSDEEP

24576:Vx8RRrFbKWdSScnVesdIDCdrG5y7pMOoj8cUnDdr6Py4qfS:VyRhdSoswC8ARojCV/S

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4864	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
4864	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KoalCertCtl.ocx	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
File created	C:\Windows\SysWOW64\KoalCspWrapper.ocx	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE40E461-167A-4AAB-A91F-3F7168BD3EFB}\ProgID\ = "KOALCERT.KoalCertCtrl.1"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}\Version\ = "1.0"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF00AA02-29A7-4F19-A0EF-227C43E06CDA}\TypeLib\Version = "1.0"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{135ED01F-CFB3-48DF-85D0-B3C41CA0DEAB}\ProxyStubClsid32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\ = "_DKoalCspWrapperEvents"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KOALCERT.KoalCertCtrl.1	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53C8E179-5169-4299-A221-D6A4C6983F74}\TypeLib\Version = "1.0"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE40E461-167A-4AAB-A91F-3F7168BD3EFB}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}\ToolboxBitmap32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF00AA02-29A7-4F19-A0EF-227C43E06CDA}\ = "_DKoalCert"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\ProxyStubClsid32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF00AA02-29A7-4F19-A0EF-227C43E06CDA}\TypeLib	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF00AA02-29A7-4F19-A0EF-227C43E06CDA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53C8E179-5169-4299-A221-D6A4C6983F74}\TypeLib\ = "{226CB453-D48D-433A-9F37-3528F440B231}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\TypeLib	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF00AA02-29A7-4F19-A0EF-227C43E06CDA}	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KoalEAClient.CspWrapper.1\CLSID\ = "{97B82291-29CC-4F44-A64C-89A524C797B9}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{135ED01F-CFB3-48DF-85D0-B3C41CA0DEAB}\TypeLib	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\TypeLib\ = "{4F5260E1-C1C4-442C-A343-6330D4307BA0}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF00AA02-29A7-4F19-A0EF-227C43E06CDA}\TypeLib\Version = "1.0"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE40E461-167A-4AAB-A91F-3F7168BD3EFB}\MiscStatus\ = "0"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}\InprocServer32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF00AA02-29A7-4F19-A0EF-227C43E06CDA}\ = "_DKoalCert"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF00AA02-29A7-4F19-A0EF-227C43E06CDA}\ProxyStubClsid32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}\InprocServer32\ = "C:\\Windows\\SysWow64\\KOALCS~1.OCX"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2EE2C36-5938-4AE3-AB87-2251333A4150}	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\TypeLib\ = "{4F5260E1-C1C4-442C-A343-6330D4307BA0}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F5260E1-C1C4-442C-A343-6330D4307BA0}\1.0\FLAGS\ = "2"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\TypeLib\Version = "1.0"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KoalEAClient.CspWrapper.1\CLSID	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE40E461-167A-4AAB-A91F-3F7168BD3EFB}\Version\ = "1.0"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0FF931E2-4D12-40FA-BA14-DF7FF21B6062}\InprocServer32\ = "C:\\Windows\\SysWow64\\KOALCE~1.OCX"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F5260E1-C1C4-442C-A343-6330D4307BA0}\1.0\0	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{135ED01F-CFB3-48DF-85D0-B3C41CA0DEAB}\ = "_DKoalCspWrapper"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\ = "_DKoalCspWrapperEvents"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E42E97-318D-48C8-9079-5A34FD2A1603}\InprocServer32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{226CB453-D48D-433A-9F37-3528F440B231}\1.0\0\win32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F5260E1-C1C4-442C-A343-6330D4307BA0}\1.0	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64E42E97-318D-48C8-9079-5A34FD2A1603}	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE40E461-167A-4AAB-A91F-3F7168BD3EFB}\ToolboxBitmap32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{135ED01F-CFB3-48DF-85D0-B3C41CA0DEAB}\TypeLib\ = "{4F5260E1-C1C4-442C-A343-6330D4307BA0}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{135ED01F-CFB3-48DF-85D0-B3C41CA0DEAB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53C8E179-5169-4299-A221-D6A4C6983F74}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{135ED01F-CFB3-48DF-85D0-B3C41CA0DEAB}\TypeLib\ = "{4F5260E1-C1C4-442C-A343-6330D4307BA0}"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}\MiscStatus	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}\InprocServer32\ThreadingModel = "Apartment"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{226CB453-D48D-433A-9F37-3528F440B231}\1.0	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3612F9D0-1449-410B-B15A-D36F9831DD8C}\ProxyStubClsid32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}\ProgID	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}\ProgID\ = "KoalEAClient.CspWrapper.1"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97B82291-29CC-4F44-A64C-89A524C797B9}\MiscStatus\1\ = "131473"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2EE2C36-5938-4AE3-AB87-2251333A4150}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53C8E179-5169-4299-A221-D6A4C6983F74}\TypeLib\Version = "1.0"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53C8E179-5169-4299-A221-D6A4C6983F74}\ProxyStubClsid32	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE40E461-167A-4AAB-A91F-3F7168BD3EFB}\InprocServer32\ = "C:\\Windows\\SysWow64\\KOALCE~1.OCX"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE40E461-167A-4AAB-A91F-3F7168BD3EFB}\TypeLib	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F5260E1-C1C4-442C-A343-6330D4307BA0}\1.0\FLAGS	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4F5260E1-C1C4-442C-A343-6330D4307BA0}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\KoalCspWrapper.ocx"	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\b26fa75369d6fd879204d8e67fcc105ef35fcd84	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\b26fa75369d6fd879204d8e67fcc105ef35fcd84\Blob = 040000000100000010000000ce0dca5a774adc3de979a7ce2f9654b01400000001000000140000002c7ae7b0c78de1a7958cc70293d76d2fe3ddf2681900000001000000100000008042815a4d8d7af8e9cc32084ec5370e030000000100000014000000b26fa75369d6fd879204d8e67fcc105ef35fcd840f0000000100000014000000beff8dcad805c5a5c8f3c2f19b08c69377281fbc200000000100000029030000308203253082020da003020102020c7bc5d8e2e4cd536949f6eaf3300d06092a864886f70d0101050500302d310b300906035504061302434e310c300a060355040a0c034e42533110300e06035504030c074e4253524f4f54301e170d3039303730383038333932365a170d3234303730343038333932365a302d310b300906035504061302434e310c300a060355040a0c034e42533110300e06035504030c074e4253524f4f5430820122300d06092a864886f70d01010105000382010f003082010a028201010099c64c4e2a4ac0a5320bbddeaa727c42f8107f3e0af2d305e3872bea1d36bb02a620fa83415de5d8d4ab8c1d00f93ad18eae77f415d6412bc169998e4db3c1b1ed8a5e503ef0971559edf122c9d807d2511c3d61dd9661918f9185665219892fe4f185be1ea693b43f96afd2561c3c9ff63c18aef0b0528cd925942569d2a4ae62d73c53cedd420155c534179d1c28776f1082bde59f89fd4e3bd04ad29fff618a9b4f0573582864fb7e105921797136fcc4816e9628576247d2664918813161edba5bf40c2d50ac62200e9ef221c264b75d007d46470d6ea1aca98fdb0d210d75386f32c532a93336d32471de8e0e9c1c80d10c9e28ee67f2ae61453e9d24c50203010001a3453043300e0603551d0f010100040403020086300f0603551d13010100040530030101ff30200603551d0e010100041604142c7ae7b0c78de1a7958cc70293d76d2fe3ddf268300d06092a864886f70d0101050500038201010010b27cc8b0460c16e5afaba8e206e21057b53681e974bb0c00a48c53ff192e527fcd22b68c76b11fbe02aa93a7a1e4843200fda2cfb1f09a64395278075effb0fa23f64105ca25fe61b53c5bdc99d1986adc0de33e3aa5c148130fd824a4ceb06a394d93471720f4db1f452a3077bb949a52d9a5fe3780ecfeddf27cf1dc6f5fe05e72735be9e1b957af225477139d5da1136723f25cb011e1f534a07e3a9dfacf7ed29e3b866922877702d918dcc582fe408d468d1856962285c7f3f2fdaa0a5eabca710d2512246d1943fa17bedf84e9ab189e3b0cc3b72d232a55f5f2bafd9084781bf192358bb5cdecf633811064f4b9bdf36d4ca2a78638f0ed4bd49136	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7630262c0d895ed6ff6ca702fcdb6da669851b55	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\7630262c0d895ed6ff6ca702fcdb6da669851b55\Blob = 04000000010000001000000039a02ccdb5f3cce2e0f24df3a22d1b7d14000000010000001400000040b6850f0140408ae6d734d4fbf51a60c01300f4190000000100000010000000efd08499597ba4edd93094a92593ff730300000001000000140000007630262c0d895ed6ff6ca702fcdb6da669851b550f000000010000001400000009fad222e4400bea967e5d738e185c92290be1af2000000001000000d5020000308202d1308201b9a003020102020c51044920043a99fc30348111300d06092a864886f70d0101050500302d310b300906035504061302434e310c300a060355040a0c034e42533110300e06035504030c074e4253524f4f54301e170d3132303432373036343435345a170d3139303432363036343435345a3039310b300906035504061302434e311b3019060355040a0c12e8bebde5ae81e79c81e7bb9fe8aea1e5b180310d300b06035504030c044c4e434130819f300d06092a864886f70d010101050003818d003081890281810086727c870c5a87665e0268a4014635a6fe04ef4b6961276010942905b1fcedc95fbaa9208da3802eae49f7477af9fdd5f82a9ca3cf8e414db594b7a4eae86124e72065618367278ff0e18336f2baa8f49fdd120f5cd329cb76ee1a9a0fe24c05c37bbef37261c227668d65bb598a0b876e720f1090c338f1f6f5f32da3a04bcb0203010001a3693067300e0603551d0f010100040403020086300f0603551d13010100040530030101ff30220603551d230101000418301680142c7ae7b0c78de1a7958cc70293d76d2fe3ddf26830200603551d0e0101000416041440b6850f0140408ae6d734d4fbf51a60c01300f4300d06092a864886f70d0101050500038201010092ce0b1a2ff9944928492b472ae1a742bbc976e2491a80e1d893386023e6785ed0d0e910b701fa13e68dfee1dc9d2bd469d737564def636afde4df1441e46ebf47004aa53a14b05d2394fdab7bc32029b73c405dec559343c0fb46b54cdd4a180fbd0d7cf4813bd0437d5dbe0bb2eae4db9d1d98bdca559b28ec161397c8e524257e03c1f7538b4b56be8f1ea34df818ae342c55a67e7b2c32a5ab5ebc65819d9f65884446184f590007aa464607ca21a0d603321524e46f6e3d52d60c40de3b0198d32766d4748f1ef53d4e3135042a299468894d177063e570562bf43a489db0f1757c55b957c6ab0bada05b514478b421efce73de9067966d109fdf9ae23b	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4864	818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe

C:\Users\Admin\AppData\Local\Temp\818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe
"C:\Users\Admin\AppData\Local\Temp\818c25dead553315d6a57090b13cc151a56a257cbf38009ec331a8f8a6b96474.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KoalCertCtl.ocx

Filesize
395KB

MD5
c9ad6129a6300c8ba85097846de8fcaa

SHA1
449d4913b2c61357c6e05373bd3b2517915cd641

SHA256
ec4f39f69a961d16cf9ac7b2e31ebd7b775fe72d6dd20270d45ab3e698f23e21

SHA512
d1ee5bea9b909896d2c71274841114b2e769184790be519a16da7670d33a46fd2b5db185dbdafcc0c8a0f0b45b1d1806450f9cdbd23f2063cf683f040de59e6c

Download Submit
C:\Windows\SysWOW64\KoalCspWrapper.ocx

Filesize
338KB

MD5
c1246be1af02577db6e8a0a35a508072

SHA1
2e13246248fe1dece8571787ddfeeae8a13bcde2

SHA256
13615176e69563ab8f136eef911f07b55533151b6593fe855863d37fcb8dd340

SHA512
7162b3bfdce475357aeb67ce12308774647b0aef355f61827ad80af1b16d09e0c3746caa526020b0f8438a232c480a12e201924b990cda49b7525c187a1d10a2

Download Submit
memory/4864-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4864-134-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4864-135-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/4864-138-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download