63099056cb799342f77361e6b5c8699c228f3a9721054309a419568069638434

Analysis

max time kernel
150s
max time network
105s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-10-2022 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
Size

1.3MB
MD5

f33994ea6d1435c9ce022be397d577db
SHA1

d289253f905c33e0808a20634d02379285a81c6f
SHA256

9176d5869473bf0624ad1006a00df74d2e3042387ed43536ed84ebd3fe853847
SHA512

1230c1c5037521458c973055ff436759de848af2352b1218dd5e07eff7bd08d7b0e23a55f4b314d9a45cd863874cc71c4afe4c1dd13d6064c00b62b280997b26
SSDEEP

24576:d0f5g1jTVqnV0HNz2oKjHdlukYy8RfEQbJ74A9BDS:OhIknaHlHgdd2fEQV779

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe

C:\Users\Admin\AppData\Local\Temp\Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe
"C:\Users\Admin\AppData\Local\Temp\Gui Gu Ba Huang Early Access Plus 54 Trainer Updated 2022.07.19.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-54-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/564-56-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/564-57-0x000000001AFAA000-0x000000001AFC9000-memory.dmp

Filesize
124KB

Download
memory/564-55-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/564-58-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/564-59-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/564-60-0x000000001AFAA000-0x000000001AFC9000-memory.dmp

Filesize
124KB

Download