ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2

General

Target

ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Size

168KB
MD5

5ca217a200f8b18365d41e1c6536f929
SHA1

9e6a9dc8cb4c7f9eb433f6c930388225acb516ca
SHA256

ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2
SHA512

6b6a25d885a23155756446fe9e9458c4a73adeb750bfefa46e955f913e0821e5f0fd7da63253eb0d01f9e60858a776422a9c582c9b09ad19f7777428daf14a36
SSDEEP

3072:DK5Q3FoscbwKMD07DeDrVBRpg5lFknZqOIJ8z:DWGFOMF07DeD9pg5lFmwOIJ8

Score

8^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

servicesc.exe

pid process

1440 servicesc.exe

Loads dropped DLL 2 IoCs

Processes:

ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe

pid	process
2020	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
2020	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "34486"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "5"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "65"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "28734"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "28742"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29054"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "34486"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "35"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "87"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "141"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18657"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "18657"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29042"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "0"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "3"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "132"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "35"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "79"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "141"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "28747"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "54"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "65"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "119"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "18657"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "28747"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "8"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "5"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "35"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "79"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "132"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "28737"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "34483"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "34496"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "3"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "122"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "28866"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "29042"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "29054"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "34483"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "65"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "87"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "87"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "127"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "28844"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "28866"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "34496"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "34486"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "79"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "127"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "28734"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "28866"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.baidu.com\ = "29042"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "141"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "0"	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

servicesc.exe

pid	process
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe
1440	servicesc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	836	AUDIODG.EXE
Token: 33	836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	836	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exeservicesc.exe

pid	process
2020	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
2020	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
2020	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
1440	servicesc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe

description	pid	process	target process
PID 2020 wrote to memory of 1440	2020	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe	servicesc.exe
PID 2020 wrote to memory of 1440	2020	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe	servicesc.exe
PID 2020 wrote to memory of 1440	2020	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe	servicesc.exe
PID 2020 wrote to memory of 1440	2020	ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe	servicesc.exe

C:\Users\Admin\AppData\Local\Temp\ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
"C:\Users\Admin\AppData\Local\Temp\ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\servicesc.exe
C:\Users\Admin\AppData\Local\Temp\servicesc.exe ea4d6467823685c440bd597507511c41b94c9d5903d14d4ea198f666032314d2.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x184
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\servicesc.exe

Filesize
32KB

MD5
d542fd20caac2c34bbec498c05b0d828

SHA1
5deb07503e212e23e1f6d23b7fd93289da20061f

SHA256
d74fca83e5cf20d9081e099a12e9c70d8c6ecaf52f4ec2963246353dc447b666

SHA512
0e853a822008229b81a89ebc80d0d7beef08c45471cf4a2d6eb12aa1e19d56c96b6f7ae18f49cc2c317941b2a1c18be6211e8447b22eb5498dbcd17a8ea5c78b

Download Submit
\Users\Admin\AppData\Local\Temp\servicesc.exe

Filesize
32KB

MD5
d542fd20caac2c34bbec498c05b0d828

SHA1
5deb07503e212e23e1f6d23b7fd93289da20061f

SHA256
d74fca83e5cf20d9081e099a12e9c70d8c6ecaf52f4ec2963246353dc447b666

SHA512
0e853a822008229b81a89ebc80d0d7beef08c45471cf4a2d6eb12aa1e19d56c96b6f7ae18f49cc2c317941b2a1c18be6211e8447b22eb5498dbcd17a8ea5c78b

Download Submit
\Users\Admin\AppData\Local\Temp\servicesc.exe

Filesize
32KB

MD5
d542fd20caac2c34bbec498c05b0d828

SHA1
5deb07503e212e23e1f6d23b7fd93289da20061f

SHA256
d74fca83e5cf20d9081e099a12e9c70d8c6ecaf52f4ec2963246353dc447b666

SHA512
0e853a822008229b81a89ebc80d0d7beef08c45471cf4a2d6eb12aa1e19d56c96b6f7ae18f49cc2c317941b2a1c18be6211e8447b22eb5498dbcd17a8ea5c78b

Download Submit
memory/1440-59-0x0000000000000000-mapping.dmp

Download
memory/2020-56-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/2020-63-0x0000000004251000-0x00000000050FD000-memory.dmp

Filesize
14.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads