4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55

Analysis

max time kernel
177s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
Size

483KB
MD5

7bfa60f204b5c4cc84468af9ec76f9f6
SHA1

5c4f0ebbf0f43f09d46f9cf8c2513e211dd479bb
SHA256

4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55
SHA512

eaeaef1b42bae521a497d228290b7f164a71feac51f5aca7632d00b71678b400c9c840c57e9449a70c9127cd7ed57d9fb545c4424ff2eca14d2624df7560d710
SSDEEP

6144:TqNPTKSVqaGoZidNUvnovyda0crb2x7Qr+P7XQL/vjr9NF5+PLEtN9D4Zyo9KRP/:QidKQKdLcrbWa+P7AfrezGfN

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

duvii.exeduvii.exeduvii.exe

pid process

1188 duvii.exe
3032 duvii.exe
5072 duvii.exe

pid	process
1188	duvii.exe
3032	duvii.exe
5072	duvii.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

duvii.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\Currentversion\Run	duvii.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Obkauzf = "C:\\Users\\Admin\\AppData\\Roaming\\Itpyo\\duvii.exe"	duvii.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exeduvii.exe

description	pid	process	target process
PID 836 set thread context of 4800	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	AppLaunch.exe
PID 836 set thread context of 4404	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 1188 set thread context of 4820	1188	duvii.exe	AppLaunch.exe
PID 1188 set thread context of 5072	1188	duvii.exe	duvii.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b688518687e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exeduvii.exeduvii.exe

pid	process
836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
1188	duvii.exe
1188	duvii.exe
1188	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe
5072	duvii.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exeduvii.exe

description	pid	process
Token: SeDebugPrivilege	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
Token: SeSecurityPrivilege	4404	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
Token: SeSecurityPrivilege	4404	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
Token: SeDebugPrivilege	1188	duvii.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exeduvii.exeduvii.exe

description	pid	process	target process
PID 836 wrote to memory of 3400	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	CMD.exe
PID 836 wrote to memory of 3400	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	CMD.exe
PID 836 wrote to memory of 3400	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	CMD.exe
PID 836 wrote to memory of 2908	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	CMD.exe
PID 836 wrote to memory of 2908	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	CMD.exe
PID 836 wrote to memory of 2908	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	CMD.exe
PID 836 wrote to memory of 4800	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	AppLaunch.exe
PID 836 wrote to memory of 4800	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	AppLaunch.exe
PID 836 wrote to memory of 4800	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	AppLaunch.exe
PID 836 wrote to memory of 4800	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	AppLaunch.exe
PID 836 wrote to memory of 4800	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	AppLaunch.exe
PID 836 wrote to memory of 4800	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	AppLaunch.exe
PID 836 wrote to memory of 4800	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	AppLaunch.exe
PID 836 wrote to memory of 4800	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	AppLaunch.exe
PID 836 wrote to memory of 396	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 396	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 396	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 4404	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 4404	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 4404	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 4404	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 4404	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 4404	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 4404	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 836 wrote to memory of 4404	836	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
PID 4404 wrote to memory of 1188	4404	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	duvii.exe
PID 4404 wrote to memory of 1188	4404	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	duvii.exe
PID 4404 wrote to memory of 1188	4404	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	duvii.exe
PID 1188 wrote to memory of 3608	1188	duvii.exe	CMD.exe
PID 1188 wrote to memory of 3608	1188	duvii.exe	CMD.exe
PID 1188 wrote to memory of 3608	1188	duvii.exe	CMD.exe
PID 1188 wrote to memory of 800	1188	duvii.exe	CMD.exe
PID 1188 wrote to memory of 800	1188	duvii.exe	CMD.exe
PID 1188 wrote to memory of 800	1188	duvii.exe	CMD.exe
PID 1188 wrote to memory of 4820	1188	duvii.exe	AppLaunch.exe
PID 1188 wrote to memory of 4820	1188	duvii.exe	AppLaunch.exe
PID 1188 wrote to memory of 4820	1188	duvii.exe	AppLaunch.exe
PID 1188 wrote to memory of 4820	1188	duvii.exe	AppLaunch.exe
PID 1188 wrote to memory of 4820	1188	duvii.exe	AppLaunch.exe
PID 1188 wrote to memory of 4820	1188	duvii.exe	AppLaunch.exe
PID 1188 wrote to memory of 4820	1188	duvii.exe	AppLaunch.exe
PID 1188 wrote to memory of 4820	1188	duvii.exe	AppLaunch.exe
PID 1188 wrote to memory of 3032	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 3032	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 3032	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 5072	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 5072	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 5072	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 5072	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 5072	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 5072	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 5072	1188	duvii.exe	duvii.exe
PID 1188 wrote to memory of 5072	1188	duvii.exe	duvii.exe
PID 5072 wrote to memory of 2632	5072	duvii.exe	sihost.exe
PID 5072 wrote to memory of 2632	5072	duvii.exe	sihost.exe
PID 5072 wrote to memory of 2632	5072	duvii.exe	sihost.exe
PID 5072 wrote to memory of 2632	5072	duvii.exe	sihost.exe
PID 5072 wrote to memory of 2632	5072	duvii.exe	sihost.exe
PID 4404 wrote to memory of 4472	4404	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	cmd.exe
PID 4404 wrote to memory of 4472	4404	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	cmd.exe
PID 4404 wrote to memory of 4472	4404	4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe	cmd.exe
PID 5072 wrote to memory of 2760	5072	duvii.exe	svchost.exe
PID 5072 wrote to memory of 2760	5072	duvii.exe	svchost.exe
PID 5072 wrote to memory of 2760	5072	duvii.exe	svchost.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3412

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3488

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:404

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
"C:\Users\Admin\AppData\Local\Temp\4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\CMD.exe
"CMD"
3⤵
PID:3400

C:\Windows\SysWOW64\CMD.exe
"CMD"
3⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
3⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
"C:\Users\Admin\AppData\Local\Temp\4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe"
3⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe
"C:\Users\Admin\AppData\Local\Temp\4acb778f061b772d8b52634e8225be410788160f156ff6503e6548c37896bb55.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe
"C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\CMD.exe
"CMD"
5⤵
PID:3608

C:\Windows\SysWOW64\CMD.exe
"CMD"
5⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\\AppLaunch.exe"
5⤵
PID:4820

C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe
"C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe"
5⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe
"C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp97dabf7c.bat"
4⤵
PID:4472

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2760

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4884

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3424

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404
Filesize
112KB

MD5
771eb0a15d95c59d4a1d9b96beb93036

SHA1
d6b4d56aabed4387031a0e201835ce90da95dd8d

SHA256
4ca40d5fbe9ee2d96dd73ee01ac8b76a8e3a763991202c9ed57e038140178a27

SHA512
85a65237cbfc61e51e6d79efe67b1ebfa9d4b366ba3068a2ae2ba01cd038a8b6819e929fbbb1bc17e4b675553263fd2d59a2655a675e4983a54be94a1509dc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B6E683A7A45CC59BF035C9BA8C7AB9D
Filesize
494B

MD5
caf54a2f30f0d6581529aba69802a558

SHA1
861841c29f52d06dbed0b3d98882d17de2ebe5e5

SHA256
2f83623a8d36a5142131a2d4c9475446090afc3c8b90e30fb0494d5f2c3bb3cc

SHA512
d9f2f157d9a1d18eff1cae612904f22486655364e81d97ee3dd414101b9e1472cf2d2ad95ed630512ede1acc78964305c7edba038eb092383b7d6810b720fae2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404
Filesize
248B

MD5
2644c7583c95201e19323ebdae5d37e0

SHA1
f475e33d7b880ee6820d379147e6ce97472a79a3

SHA256
ac7b2d2b70e01b8fd67ee96aa25423266167bc7cec66e13cbd00c0610baa6ce4

SHA512
3f5ce7458cc0886c9f30354d84422501d58127f6cebfa1598322e28f431fc8aae4939858b1dcf8947eb8696474faf440480a1f9e5034a098da23c29297417e00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B6E683A7A45CC59BF035C9BA8C7AB9D
Filesize
250B

MD5
d92510bc809271356825889808d5b6fc

SHA1
672df369be60929ddebcd5a3b196fef5a2abb946

SHA256
b16fe0ebd68b2f588a6cdeaf9f6a79a3182b4618b4095dcf5fc02e50d3eeea34

SHA512
c03e47fbb989ea636c100b332b7a39874f4cf5227663942d9a916075af10dc74d0f9a9845e508dd208c18222be83a5f4ab45a8e010037426d25ef9abaa69f97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp97dabf7c.bat
Filesize
307B

MD5
c2cff563cb06cf7a017417b7b7c3eea5

SHA1
1ac756f2b22e9441980f6123ad82a2d4d67f657b

SHA256
94fb62a7ed7c898465dfe01708ab84e4a464d19320a093e51e85220784a077d0

SHA512
2ca44646fbd0d9ee3c040c50b5135ff1d049fd0f0cdb0816205c805cc862588731f700182e47ed78adcb3a686f5c7f542fcca39f2ad3087ee51e7eda3487a8fb

Download Submit
C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe
Filesize
483KB

MD5
241139952667a1bfd15cb70ce8a458cf

SHA1
fe27f2cde91e31bfee06a2211677a4a8c0af51eb

SHA256
366bcad7f97104cd09ae9402bd3a0ac313affd1e212b2dd1848d0bff3101e74b

SHA512
fb3d7fb3bd8c5fe78181f4e16dae36415b3e09615ed2369e0a7f7926c76bbecc6c13f63a6ab65155624573a16fb7f5e10aa4e1f9b935e46cf50fa91c4ec8cd44

Download Submit
C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe
Filesize
483KB

MD5
241139952667a1bfd15cb70ce8a458cf

SHA1
fe27f2cde91e31bfee06a2211677a4a8c0af51eb

SHA256
366bcad7f97104cd09ae9402bd3a0ac313affd1e212b2dd1848d0bff3101e74b

SHA512
fb3d7fb3bd8c5fe78181f4e16dae36415b3e09615ed2369e0a7f7926c76bbecc6c13f63a6ab65155624573a16fb7f5e10aa4e1f9b935e46cf50fa91c4ec8cd44

Download Submit
C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe
Filesize
483KB

MD5
241139952667a1bfd15cb70ce8a458cf

SHA1
fe27f2cde91e31bfee06a2211677a4a8c0af51eb

SHA256
366bcad7f97104cd09ae9402bd3a0ac313affd1e212b2dd1848d0bff3101e74b

SHA512
fb3d7fb3bd8c5fe78181f4e16dae36415b3e09615ed2369e0a7f7926c76bbecc6c13f63a6ab65155624573a16fb7f5e10aa4e1f9b935e46cf50fa91c4ec8cd44

Download Submit
C:\Users\Admin\AppData\Roaming\Itpyo\duvii.exe
Filesize
483KB

MD5
241139952667a1bfd15cb70ce8a458cf

SHA1
fe27f2cde91e31bfee06a2211677a4a8c0af51eb

SHA256
366bcad7f97104cd09ae9402bd3a0ac313affd1e212b2dd1848d0bff3101e74b

SHA512
fb3d7fb3bd8c5fe78181f4e16dae36415b3e09615ed2369e0a7f7926c76bbecc6c13f63a6ab65155624573a16fb7f5e10aa4e1f9b935e46cf50fa91c4ec8cd44

Download Submit
memory/396-141-0x0000000000000000-mapping.dmp

Download
memory/800-160-0x0000000000000000-mapping.dmp

Download
memory/836-146-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/836-132-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/1188-155-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1188-173-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1188-161-0x0000000074A80000-0x0000000075031000-memory.dmp

Filesize
5.7MB

Download
memory/1188-150-0x0000000000000000-mapping.dmp

Download
memory/2908-134-0x0000000000000000-mapping.dmp

Download
memory/3032-167-0x0000000000000000-mapping.dmp

Download
memory/3400-133-0x0000000000000000-mapping.dmp

Download
memory/3608-159-0x0000000000000000-mapping.dmp

Download
memory/4404-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-149-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-142-0x0000000000000000-mapping.dmp

Download
memory/4404-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-177-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-156-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4472-178-0x00000000006D0000-0x000000000070B000-memory.dmp

Filesize
236KB

Download
memory/4472-176-0x0000000000000000-mapping.dmp

Download
memory/4472-180-0x00000000006D0000-0x000000000070B000-memory.dmp

Filesize
236KB

Download
memory/4800-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4800-135-0x0000000000000000-mapping.dmp

Download
memory/4800-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4800-138-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4800-139-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4820-166-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4820-162-0x0000000000000000-mapping.dmp

Download
memory/5072-169-0x0000000000000000-mapping.dmp

Download
memory/5072-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download