a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b

Analysis

max time kernel
166s
max time network
189s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
Size

103KB
MD5

901cadd69db589f3d3e345df5030d71c
SHA1

399b0cab118440a27634d9ee0cbb774ea17ae0fe
SHA256

a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b
SHA512

45303396373aa1b8b3b57950f200819bfd1c68d48fb7b826cd776bd510fa235a3d0ec0f063ac4d9804b39a95da6bf515f4918e4b17ba01b0d4e9f87e70ecfaed
SSDEEP

1536:VCast2seKzwbCEKjG97jzqE67XX7Rv+CHUrq5ahO+c5KEsncH:0asttnwOEMOnzxcbRv3HUhOx59s

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

812 svchost.exe
1396 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exesvchost.exe

pid process

1104 cmd.exe
812 svchost.exe

pid	process
812	svchost.exe
1396	svchost.exe

pid	process
1104	cmd.exe
812	svchost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regini.exeregini.exesvchost.exeregini.exeregini.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\x86kernel2 = "c:\\users\\admin\\appdata\\roaming\\94077931\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regini.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\x86kernel2 = "c:\\users\\admin\\appdata\\roaming\\94077931\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exesvchost.exe

description	pid	process	target process
PID 1764 set thread context of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 812 set thread context of 1396	812	svchost.exe	svchost.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exea9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.execmd.execmd.execmd.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 1764 wrote to memory of 560	1764	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
PID 560 wrote to memory of 1812	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 560 wrote to memory of 1812	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 560 wrote to memory of 1812	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 560 wrote to memory of 1812	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 1812 wrote to memory of 324	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 324	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 324	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 324	1812	cmd.exe	cmd.exe
PID 1812 wrote to memory of 1856	1812	cmd.exe	cacls.exe
PID 1812 wrote to memory of 1856	1812	cmd.exe	cacls.exe
PID 1812 wrote to memory of 1856	1812	cmd.exe	cacls.exe
PID 1812 wrote to memory of 1856	1812	cmd.exe	cacls.exe
PID 560 wrote to memory of 1348	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 560 wrote to memory of 1348	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 560 wrote to memory of 1348	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 560 wrote to memory of 1348	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 1348 wrote to memory of 240	1348	cmd.exe	cmd.exe
PID 1348 wrote to memory of 240	1348	cmd.exe	cmd.exe
PID 1348 wrote to memory of 240	1348	cmd.exe	cmd.exe
PID 1348 wrote to memory of 240	1348	cmd.exe	cmd.exe
PID 1348 wrote to memory of 936	1348	cmd.exe	cacls.exe
PID 1348 wrote to memory of 936	1348	cmd.exe	cacls.exe
PID 1348 wrote to memory of 936	1348	cmd.exe	cacls.exe
PID 1348 wrote to memory of 936	1348	cmd.exe	cacls.exe
PID 560 wrote to memory of 1104	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 560 wrote to memory of 1104	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 560 wrote to memory of 1104	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 560 wrote to memory of 1104	560	a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe	cmd.exe
PID 1104 wrote to memory of 812	1104	cmd.exe	svchost.exe
PID 1104 wrote to memory of 812	1104	cmd.exe	svchost.exe
PID 1104 wrote to memory of 812	1104	cmd.exe	svchost.exe
PID 1104 wrote to memory of 812	1104	cmd.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 812 wrote to memory of 1396	812	svchost.exe	svchost.exe
PID 1396 wrote to memory of 1828	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1828	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1828	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1828	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1604	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1604	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1604	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1604	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1336	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1336	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1336	1396	svchost.exe	regini.exe
PID 1396 wrote to memory of 1336	1396	svchost.exe	regini.exe

C:\Users\Admin\AppData\Local\Temp\a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
"C:\Users\Admin\AppData\Local\Temp\a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe
"C:\Users\Admin\AppData\Local\Temp\a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|CACLS "c:\users\admin\appdata\roaming\94077931\svchost.exe" /P "Admin:R"
3⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:324

C:\Windows\SysWOW64\cacls.exe
CACLS "c:\users\admin\appdata\roaming\94077931\svchost.exe" /P "Admin:R"
4⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c echo Y|CACLS "c:\users\admin\appdata\roaming\94077931" /P "Admin:R"
3⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:240

C:\Windows\SysWOW64\cacls.exe
CACLS "c:\users\admin\appdata\roaming\94077931" /P "Admin:R"
4⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\94077931\svchost.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\94077931\svchost.exe
C:\Users\Admin\AppData\Roaming\94077931\svchost.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Roaming\94077931\svchost.exe
C:\Users\Admin\AppData\Roaming\94077931\svchost.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\regini.exe
regini per
6⤵
- Adds Run key to start application
PID:1828

C:\Windows\SysWOW64\regini.exe
regini perper
6⤵
- Adds Run key to start application
PID:1604

C:\Windows\SysWOW64\regini.exe
regini perperper
6⤵
- Adds Run key to start application
PID:1336

C:\Windows\SysWOW64\regini.exe
regini perperperper
6⤵
- Adds Run key to start application
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize
1KB

MD5
e8866d725021f499e976a858b36b16e0

SHA1
faf2edc4733e24711c30219a18d548e637a3a539

SHA256
6f963398ecbd90ca076430a8e250859c88b92b73f6f79bee081498b73510fcc8

SHA512
c0bdebc6be4656e204506904e43b5a6a618cda42a4c878d33f4d4cb3014784c53193b669e8e0a7bd64d2d4ec9b220aef55e7dfca7cf1814b974fe21f36a1ce1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_2950BF8CA08767F531ADC0C83BCDAE94
Filesize
526B

MD5
0f5e022966638bf2b8f9d5a609d59266

SHA1
4a03783a74e1a1d30efd29ec0b2322dd73530b10

SHA256
3e9ca68c46be890ce64db591bd2730e5f0ba92dfb464c059d98e4a4fbe0fd07e

SHA512
91e5ebec18dbf6546e34265d3e0772897e0d75ed347c3d2539d7ce6c4c27e7fa2b4b42e5a251ed60cbd3ca103f63e1871914407f396a2bdd95933492f1005a12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
97fcd17208a387a22c61ee50db158fc1

SHA1
7008a192cf22964ff3a66eb28fd58311b644f581

SHA256
58bef249da3daa561ddf944ad290c12a778cf4998da83c901294a9128a42df33

SHA512
9883e71da57293ccdbd8339ed679d5a8f82dd7864dfe39b858c513d796015ef773a49654943ff036001390d91184d43d7e307f7f6756ac9f8b3dc322343cb1fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
Filesize
500B

MD5
9f800d080ca15658b53c8ba3d3eeec78

SHA1
dc6d48ca0918c77537312741ed8510918913f23d

SHA256
7a83175d3409b77e4d2c39de34b06e61fd9687d8668688530bf88bbafaf811ff

SHA512
7713d6931179dc08c9cae7543da5b23d8987077468a29b569298727af87dc2a43888adf1855363b8fe63644646434d802e5b63c176bc590ff838efb9e00bc3ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_2950BF8CA08767F531ADC0C83BCDAE94
Filesize
490B

MD5
453d054c66159e5fa459c5121fee31e0

SHA1
bcc61d9542a86f0d85ccfb9940738ef101850ed3

SHA256
d53837911fe7a6ccb27fff0c35792e29b30242c27f7240226f076b70a8906f1c

SHA512
cda05656ad09c95c1b6abf6c1d96197e4b25d429ca6a901a86c57286298825b811d1aa05fde87ad4cebdf6514d3ae4133d2bce4bfbc7363b791f545afe597c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\per
Filesize
68B

MD5
77612e763aacc6671e0c81713b419a41

SHA1
99c986a0e3bc15532bbca5a18ff90de93fefe7fc

SHA256
08f53032b63ada0a816ab77088624bef24a5451b7c7e0de05f958e5bd4e6977b

SHA512
99f94d1016eb7bff8deed9eb68c6d26756b2b02a30c4aa5dcc111429e0117acfbc15d7f4119fe06abead5039ee241afc1e6756d2e2250a08fcc818a50598b6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\perper
Filesize
68B

MD5
a6585d9cf9d692905da3ed6c1b9dd4c1

SHA1
166b3aece6d5a7d172acd0a1327af9265a5bf5d4

SHA256
50a38aee5de374bab740c163c3debc500041a2ee3aad01d466347eecf2540015

SHA512
a402fcebe80023edc9322adeecc89b8df845a80061008c26b890e33636869817460b57a326ee65dcd2bd7275933f9407be96aba7bfeae17530b55985ad00c65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\perperper
Filesize
67B

MD5
e4bcd320585af9f77671cc6e91fe9de6

SHA1
15f12439eb3e133affb37b29e41e57d89fc90e06

SHA256
a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8

SHA512
00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\perperperper
Filesize
67B

MD5
58b2f90cc0182925ae0bab51700b14ab

SHA1
d2975adeb8dc68f2f5e10edee524de78e79828db

SHA256
8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964

SHA512
de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782

Download Submit
C:\Users\Admin\AppData\Roaming\94077931\svchost.exe
Filesize
103KB

MD5
901cadd69db589f3d3e345df5030d71c

SHA1
399b0cab118440a27634d9ee0cbb774ea17ae0fe

SHA256
a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b

SHA512
45303396373aa1b8b3b57950f200819bfd1c68d48fb7b826cd776bd510fa235a3d0ec0f063ac4d9804b39a95da6bf515f4918e4b17ba01b0d4e9f87e70ecfaed

Download Submit
C:\Users\Admin\AppData\Roaming\94077931\svchost.exe
Filesize
103KB

MD5
901cadd69db589f3d3e345df5030d71c

SHA1
399b0cab118440a27634d9ee0cbb774ea17ae0fe

SHA256
a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b

SHA512
45303396373aa1b8b3b57950f200819bfd1c68d48fb7b826cd776bd510fa235a3d0ec0f063ac4d9804b39a95da6bf515f4918e4b17ba01b0d4e9f87e70ecfaed

Download Submit
\??\c:\users\admin\appdata\roaming\94077931\svchost.exe
Filesize
103KB

MD5
901cadd69db589f3d3e345df5030d71c

SHA1
399b0cab118440a27634d9ee0cbb774ea17ae0fe

SHA256
a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b

SHA512
45303396373aa1b8b3b57950f200819bfd1c68d48fb7b826cd776bd510fa235a3d0ec0f063ac4d9804b39a95da6bf515f4918e4b17ba01b0d4e9f87e70ecfaed

Download Submit
\Users\Admin\AppData\Roaming\94077931\svchost.exe
Filesize
103KB

MD5
901cadd69db589f3d3e345df5030d71c

SHA1
399b0cab118440a27634d9ee0cbb774ea17ae0fe

SHA256
a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b

SHA512
45303396373aa1b8b3b57950f200819bfd1c68d48fb7b826cd776bd510fa235a3d0ec0f063ac4d9804b39a95da6bf515f4918e4b17ba01b0d4e9f87e70ecfaed

Download Submit
\Users\Admin\AppData\Roaming\94077931\svchost.exe
Filesize
103KB

MD5
901cadd69db589f3d3e345df5030d71c

SHA1
399b0cab118440a27634d9ee0cbb774ea17ae0fe

SHA256
a9ead816ad4ef1617dc765c3d8ba00dd5e61263f39b8550a52ac663838f2b18b

SHA512
45303396373aa1b8b3b57950f200819bfd1c68d48fb7b826cd776bd510fa235a3d0ec0f063ac4d9804b39a95da6bf515f4918e4b17ba01b0d4e9f87e70ecfaed

Download Submit
memory/240-75-0x0000000000000000-mapping.dmp

Download
memory/324-71-0x0000000000000000-mapping.dmp

Download
memory/560-69-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/560-68-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/560-65-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/560-64-0x0000000000CB1FCE-mapping.dmp

Download
memory/560-63-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/560-61-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/560-60-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/560-58-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/560-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/812-79-0x0000000000000000-mapping.dmp

Download
memory/812-98-0x00000000744B0000-0x0000000074A5B000-memory.dmp

Filesize
5.7MB

Download
memory/936-76-0x0000000000000000-mapping.dmp

Download
memory/1104-77-0x0000000000000000-mapping.dmp

Download
memory/1180-108-0x0000000000000000-mapping.dmp

Download
memory/1336-106-0x0000000000000000-mapping.dmp

Download
memory/1348-74-0x0000000000000000-mapping.dmp

Download
memory/1396-110-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1396-95-0x0000000000AD1FCE-mapping.dmp

Download
memory/1396-100-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1396-101-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1604-104-0x0000000000000000-mapping.dmp

Download
memory/1764-66-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/1764-56-0x0000000004F4C000-0x0000000004F56000-memory.dmp

Filesize
40KB

Download
memory/1764-55-0x0000000074A60000-0x000000007500B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-70-0x0000000000000000-mapping.dmp

Download
memory/1828-102-0x0000000000000000-mapping.dmp

Download
memory/1856-72-0x0000000000000000-mapping.dmp

Download