cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70

Analysis

max time kernel
151s
max time network
119s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 17:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
Size

396KB
MD5

55c1ae00df0bb836a2b3293de3b22292
SHA1

807b5f6c24324ca87d2f795ce43a973ea92443bc
SHA256

cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70
SHA512

f0b592768ee0dc57f4443f8adadcdffadca6aa0ae938eeade23bda286710282689cacabd0859d5dfbd9ad6e80af4d8ca7ac5cfecef5ec27acc5a9cc759a5a29f
SSDEEP

12288:MesbhRXGHra5NQfsO7WadPVBGg/UgHN/TpkiiVjbxCsYaw:Dgh0a5NtO7W0fG25ZpYJts

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
792	ORIGINAL STUB.EXE
1128	TE.EXE

Loads dropped DLL 3 IoCs

pid	Process
2044	applaunch.exe
2044	applaunch.exe
2044	applaunch.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Product = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe"	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaOb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TE.EXE"	TE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ORIGINAL STUB.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ORIGINAL STUB.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ORIGINAL STUB.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ORIGINAL STUB.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
792	ORIGINAL STUB.EXE
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
Token: SeDebugPrivilege	792	ORIGINAL STUB.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 1204 wrote to memory of 2044	1204	cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe	27
PID 2044 wrote to memory of 792	2044	applaunch.exe	28
PID 2044 wrote to memory of 792	2044	applaunch.exe	28
PID 2044 wrote to memory of 792	2044	applaunch.exe	28
PID 2044 wrote to memory of 792	2044	applaunch.exe	28
PID 2044 wrote to memory of 792	2044	applaunch.exe	28
PID 2044 wrote to memory of 792	2044	applaunch.exe	28
PID 2044 wrote to memory of 792	2044	applaunch.exe	28
PID 2044 wrote to memory of 1128	2044	applaunch.exe	29
PID 2044 wrote to memory of 1128	2044	applaunch.exe	29
PID 2044 wrote to memory of 1128	2044	applaunch.exe	29
PID 2044 wrote to memory of 1128	2044	applaunch.exe	29
PID 2044 wrote to memory of 1128	2044	applaunch.exe	29
PID 2044 wrote to memory of 1128	2044	applaunch.exe	29
PID 2044 wrote to memory of 1128	2044	applaunch.exe	29
PID 1128 wrote to memory of 1044	1128	TE.EXE	30
PID 1128 wrote to memory of 1044	1128	TE.EXE	30
PID 1128 wrote to memory of 1044	1128	TE.EXE	30
PID 1128 wrote to memory of 1044	1128	TE.EXE	30
PID 1128 wrote to memory of 1044	1128	TE.EXE	30
PID 1128 wrote to memory of 1044	1128	TE.EXE	30
PID 1128 wrote to memory of 1044	1128	TE.EXE	30
PID 1128 wrote to memory of 1044	1128	TE.EXE	30
PID 1128 wrote to memory of 1044	1128	TE.EXE	30
PID 1128 wrote to memory of 1044	1128	TE.EXE	30

C:\Users\Admin\AppData\Local\Temp\cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe
"C:\Users\Admin\AppData\Local\Temp\cc5f82ccb563ab8bb6f4c53881ce5c61e35c8726d0b93d3338646eebc05b6e70.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\ORIGINAL STUB.EXE
    "C:\Users\Admin\AppData\Local\Temp\ORIGINAL STUB.EXE"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- - C:\Users\Admin\AppData\Local\Temp\TE.EXE
    "C:\Users\Admin\AppData\Local\Temp\TE.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe"
      4⤵
      PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ORIGINAL STUB.EXE

Filesize
257KB

MD5
ac46ab8b46b9bbe78064a8a469cab5b7

SHA1
17afffe37f27d7d96f7959d8a704f9b4eef6cdf3

SHA256
e6cb6f5807245f4aec0ecb586d86612af4ed8fdc1b7ff38b8893e24b1762d909

SHA512
0a5d7c07e3755d2c4586c890b6597f3efca070b799b9f4f5c0be5ee599f7bc2bca0888e2732e1a9e790e9c28f4c7b9d4ed2f4b079859b8ef042c48e36a95377a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ORIGINAL STUB.EXE

Filesize
257KB

MD5
ac46ab8b46b9bbe78064a8a469cab5b7

SHA1
17afffe37f27d7d96f7959d8a704f9b4eef6cdf3

SHA256
e6cb6f5807245f4aec0ecb586d86612af4ed8fdc1b7ff38b8893e24b1762d909

SHA512
0a5d7c07e3755d2c4586c890b6597f3efca070b799b9f4f5c0be5ee599f7bc2bca0888e2732e1a9e790e9c28f4c7b9d4ed2f4b079859b8ef042c48e36a95377a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TE.EXE

Filesize
100KB

MD5
1284fb178fe83acab852cd4775ec65b6

SHA1
d89c0302fc2120bfdb3aac98e838f3352da89726

SHA256
7a597628dd933c41768f9d349e40e08340ddab3540a6b06f3ece354463dffb69

SHA512
90fc4f8c9ad547b74dc55226e1e56cd0bc0857404b51906dac6f1f3f627ee6082713831cdebff5d07a4396572fcbe8c9fc2543b70cd66def085aa2eb197aba3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TE.EXE

Filesize
100KB

MD5
1284fb178fe83acab852cd4775ec65b6

SHA1
d89c0302fc2120bfdb3aac98e838f3352da89726

SHA256
7a597628dd933c41768f9d349e40e08340ddab3540a6b06f3ece354463dffb69

SHA512
90fc4f8c9ad547b74dc55226e1e56cd0bc0857404b51906dac6f1f3f627ee6082713831cdebff5d07a4396572fcbe8c9fc2543b70cd66def085aa2eb197aba3d

Download Submit
\Users\Admin\AppData\Local\Temp\ORIGINAL STUB.EXE

Filesize
257KB

MD5
ac46ab8b46b9bbe78064a8a469cab5b7

SHA1
17afffe37f27d7d96f7959d8a704f9b4eef6cdf3

SHA256
e6cb6f5807245f4aec0ecb586d86612af4ed8fdc1b7ff38b8893e24b1762d909

SHA512
0a5d7c07e3755d2c4586c890b6597f3efca070b799b9f4f5c0be5ee599f7bc2bca0888e2732e1a9e790e9c28f4c7b9d4ed2f4b079859b8ef042c48e36a95377a

Download Submit
\Users\Admin\AppData\Local\Temp\TE.EXE

Filesize
100KB

MD5
1284fb178fe83acab852cd4775ec65b6

SHA1
d89c0302fc2120bfdb3aac98e838f3352da89726

SHA256
7a597628dd933c41768f9d349e40e08340ddab3540a6b06f3ece354463dffb69

SHA512
90fc4f8c9ad547b74dc55226e1e56cd0bc0857404b51906dac6f1f3f627ee6082713831cdebff5d07a4396572fcbe8c9fc2543b70cd66def085aa2eb197aba3d

Download Submit
\Users\Admin\AppData\Local\Temp\TE.EXE

Filesize
100KB

MD5
1284fb178fe83acab852cd4775ec65b6

SHA1
d89c0302fc2120bfdb3aac98e838f3352da89726

SHA256
7a597628dd933c41768f9d349e40e08340ddab3540a6b06f3ece354463dffb69

SHA512
90fc4f8c9ad547b74dc55226e1e56cd0bc0857404b51906dac6f1f3f627ee6082713831cdebff5d07a4396572fcbe8c9fc2543b70cd66def085aa2eb197aba3d

Download Submit
memory/792-95-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/792-81-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1044-86-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1044-87-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1044-89-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1044-91-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1128-93-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1128-96-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1204-94-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-55-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-64-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-83-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-77-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-70-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-66-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-62-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-61-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-59-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-56-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2044-57-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download