f6dcaf7e1cde58926559f73f15e81ba784cf031a8450d7fba2f9fd06c9935a27

Analysis

max time kernel
256s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gihyzfcrpl.exe
Size

668KB
MD5

a67e730e0fc4059867fd5cb74009f67a
SHA1

3ac1e7697a6e7b0438fb90838085eb9338a36221
SHA256

2fffb658018c0d96a770c573f7c04060582bd3be5054458ff87b59aea95d9d2e
SHA512

8e8477ebc5ccb82e5ac609362bcd3e433980a7883b7b4c2a1ad53a474edadd4c1eb36cf6ac56ca9af1b2905a54ab30f95f86d5c0709db6846e86ef32d1f6555d
SSDEEP

12288:RVceIQP+Zdi7GNzhmvaB8EUzw0RgORPQ9ODT4KWDcmrOCHiNLj84F:j9IQPui7GPmvf1w0+IiOAKW1r/OjjF

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\BDB1B93CD5978D45C6261455F8DB95C75AD153AF	gihyzfcrpl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\BDB1B93CD5978D45C6261455F8DB95C75AD153AF\Blob = 040000000100000010000000d39ec41e233ca6dfcfa37e6de014e6e50f00000001000000300000008b04cf52924a57d8897c7fb00ad3105027a82f519893a39046aad97f048a8d002fcbc201ee1307e8327746b3df58578d62000000010000002000000069729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb14700b000000010000001a0000004900530052004700200052006f006f0074002000580032000000090000000100000016000000301406082b0601050507030206082b060105050703011400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba97237951d0000000100000010000000e3b494871af5dc80ac5089a40ec3c4c7030000000100000014000000bdb1b93cd5978d45c6261455f8db95c75ad153af19000000010000001000000070d4f0bec2078234214bd651643b024020000000010000001f0200003082021b308201a1a003020102021041d29dd172eaeea780c12c6ce92f8752300a06082a8648ce3d040303304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205832301e170d3230303930343030303030305a170d3430303931373136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795300a06082a8648ce3d040303036800306502307b794e465084c24487461b4570ff5899def4fda4d255a6202d74d634bc41a3505f012756b4be277506af122e75988dfc0231008bf5776cd4c865aae00b2cee149d2737a4f953a551e42983d7f890315b429f0af5feae0068e78c490fb66f5b5b15f2e7	gihyzfcrpl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\BDB1B93CD5978D45C6261455F8DB95C75AD153AF\Blob = 5c00000001000000040000008001000019000000010000001000000070d4f0bec2078234214bd651643b0240030000000100000014000000bdb1b93cd5978d45c6261455f8db95c75ad153af1d0000000100000010000000e3b494871af5dc80ac5089a40ec3c4c71400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba9723795090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003200000062000000010000002000000069729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb14700f00000001000000300000008b04cf52924a57d8897c7fb00ad3105027a82f519893a39046aad97f048a8d002fcbc201ee1307e8327746b3df58578d040000000100000010000000d39ec41e233ca6dfcfa37e6de014e6e520000000010000001f0200003082021b308201a1a003020102021041d29dd172eaeea780c12c6ce92f8752300a06082a8648ce3d040303304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205832301e170d3230303930343030303030305a170d3430303931373136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795300a06082a8648ce3d040303036800306502307b794e465084c24487461b4570ff5899def4fda4d255a6202d74d634bc41a3505f012756b4be277506af122e75988dfc0231008bf5776cd4c865aae00b2cee149d2737a4f953a551e42983d7f890315b429f0af5feae0068e78c490fb66f5b5b15f2e7	gihyzfcrpl.exe

C:\Users\Admin\AppData\Local\Temp\gihyzfcrpl.exe
"C:\Users\Admin\AppData\Local\Temp\gihyzfcrpl.exe"
1⤵
- Modifies system certificate store
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4432-132-0x0000000140000000-0x00000001400DA000-memory.dmp

Filesize
872KB

Download