bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29

Analysis

max time kernel
183s
max time network
220s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 06:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
Size

124KB
MD5

eb6f786f619c2b9d097f67ceb7188e59
SHA1

d0ac3ced98871a10668232517e3d5a0c36ab9d28
SHA256

bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29
SHA512

3b89f4cc2de477f80ddf73a641b0abc6ec59950ed12d0dbefda0212097f7dfcf9025095982a2066282d2b39110661a74a9cfde11c41d1588774ec2ef9a319646
SSDEEP

1536:9wtvbBiTYB1Z+tKimD/p4t2A+yBKmsXPdTXmgBE8+5HgszOw6Y9yX75KgW:96b2MDDp4tJ+yBKmmdnE6YMPW

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1188	taskhost.exe
1204	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1216	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
1216	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 1216	1364	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	28
PID 1188 set thread context of 1204	1188	taskhost.exe	31

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	taskhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1216	1364	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	28
PID 1364 wrote to memory of 1216	1364	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	28
PID 1364 wrote to memory of 1216	1364	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	28
PID 1364 wrote to memory of 1216	1364	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	28
PID 1364 wrote to memory of 1216	1364	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	28
PID 1364 wrote to memory of 1216	1364	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	28
PID 1216 wrote to memory of 1188	1216	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	29
PID 1216 wrote to memory of 1188	1216	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	29
PID 1216 wrote to memory of 1188	1216	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	29
PID 1216 wrote to memory of 1188	1216	bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe	29
PID 1188 wrote to memory of 1204	1188	taskhost.exe	31
PID 1188 wrote to memory of 1204	1188	taskhost.exe	31
PID 1188 wrote to memory of 1204	1188	taskhost.exe	31
PID 1188 wrote to memory of 1204	1188	taskhost.exe	31
PID 1188 wrote to memory of 1204	1188	taskhost.exe	31
PID 1188 wrote to memory of 1204	1188	taskhost.exe	31

C:\Users\Admin\AppData\Local\Temp\bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
"C:\Users\Admin\AppData\Local\Temp\bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
  C:\Users\Admin\AppData\Local\Temp\bb73b426561556eda342253cd9c79f96157cbb07f89e69eeb5f6177f6349ae29.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
300B

MD5
bf034518c3427206cc85465dc2e296e5

SHA1
ef3d8f548ad3c26e08fa41f2a74e68707cfc3d3a

SHA256
e5da797df9533a2fcae7a6aa79f2b9872c8f227dd1c901c91014c7a9fa82ff7e

SHA512
c307eaf605bd02e03f25b58fa38ff8e59f4fb5672ef6cb5270c8bdb004bca56e47450777bfb7662797ffb18ab409cde66df4536510bc5a435cc945e662bddb78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A0A8D44D6023E63325E1C8F3C93C4E67

Filesize
345B

MD5
9b49400d06466e4aaf47feca6c636515

SHA1
3aa2d7dc31fed0208a5b852c1dd1116018be88f5

SHA256
dcb2bb87ed9a163849d1618d6a2a1313ce87584a7f7186bf7649e80e8c5273ef

SHA512
60e1519716510134aaef04cfc7fce0d95fa260acd4710c0d3917ad34d9a97f221901559f031a28859ac85e065a8160c4b38c8091e80f9c7572c1ab323b4885e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
a98c5046f44e274830df40d9f2b6aff3

SHA1
5cab62af454a85d03ef2cdd267f5933895425dff

SHA256
7faa35196e57bc648501b8843f566e3cf352eb5cefecd2cc108cdcceb013cc1d

SHA512
9591e699f5f33d67ed317c206a361aac9e8ac236e5f1d174145fe68e841f76aa294dbbeb69413e2035f5ec07594e4ae9f56d54e213d2ead13c69eac99d67f50f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
1c5372d982e50475d8fd9859532ac4d7

SHA1
5b6c6b77029f59b9ff89356ad9d6711af880d021

SHA256
088f4746fb0bb499f7103d2027a83c7fb1fa7f7c7fc5914508656014de300de9

SHA512
35d0b266950db731fcc4cd6d7c8f49c6b40ac5c3b43d4ac9e28567e4454ed3d8987cd1b518379a235ffb94f2e0e55b3cdd24eaf874364b5b4f1177d9af2dee63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54414cd0b69f45cda80c34d0a16de668

SHA1
665f5fa14cb142e526cf10417cab47beb6445df5

SHA256
6e3e004947b3a1525e0155f049f51b6985c0b96dd966f704c3055e478e5911c5

SHA512
506b4fc58954b0c4821a6a77badf7cff289ba0202b1c0561c041216f3127f39f08e89cc0a3b6e66b625b5400502b99aae5b5ef4ed42a32887ffe577363ceca3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfb73c3a47b4d29ffe8f610ca0943ac8

SHA1
b1fbbc266124cb08a3343280757049f42d50fbd6

SHA256
ac869c4c06bf243db3eaaf66123d9bf8972776311c5230085156352d12e00ded

SHA512
c9ea9ac2d5ec15fb60857bc2509793b057a17b60cd4494cc1b3cb66bff21c4515675b054a860154a7fb460f45dfd4cc650b42de33c13556d83d2f42465c16ccf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a52fa4607b7b604651d1f8031921b4d4

SHA1
3fbf336a869e12862fc5f235f37663383507fa33

SHA256
aeec6bfb000b85eeec68892d708a240920993900972d16b3d16e773a79901d78

SHA512
183ca089f47f46c706454e6119cc94f4a4ca09e5106ed243ecec1a3572d9654b05fa598685e9a886d9b257e1c873ab9eda9767dab2aa2b7ae77febf498571482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a52fa4607b7b604651d1f8031921b4d4

SHA1
3fbf336a869e12862fc5f235f37663383507fa33

SHA256
aeec6bfb000b85eeec68892d708a240920993900972d16b3d16e773a79901d78

SHA512
183ca089f47f46c706454e6119cc94f4a4ca09e5106ed243ecec1a3572d9654b05fa598685e9a886d9b257e1c873ab9eda9767dab2aa2b7ae77febf498571482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A0A8D44D6023E63325E1C8F3C93C4E67

Filesize
548B

MD5
93e4136c9bb7451514c85548fa0127a3

SHA1
7d8921e9eadf294f508d7a83d74940b1fadf32cd

SHA256
a442b8f0f996da6d2ee5f249c519b95c6116db9823d139d87213fdb87c0c391d

SHA512
bd94da102ddfb6458a9c396e210c4eb27e8c510d8f80979152bae622f0a4f747ea9269ae7cf946cc34a87986ec1e0ff1e6c81c7d6d816a5ffba8e599a9c97476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
be534a1ea4a1df28124a949ef9c643bf

SHA1
6e0ea552e8536512baef6e145697f392fff2eda7

SHA256
3a7ec3020f5923055f8c589f05943036b460e7bb435e41a34f7606ea792a39b1

SHA512
1c65858ce1bd75a26bd141691f15dad6bf4f49c8b8ad3cd593af23f3eff354f68f83388410cd671750afda363ce583b9631f4d1b154a43fa157e7de3f792b9e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
be534a1ea4a1df28124a949ef9c643bf

SHA1
6e0ea552e8536512baef6e145697f392fff2eda7

SHA256
3a7ec3020f5923055f8c589f05943036b460e7bb435e41a34f7606ea792a39b1

SHA512
1c65858ce1bd75a26bd141691f15dad6bf4f49c8b8ad3cd593af23f3eff354f68f83388410cd671750afda363ce583b9631f4d1b154a43fa157e7de3f792b9e9

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
124KB

MD5
abc98a4a2d3ee6170e177caa3fdef677

SHA1
6fe44544efee8e8f5c6ecdc698031a836e761c03

SHA256
ec8902800741e26a5cc6a674ecb4b65ced76b83c29ae6c727ec4f1f707a7d48d

SHA512
e09c13db6eb847810241e2135e07cf75133bbeb36182555698d998a3463ef3b07b2eba36f199a4dbe875e856d4572bcee8de8bce547f78767e0c61f428831129

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
124KB

MD5
abc98a4a2d3ee6170e177caa3fdef677

SHA1
6fe44544efee8e8f5c6ecdc698031a836e761c03

SHA256
ec8902800741e26a5cc6a674ecb4b65ced76b83c29ae6c727ec4f1f707a7d48d

SHA512
e09c13db6eb847810241e2135e07cf75133bbeb36182555698d998a3463ef3b07b2eba36f199a4dbe875e856d4572bcee8de8bce547f78767e0c61f428831129

Download Submit
C:\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
124KB

MD5
abc98a4a2d3ee6170e177caa3fdef677

SHA1
6fe44544efee8e8f5c6ecdc698031a836e761c03

SHA256
ec8902800741e26a5cc6a674ecb4b65ced76b83c29ae6c727ec4f1f707a7d48d

SHA512
e09c13db6eb847810241e2135e07cf75133bbeb36182555698d998a3463ef3b07b2eba36f199a4dbe875e856d4572bcee8de8bce547f78767e0c61f428831129

Download Submit
\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
124KB

MD5
abc98a4a2d3ee6170e177caa3fdef677

SHA1
6fe44544efee8e8f5c6ecdc698031a836e761c03

SHA256
ec8902800741e26a5cc6a674ecb4b65ced76b83c29ae6c727ec4f1f707a7d48d

SHA512
e09c13db6eb847810241e2135e07cf75133bbeb36182555698d998a3463ef3b07b2eba36f199a4dbe875e856d4572bcee8de8bce547f78767e0c61f428831129

Download Submit
\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
124KB

MD5
abc98a4a2d3ee6170e177caa3fdef677

SHA1
6fe44544efee8e8f5c6ecdc698031a836e761c03

SHA256
ec8902800741e26a5cc6a674ecb4b65ced76b83c29ae6c727ec4f1f707a7d48d

SHA512
e09c13db6eb847810241e2135e07cf75133bbeb36182555698d998a3463ef3b07b2eba36f199a4dbe875e856d4572bcee8de8bce547f78767e0c61f428831129

Download Submit
memory/1204-75-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1216-54-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1216-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1216-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1216-59-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1216-56-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads