b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82

General

Target

b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe
Size

132KB
MD5

972c08e8b341ef46a0d7fb453890839c
SHA1

8924bf0ee6444ecdf0e62cc228d394ef132a2370
SHA256

b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82
SHA512

d496a0b6df840e76775822433ebdf1b9ca805fbc3d93e7c50708459698569f0e070cede4aae0073faad00d35a081f4887c4f916fcdd5626f5265d21d5d32f09d
SSDEEP

1536:uvABbebP+9jC8Nf4FctKDNFBQjURgSIXlY4bP5rX5OXSRAKvSr9jSwnf:rbroFctmKcGY+xrJOiRANx2wn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1096	taskhost.exe
764	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
956	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe
956	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\taskhost.exe"	taskhost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1792 set thread context of 956	1792	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	28
PID 1096 set thread context of 764	1096	taskhost.exe	30

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	taskhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	taskhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 956	1792	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	28
PID 1792 wrote to memory of 956	1792	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	28
PID 1792 wrote to memory of 956	1792	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	28
PID 1792 wrote to memory of 956	1792	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	28
PID 1792 wrote to memory of 956	1792	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	28
PID 1792 wrote to memory of 956	1792	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	28
PID 956 wrote to memory of 1096	956	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	29
PID 956 wrote to memory of 1096	956	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	29
PID 956 wrote to memory of 1096	956	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	29
PID 956 wrote to memory of 1096	956	b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe	29
PID 1096 wrote to memory of 764	1096	taskhost.exe	30
PID 1096 wrote to memory of 764	1096	taskhost.exe	30
PID 1096 wrote to memory of 764	1096	taskhost.exe	30
PID 1096 wrote to memory of 764	1096	taskhost.exe	30
PID 1096 wrote to memory of 764	1096	taskhost.exe	30
PID 1096 wrote to memory of 764	1096	taskhost.exe	30

C:\Users\Admin\AppData\Local\Temp\b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe
"C:\Users\Admin\AppData\Local\Temp\b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe
  C:\Users\Admin\AppData\Local\Temp\b48bc4afd0de7142cad22adfa148b57b7c70cf4f99e59b2c518675eab56b5a82.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      PID:764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe

Filesize
132KB

MD5
c85faceb195e59c8c09d1db03fb578bb

SHA1
9ce4bc9668941b26e3a616594535ec2fd7a59dad

SHA256
24f9a21fb3bf4585878503a4289ba9511e9847669d3eac23d4c01e521398bb76

SHA512
668d3b02fd069a1be26847cbd00381ec222ffcaed868db65ef69dc3d026dd9266199416b37ae7589c5792403e50fc09793b46386cbbd700512fe6c25e9388f41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe

Filesize
132KB

MD5
c85faceb195e59c8c09d1db03fb578bb

SHA1
9ce4bc9668941b26e3a616594535ec2fd7a59dad

SHA256
24f9a21fb3bf4585878503a4289ba9511e9847669d3eac23d4c01e521398bb76

SHA512
668d3b02fd069a1be26847cbd00381ec222ffcaed868db65ef69dc3d026dd9266199416b37ae7589c5792403e50fc09793b46386cbbd700512fe6c25e9388f41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe

Filesize
132KB

MD5
c85faceb195e59c8c09d1db03fb578bb

SHA1
9ce4bc9668941b26e3a616594535ec2fd7a59dad

SHA256
24f9a21fb3bf4585878503a4289ba9511e9847669d3eac23d4c01e521398bb76

SHA512
668d3b02fd069a1be26847cbd00381ec222ffcaed868db65ef69dc3d026dd9266199416b37ae7589c5792403e50fc09793b46386cbbd700512fe6c25e9388f41

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe

Filesize
132KB

MD5
c85faceb195e59c8c09d1db03fb578bb

SHA1
9ce4bc9668941b26e3a616594535ec2fd7a59dad

SHA256
24f9a21fb3bf4585878503a4289ba9511e9847669d3eac23d4c01e521398bb76

SHA512
668d3b02fd069a1be26847cbd00381ec222ffcaed868db65ef69dc3d026dd9266199416b37ae7589c5792403e50fc09793b46386cbbd700512fe6c25e9388f41

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\taskhost.exe

Filesize
132KB

MD5
c85faceb195e59c8c09d1db03fb578bb

SHA1
9ce4bc9668941b26e3a616594535ec2fd7a59dad

SHA256
24f9a21fb3bf4585878503a4289ba9511e9847669d3eac23d4c01e521398bb76

SHA512
668d3b02fd069a1be26847cbd00381ec222ffcaed868db65ef69dc3d026dd9266199416b37ae7589c5792403e50fc09793b46386cbbd700512fe6c25e9388f41

Download Submit
memory/764-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/956-65-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/956-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/956-59-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/956-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/956-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads