fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11

General

Target

fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
Size

1.1MB
MD5

2f969320b014a432edea0a2c25f7030b
SHA1

1dcaecad9a65d61486e10e4871692cad1aa2a92e
SHA256

fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11
SHA512

87919f3f635103993333a9bce3adbae366b7695e732b1e9c78268a61a0f900be87ffb756e04a5638e889247a1b2a58c7bbc4e790d8aef6005476208a27e2cf1b
SSDEEP

12288:kCSPzc2+LuQf/tYBdm2fIpjEhWVETVcDmx1yo:VJt1TVd2omXyo

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1432	advhost.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 2 IoCs

pid	Process
1760	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
1432	advhost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\adlaunch32.dll.tmp	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
File created	C:\Windows\SysWOW64\advhost.exe.tmp	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\REQUEST	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\REQUEST\Certificates	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\REQUEST\CRLs	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\REQUEST\CTLs	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C182152A34EFCEEBF10F3F56723529D5078EE4A0	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C182152A34EFCEEBF10F3F56723529D5078EE4A0\Blob = 040000000100000010000000c05dc6c5109ef0b3b9ff9148a16b96560f0000000100000010000000e0e30fcf38dffe20a435cde013f1a730140000000100000014000000d49b9f8da2dd348ac734cae57455ae776a32faac190000000100000010000000bbfa78dd81e83a96066af0cbb108209e030000000100000014000000c182152a34efceebf10f3f56723529d5078ee4a020000000010000002d0200003082022930820192a003020102021035e37efc0efda2ad47c031bd14d239d0300d06092a864886f70d01010405003020311e301c060355040313154d6963726f736f667420436f72706f726174696f6e301e170d3039303330393034333431365a170d3339313233313233353935395a3020311e301c060355040313154d6963726f736f667420436f72706f726174696f6e30819f300d06092a864886f70d010101050003818d0030818902818100bde7211745d1bc8999e706cbf78c1cbcc58963856d5ab01a30d7e4a5a96ba562c74496af957a8c51474aab84950d94588e8be6d37100c8e78e60d3d63d6523b1b8dbd0d6b15ecbbdfaa07a784a6b4f2128b526ad3964bc3d85bdaea16b48fc48ad0391ba2f09e1681dada10a2b6c584f5f5421e288f6f581e26e8d9d9e707e670203010001a3643062300d0603551d0a04063004030206c030510603551d01044a3048801015e6e7b5a0d43ba5823a8e51932ec042a1223020311e301c060355040313154d6963726f736f667420436f72706f726174696f6e821035e37efc0efda2ad47c031bd14d239d0300d06092a864886f70d01010405000381810068cb5f1f1c97955463a992530e880546b00767a01cd9be7682c828d1a08044e963ffd412fccc6ea79fdc07972864bef1b5a517617aea9f90035da647fb03af88761cf227b5b689abeb7bf8e0ab38ffc8648cc1967dc7764a5a98cabf0a15375f87941285a914144ea11520e9f8663234092686c50fe7ede6c6ae0525e5ab809c	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1760	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
1432	advhost.exe
1432	advhost.exe
1432	advhost.exe
1432	advhost.exe
1432	advhost.exe
1432	advhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	advhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1432	1760	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe	28
PID 1760 wrote to memory of 1432	1760	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe	28
PID 1760 wrote to memory of 1432	1760	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe	28
PID 1760 wrote to memory of 1432	1760	fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe	28

C:\Users\Admin\AppData\Local\Temp\fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe
"C:\Users\Admin\AppData\Local\Temp\fe2b61dd86bf64fe084a50831ba01211c52ec6fdc77d5a5e6931b25a25c64e11.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\advhost.exe
  "C:\Windows\system32\advhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\adlaunch32.dll

Filesize
84KB

MD5
b6e20a48eefd44b2e597fc93b40d7aeb

SHA1
b1234fafe04bad83896304c862b19f15d52c5b72

SHA256
5f37bea07a0438cf5564e22ffca3650e6bebc26c1a78da39fc188195b619f2bb

SHA512
ab34ccf43d378d3e1110195320d601ec370fd2bda777ba9e4c6aadbbdaf5ec4b437237fd24602b3815e30e62727e3cc5007fce045218e402804beffb9a1bfe5a

Download Submit
C:\Windows\SysWOW64\advhost.exe

Filesize
968KB

MD5
c88644da84be1519255c33217790e26e

SHA1
3949500b0b2a7eba04b67adec41d477b1264ed73

SHA256
4a277ec7db1f5aabc782c6c3f27b0b619c46d519359330a965863c24dbdeef33

SHA512
3cc4bd92f1535f875a3acbc7507ee69d93f3f4ff88de235ef8c24c0337df4f99603aec746b9681da738fffe6265fdd439312177265905ba849cafc1320539167

Download Submit
\Windows\SysWOW64\adlaunch32.dll

Filesize
84KB

MD5
b6e20a48eefd44b2e597fc93b40d7aeb

SHA1
b1234fafe04bad83896304c862b19f15d52c5b72

SHA256
5f37bea07a0438cf5564e22ffca3650e6bebc26c1a78da39fc188195b619f2bb

SHA512
ab34ccf43d378d3e1110195320d601ec370fd2bda777ba9e4c6aadbbdaf5ec4b437237fd24602b3815e30e62727e3cc5007fce045218e402804beffb9a1bfe5a

Download Submit
\Windows\SysWOW64\advhost.exe

Filesize
968KB

MD5
c88644da84be1519255c33217790e26e

SHA1
3949500b0b2a7eba04b67adec41d477b1264ed73

SHA256
4a277ec7db1f5aabc782c6c3f27b0b619c46d519359330a965863c24dbdeef33

SHA512
3cc4bd92f1535f875a3acbc7507ee69d93f3f4ff88de235ef8c24c0337df4f99603aec746b9681da738fffe6265fdd439312177265905ba849cafc1320539167

Download Submit
memory/1760-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing