27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4

General

Target

6cc7d9664c1a89c58549e57b5959bb38.exe
Size

2.3MB
MD5

6cc7d9664c1a89c58549e57b5959bb38
SHA1

85b665c501b9ab38710050e9a5c1b6d2e96acccc
SHA256

27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4
SHA512

294ee9c688a22df3d8311d040c56ffd66ae49982d7ad7de044b3b521533e380ced9058a43396fde49bb618db96bd6899c4db3926731df460cb66814f1a3965d9
SSDEEP

49152:kHEP1Ytp7MnOYoH7NzvsfZHXlIZELxmuY88jIvnPojMuHmsMtTQpw:GEPuBSONzvsfZ3eCxmQ8cWmsM

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.db-ip.com
14 api.db-ip.com
6 ipinfo.io

flow	ioc
13	api.db-ip.com
14	api.db-ip.com
6	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

6cc7d9664c1a89c58549e57b5959bb38.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	6cc7d9664c1a89c58549e57b5959bb38.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	6cc7d9664c1a89c58549e57b5959bb38.exe
File opened for modification	C:\Windows\System32\GroupPolicy	6cc7d9664c1a89c58549e57b5959bb38.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	6cc7d9664c1a89c58549e57b5959bb38.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

584 1872 WerFault.exe 6cc7d9664c1a89c58549e57b5959bb38.exe

pid	pid_target	process	target process
584	1872	WerFault.exe	6cc7d9664c1a89c58549e57b5959bb38.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6cc7d9664c1a89c58549e57b5959bb38.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	6cc7d9664c1a89c58549e57b5959bb38.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	6cc7d9664c1a89c58549e57b5959bb38.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6cc7d9664c1a89c58549e57b5959bb38.exe

description	pid	process	target process
PID 1872 wrote to memory of 584	1872	6cc7d9664c1a89c58549e57b5959bb38.exe	WerFault.exe
PID 1872 wrote to memory of 584	1872	6cc7d9664c1a89c58549e57b5959bb38.exe	WerFault.exe
PID 1872 wrote to memory of 584	1872	6cc7d9664c1a89c58549e57b5959bb38.exe	WerFault.exe
PID 1872 wrote to memory of 584	1872	6cc7d9664c1a89c58549e57b5959bb38.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6cc7d9664c1a89c58549e57b5959bb38.exe
"C:\Users\Admin\AppData\Local\Temp\6cc7d9664c1a89c58549e57b5959bb38.exe"
1⤵
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 992
2⤵
- Program crash
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-55-0x0000000000000000-mapping.dmp

Download
memory/1872-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads