dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd

Analysis

max time kernel
45s
max time network
130s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-02-2023 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe
Size

1.5MB
MD5

48b6e029cdd1b415973793abbc7f67d1
SHA1

b1bd655d6312aa58404081d1754f8d9f0f9a8e47
SHA256

dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd
SHA512

bd24d7d5298718aed28ea561f8d7446824b9cda2b92b5c46108df6d79be5222714b7520891f70f6083d746814eb8ffe7e5be0107506cad3fbdcd222313775e78
SSDEEP

24576:RGHCm8uPdJPbYY3n0z0sKikxYqj6vRmJPtMWmop8TDAVaCYz5GxX:ouW8YkzrKikqw6vmtpNiXAVak

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

LiteClient.exe

pid process

1676 LiteClient.exe

pid	process
1676	LiteClient.exe

Loads dropped DLL 4 IoCs

Processes:

dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe

pid	process
1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe
1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe
1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe
1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

LiteClient.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	LiteClient.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	LiteClient.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe

description	pid	process	target process
PID 1372 wrote to memory of 1676	1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe	LiteClient.exe
PID 1372 wrote to memory of 1676	1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe	LiteClient.exe
PID 1372 wrote to memory of 1676	1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe	LiteClient.exe
PID 1372 wrote to memory of 1676	1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe	LiteClient.exe
PID 1372 wrote to memory of 1676	1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe	LiteClient.exe
PID 1372 wrote to memory of 1676	1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe	LiteClient.exe
PID 1372 wrote to memory of 1676	1372	dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe	LiteClient.exe

C:\Users\Admin\AppData\Local\Temp\dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe
"C:\Users\Admin\AppData\Local\Temp\dc99c368b270693cc948f5f66a1aae232b739712b28d0f627b9ffb09616d4edd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\LiteClient\LiteClient.exe
"C:\Users\Admin\AppData\Local\Temp\LiteClient\LiteClient.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TF0W5LQL\Forward2[1].txt
Filesize
5KB

MD5
a59c0ac04785150bb15bc2722af8a475

SHA1
a8d4219c0206a37362a1688502f7bdeb6f80df0d

SHA256
2936938c77b0abef7db4f11d54da6e5ee9c8e31e019fd24269525cb89a7b3b11

SHA512
f4fc61a37407edfaa87ccd49c1d89bca8a6a4d9e49ffb3af724b3ce8d5d5e7497917521d7a67bc64448ca773427378134a63a16a20a37b793e9c6b31d06f81e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiteClient\LiteClient.exe
Filesize
2.6MB

MD5
b3f2a7d89da814729ba1c47f96804b64

SHA1
38ba46a41a48dbe21bbb08719cc3d52aa8bf1bbf

SHA256
aae9b395b9e327d2719c98e8b7a44974b029e62977bfef3bf18ae8793de993b0

SHA512
8a6c6b1314aea141b0b7552539a2b81604d15b06b85ec515791c1b17eb4dbbdd1fa49cc2a6bcb63ad2c3a9ea773720f665467625727c77b0713515fb979bf36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiteClient\LiteClient.exe
Filesize
2.6MB

MD5
b3f2a7d89da814729ba1c47f96804b64

SHA1
38ba46a41a48dbe21bbb08719cc3d52aa8bf1bbf

SHA256
aae9b395b9e327d2719c98e8b7a44974b029e62977bfef3bf18ae8793de993b0

SHA512
8a6c6b1314aea141b0b7552539a2b81604d15b06b85ec515791c1b17eb4dbbdd1fa49cc2a6bcb63ad2c3a9ea773720f665467625727c77b0713515fb979bf36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiteClient\LiteClient.exe
Filesize
2.6MB

MD5
b3f2a7d89da814729ba1c47f96804b64

SHA1
38ba46a41a48dbe21bbb08719cc3d52aa8bf1bbf

SHA256
aae9b395b9e327d2719c98e8b7a44974b029e62977bfef3bf18ae8793de993b0

SHA512
8a6c6b1314aea141b0b7552539a2b81604d15b06b85ec515791c1b17eb4dbbdd1fa49cc2a6bcb63ad2c3a9ea773720f665467625727c77b0713515fb979bf36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiteClient\temp\GGDesk.exe
Filesize
7.8MB

MD5
81becd20791a06adbcb85f54feeed973

SHA1
e39270df9df3451ed7bc010cb9a2faefb9d86ee5

SHA256
c77afd4aaea3eb5c2e50090333b88731772d5005274865c817f5e63757d2f8d2

SHA512
8a997ca056aebdba81b56c96abd23c3ebf33898edd47bc5bcd80855c18d2474bcf07d4a0661cea475f4856f8873d5875cab90c018dee85d945ba14f143cdf044

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiteClient\temp\common.dll
Filesize
3.2MB

MD5
e7d7e0c1a1ea778cfe06951ff07ca309

SHA1
05eabed664344683f02b074456d61dd931feecef

SHA256
70aefe276b8b7809f16895693b6e5d15dc288657dbcfb1c323b404a2fe1fa236

SHA512
ee1e05646bf93b474c77da052277509feb8f3259ef8e5009b74aa250874889402fa709e8565281b5ba7b0f7d8a0b66521c46c464c7d5afb60c0e61e54f858176

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiteClient\temp\libcurl.dll
Filesize
422KB

MD5
90c219a30be18b83d18274db4f3a398a

SHA1
ae59f90c2e8c0ebc36d2acca61fe3867268c806a

SHA256
d1dea7adc762c684f0fb6c54015bf444d1f2c9616cb2132fc03680dfeb09b7b5

SHA512
dbcc2459f57e7fb9b30eb97dea438108431475d0d669e31adc881b4ba8191c29ea68ac227f5ce094aec362aefa415b1483708c7a27f65b446f6af2c2f4dd3365

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiteClient\temp\log.dll
Filesize
3.3MB

MD5
ae8d33e1482e702e0ef272913f324a37

SHA1
a040b21c9a7282ba5bc7bbe0b3db12517127eef6

SHA256
5f11dd6735c5450f0dda2b7472bcddf3cbfc89e20aed68341eeb74eb0f2f87ac

SHA512
58ef0b9fb1b7398de61b2a3042fd1f710b5f3c677e661fc639340e610cee6e5f4e264c15e551413770d51f0c39a759ad58adf49f35a56b4bb4f82cbfd63baecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiteClient\temp\sciter.dll
Filesize
7.9MB

MD5
c00d3e7b9b836caa751658362d58b084

SHA1
7befdd7da3afc152d9b1046bd6b6b0de0143a10f

SHA256
1807ffe13a5cf47fe100e0e088cb8d563198e5d376bd1881982fc22dcb2b9d02

SHA512
dc5970a82f17a00092735ca2b75776f25b8353eb2e97f28306c964b8dbfc68487a10464c0d8a2c8612789bca9567ae99dcbb0b226f9dd0299aba23de2b354ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiteClient\temp\update.xml
Filesize
714B

MD5
98ecfca52ad8e095f116aae2601951c5

SHA1
f7f69284dcba3c711ac1a3266620737085e9f6b7

SHA256
f642bf6b710cbf8b48afa6c55fc1150f7827d61481a50e10665cbddf502c6f1f

SHA512
8936f3e5efb16b8f731875ae16c2ed28332d61f1412189cb84f78896e84503006b9b2a7e7623a5398a4dcbf593dd5b7a1d5946d049d1f3f5edf0e92df9ca8bd0

Download Submit
\Users\Admin\AppData\Local\Temp\LiteClient\LiteClient.exe
Filesize
2.6MB

MD5
b3f2a7d89da814729ba1c47f96804b64

SHA1
38ba46a41a48dbe21bbb08719cc3d52aa8bf1bbf

SHA256
aae9b395b9e327d2719c98e8b7a44974b029e62977bfef3bf18ae8793de993b0

SHA512
8a6c6b1314aea141b0b7552539a2b81604d15b06b85ec515791c1b17eb4dbbdd1fa49cc2a6bcb63ad2c3a9ea773720f665467625727c77b0713515fb979bf36d

Download Submit
\Users\Admin\AppData\Local\Temp\LiteClient\LiteClient.exe
Filesize
2.6MB

MD5
b3f2a7d89da814729ba1c47f96804b64

SHA1
38ba46a41a48dbe21bbb08719cc3d52aa8bf1bbf

SHA256
aae9b395b9e327d2719c98e8b7a44974b029e62977bfef3bf18ae8793de993b0

SHA512
8a6c6b1314aea141b0b7552539a2b81604d15b06b85ec515791c1b17eb4dbbdd1fa49cc2a6bcb63ad2c3a9ea773720f665467625727c77b0713515fb979bf36d

Download Submit
\Users\Admin\AppData\Local\Temp\LiteClient\LiteClient.exe
Filesize
2.6MB

MD5
b3f2a7d89da814729ba1c47f96804b64

SHA1
38ba46a41a48dbe21bbb08719cc3d52aa8bf1bbf

SHA256
aae9b395b9e327d2719c98e8b7a44974b029e62977bfef3bf18ae8793de993b0

SHA512
8a6c6b1314aea141b0b7552539a2b81604d15b06b85ec515791c1b17eb4dbbdd1fa49cc2a6bcb63ad2c3a9ea773720f665467625727c77b0713515fb979bf36d

Download Submit
\Users\Admin\AppData\Local\Temp\LiteClient\LiteClient.exe
Filesize
2.6MB

MD5
b3f2a7d89da814729ba1c47f96804b64

SHA1
38ba46a41a48dbe21bbb08719cc3d52aa8bf1bbf

SHA256
aae9b395b9e327d2719c98e8b7a44974b029e62977bfef3bf18ae8793de993b0

SHA512
8a6c6b1314aea141b0b7552539a2b81604d15b06b85ec515791c1b17eb4dbbdd1fa49cc2a6bcb63ad2c3a9ea773720f665467625727c77b0713515fb979bf36d

Download Submit