fc1fb33aa35668af6193a2d521edc97e10b3f64cbd3640de7da1dd3e8a158b68

General

Target

1af69713a366a92c3b264e3a0e1565ba.exe
Size

3.5MB
MD5

1af69713a366a92c3b264e3a0e1565ba
SHA1

72c9ab603da34bfb19af604489089d9fe9ed8653
SHA256

fc1fb33aa35668af6193a2d521edc97e10b3f64cbd3640de7da1dd3e8a158b68
SHA512

991fbde8bc838e165e97a7a0d242253060f762e2f579b007a29ac816461cd0e51758e740f45ff31d618a8aed057f89f6240cea3a0a7d3f3bb51eb98d08e5c8b9
SSDEEP

24576:gfRd0GtFA0vCpl0og+0q56UGEL5mSewB7CWq22d9nIcnHke6Q2lYeRVCFMjYg6Co:xB0diHNF3ynElzHcg6rv

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

AutoClicker.exeAutoClicker.exe

pid process

628 AutoClicker.exe
1764 AutoClicker.exe
Loads dropped DLL 2 IoCs

Processes:

1af69713a366a92c3b264e3a0e1565ba.exe

pid process

1408 1af69713a366a92c3b264e3a0e1565ba.exe
1408 1af69713a366a92c3b264e3a0e1565ba.exe

pid	process
628	AutoClicker.exe
1764	AutoClicker.exe

pid	process
1408	1af69713a366a92c3b264e3a0e1565ba.exe
1408	1af69713a366a92c3b264e3a0e1565ba.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1af69713a366a92c3b264e3a0e1565ba.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\1af69713a366a92c3b264e3a0e1565ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1af69713a366a92c3b264e3a0e1565ba.exe"	1af69713a366a92c3b264e3a0e1565ba.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1816 1408 WerFault.exe 1af69713a366a92c3b264e3a0e1565ba.exe

pid	pid_target	process	target process
1816	1408	WerFault.exe	1af69713a366a92c3b264e3a0e1565ba.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1af69713a366a92c3b264e3a0e1565ba.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	1af69713a366a92c3b264e3a0e1565ba.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	1af69713a366a92c3b264e3a0e1565ba.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

824 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1af69713a366a92c3b264e3a0e1565ba.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1408 1af69713a366a92c3b264e3a0e1565ba.exe
Token: SeDebugPrivilege 824 powershell.exe

pid	process
824	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1408	1af69713a366a92c3b264e3a0e1565ba.exe
Token: SeDebugPrivilege	824	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1af69713a366a92c3b264e3a0e1565ba.exeAutoClicker.exe

description	pid	process	target process
PID 1408 wrote to memory of 628	1408	1af69713a366a92c3b264e3a0e1565ba.exe	AutoClicker.exe
PID 1408 wrote to memory of 628	1408	1af69713a366a92c3b264e3a0e1565ba.exe	AutoClicker.exe
PID 1408 wrote to memory of 628	1408	1af69713a366a92c3b264e3a0e1565ba.exe	AutoClicker.exe
PID 1408 wrote to memory of 628	1408	1af69713a366a92c3b264e3a0e1565ba.exe	AutoClicker.exe
PID 1408 wrote to memory of 1764	1408	1af69713a366a92c3b264e3a0e1565ba.exe	AutoClicker.exe
PID 1408 wrote to memory of 1764	1408	1af69713a366a92c3b264e3a0e1565ba.exe	AutoClicker.exe
PID 1408 wrote to memory of 1764	1408	1af69713a366a92c3b264e3a0e1565ba.exe	AutoClicker.exe
PID 1408 wrote to memory of 1764	1408	1af69713a366a92c3b264e3a0e1565ba.exe	AutoClicker.exe
PID 1764 wrote to memory of 824	1764	AutoClicker.exe	powershell.exe
PID 1764 wrote to memory of 824	1764	AutoClicker.exe	powershell.exe
PID 1764 wrote to memory of 824	1764	AutoClicker.exe	powershell.exe
PID 1764 wrote to memory of 824	1764	AutoClicker.exe	powershell.exe
PID 1408 wrote to memory of 1816	1408	1af69713a366a92c3b264e3a0e1565ba.exe	WerFault.exe
PID 1408 wrote to memory of 1816	1408	1af69713a366a92c3b264e3a0e1565ba.exe	WerFault.exe
PID 1408 wrote to memory of 1816	1408	1af69713a366a92c3b264e3a0e1565ba.exe	WerFault.exe
PID 1408 wrote to memory of 1816	1408	1af69713a366a92c3b264e3a0e1565ba.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1af69713a366a92c3b264e3a0e1565ba.exe
"C:\Users\Admin\AppData\Local\Temp\1af69713a366a92c3b264e3a0e1565ba.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\ProgramData\AutoClicker.exe
"C:\ProgramData\AutoClicker.exe"
2⤵
- Executes dropped EXE
PID:628

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoClicker.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoClicker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoClicker.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1776
2⤵
- Program crash
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AutoClicker.exe
Filesize
265KB

MD5
c2c70b1f958ffffe4afc8b3ee0ebc546

SHA1
514af7e302b3c777836f04a4e5619929b86994f3

SHA256
062e27da766f61b20623071d6d1075732e41bcacb83dad88f4112211c8b28cf2

SHA512
70dc59704a4dd7a736721f388c63b7d1e02d1c9572e2cb403516491859098773ae54fe47e1cd55a77db8081a80a0d5c568f961e5a085feefd750a43dc25c7e12

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoClicker.exe
Filesize
783KB

MD5
2331722cb92d6f0ff5cdf06f06a1838d

SHA1
0d8a45c8c0d58ef84fa6c90d7c945b786dc987e4

SHA256
708da8066dbed516693fc9f57f930b99dc0477aaadb47a706c59c3beb03ef3ef

SHA512
780e444faaf82af735840acf62f7aa60b8801f5bfcbf33827f03a54c2d1fb46596e973d08f262b2d7c916602933f15686dad8f4b2b2d7f017e56a9df82af929d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoClicker.exe
Filesize
783KB

MD5
2331722cb92d6f0ff5cdf06f06a1838d

SHA1
0d8a45c8c0d58ef84fa6c90d7c945b786dc987e4

SHA256
708da8066dbed516693fc9f57f930b99dc0477aaadb47a706c59c3beb03ef3ef

SHA512
780e444faaf82af735840acf62f7aa60b8801f5bfcbf33827f03a54c2d1fb46596e973d08f262b2d7c916602933f15686dad8f4b2b2d7f017e56a9df82af929d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoClicker.exe
Filesize
130KB

MD5
4ec08c005a1e69cdac84c98e920af634

SHA1
3cc63a15aa7f0a26ea81ff7e02bc00327e2001b6

SHA256
f7d2ab0f7668e1a263847f9cff18fb536ee0a8ab9d8d7bc67bd435a136bec83d

SHA512
282e13b6a01408e0ef63c51a682f458faf1179b80f08b63c0486b0267f7fa3ba70a147a48b1d643dafd51a8439ba427fa88e00b137d83882611bc23306e5eebe

Download Submit
\ProgramData\AutoClicker.exe
Filesize
265KB

MD5
c2c70b1f958ffffe4afc8b3ee0ebc546

SHA1
514af7e302b3c777836f04a4e5619929b86994f3

SHA256
062e27da766f61b20623071d6d1075732e41bcacb83dad88f4112211c8b28cf2

SHA512
70dc59704a4dd7a736721f388c63b7d1e02d1c9572e2cb403516491859098773ae54fe47e1cd55a77db8081a80a0d5c568f961e5a085feefd750a43dc25c7e12

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoClicker.exe
Filesize
783KB

MD5
2331722cb92d6f0ff5cdf06f06a1838d

SHA1
0d8a45c8c0d58ef84fa6c90d7c945b786dc987e4

SHA256
708da8066dbed516693fc9f57f930b99dc0477aaadb47a706c59c3beb03ef3ef

SHA512
780e444faaf82af735840acf62f7aa60b8801f5bfcbf33827f03a54c2d1fb46596e973d08f262b2d7c916602933f15686dad8f4b2b2d7f017e56a9df82af929d

Download Submit
memory/628-62-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/824-76-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/824-77-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/824-78-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/1408-54-0x00000000012C0000-0x0000000001640000-memory.dmp

Filesize
3.5MB

Download
memory/1408-55-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/1408-80-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/1764-70-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads