bb7a3834b1e8f94560df24fbfc744f8fc6771f40eb5cb66bd5844134c4838944

Analysis

max time kernel
144s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2023 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CellebriteReader.exe
Size

521.2MB
MD5

4ee6c8c467042231f679373b235a3277
SHA1

473b6be91286e95af2c5f4dc020fb0a0cfb8a64e
SHA256

bb7a3834b1e8f94560df24fbfc744f8fc6771f40eb5cb66bd5844134c4838944
SHA512

ca0a8356109a86b1dbea3d57ba642f88f979e34400dca37f9002e7501808bc0400dcb135eef8118ae573a6a99eb8f3501cc8eba88924ea13bfffdaad38321135
SSDEEP

6291456:merX4TNsSd5LTgMFz2KJbTbOA2yeCpc8xFs5:mu4iSvTysZPe2xs

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 12 IoCs

Processes:

CellebriteReader.exe

pid	process
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe
1760	CellebriteReader.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

CellebriteReader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	CellebriteReader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CellebriteReader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	CellebriteReader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

CellebriteReader.exe

pid process

1760 CellebriteReader.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CellebriteReader.exe

description pid process

Token: SeDebugPrivilege 1760 CellebriteReader.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

CellebriteReader.exe

pid process

1760 CellebriteReader.exe
1760 CellebriteReader.exe

description	pid	process
Token: SeDebugPrivilege	1760	CellebriteReader.exe

C:\Users\Admin\AppData\Local\Temp\CellebriteReader.exe
"C:\Users\Admin\AppData\Local\Temp\CellebriteReader.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CefSharp.dll
Filesize
221KB

MD5
87e6a6b7cf19961bb608b4ea2b02e66b

SHA1
bd84586d4c1277cf2be91e9d8212b22a612cb0a8

SHA256
9c2dd6803e0a02a2ded6f0b0fd1a2e509aec49a03fa33af6a02763e4d35e0c31

SHA512
58491a89096fa25aae0814f41938664d156fe2479827f09145b9f2d62ee39b8fb8bec4e6193608b1cc5eebe5995f4f6b049005770769d3795ce005425f192fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharp.dll
Filesize
221KB

MD5
87e6a6b7cf19961bb608b4ea2b02e66b

SHA1
bd84586d4c1277cf2be91e9d8212b22a612cb0a8

SHA256
9c2dd6803e0a02a2ded6f0b0fd1a2e509aec49a03fa33af6a02763e4d35e0c31

SHA512
58491a89096fa25aae0814f41938664d156fe2479827f09145b9f2d62ee39b8fb8bec4e6193608b1cc5eebe5995f4f6b049005770769d3795ce005425f192fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CommonERM.dll
Filesize
485KB

MD5
7430bf25a02a37330b1c8515f09dc6d7

SHA1
b4b01fbaa30ac69079b278879890776d7dc406dc

SHA256
3afeee07cafb768c249e2d7ae84c7e5cc2fee096e0be6a8754693aedea972829

SHA512
6084012fd2b650e863951f8edd0a603debb4e50ba1b8fe44ac3459b56f6e445813b354f3568c0a8851f9df19d3b8b19b5ab06a903b1a4356ba7a9ffd81e923f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
288KB

MD5
b3ecb7645717e4e0b3daaacbedc7962d

SHA1
6f4fa9e4dd4d15cda757c527921248ad6f914ad2

SHA256
75551655a7473aa582e64dca59d2ae97fa2ba0293b05a0bbc69be001621f32d9

SHA512
5dab84eb7fbe8c3cd30ac67b987c8cad98e9145435bb72957ff1744ba0e09947a34d24e3133209d8f9332a552cc43a950d05a099cc00efdce530ca9dd5b3395c

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
288KB

MD5
b3ecb7645717e4e0b3daaacbedc7962d

SHA1
6f4fa9e4dd4d15cda757c527921248ad6f914ad2

SHA256
75551655a7473aa582e64dca59d2ae97fa2ba0293b05a0bbc69be001621f32d9

SHA512
5dab84eb7fbe8c3cd30ac67b987c8cad98e9145435bb72957ff1744ba0e09947a34d24e3133209d8f9332a552cc43a950d05a099cc00efdce530ca9dd5b3395c

Download Submit
C:\Users\Admin\AppData\Local\Temp\libeay32.dll
Filesize
2.2MB

MD5
54c61976fa3e68a06ae171e6de256003

SHA1
c4949c398e9b5a878634d07c19b92c2ee557241a

SHA256
d98bb0a0bcbb5332c4ed1fc2d11b2d5b456a3e863890e5476e0adda9fd2310f0

SHA512
9eaca66467e85875a09f8a478337b7a9f116c26034ea89030790dea4ce844fc5c96c8637b66c977366313c8a783afb37e367c35168f94b6e75d0dba9f30743d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll
Filesize
618KB

MD5
9ff712c25312821b8aec84c4f8782a34

SHA1
1a7a250d92a59c3af72a9573cffec2fcfa525f33

SHA256
517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094

SHA512
5a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.2MB

MD5
28ab35ca1a3804109f43177552446c46

SHA1
dc4aea6bf488f61d09f195fc99b1128c270dce4a

SHA256
65428cf68340ebc65c399a4e8ae082ac51d31d9476180d94e8fa71d729ffdefa

SHA512
741bddff0de1a6484ac34e547cd1127597899ff893f73beeb9a15c5ec989a48bae8526f88df9af7cd7d1ba141e86278a0a7b32c3835b8d50d2ea9bc8a7a0499e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll
Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Roaming\Cellebrite Mobile Synchronization\UFED Physical Analyzer\b0a2ce81acad647240996dc498dca521\settings.s3db
Filesize
12KB

MD5
4fb960669a8d1a88f294bbc12c3cf4fe

SHA1
ad06ca540febf211aa53a7021e1d4ccb536f9af4

SHA256
8320325ffa544029a60b86dd843b4c280ba6dd8278e685bdc394bcd2e2d5d8a6

SHA512
14505ac6838e2b8eabaeac4ea6890f127e47bb36eac15032fb883ae4afa2ad3157f6eb2ff294d070ca78b3782008361d2e866259313a4693df9ec4ea30610f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Cellebrite Mobile Synchronization\UFED Physical Analyzer\b0a2ce81acad647240996dc498dca521\settings.s3db
Filesize
15KB

MD5
5e83b0b3c4ed98d697c5670c933eaa35

SHA1
7779b3bae967e06ed49eb413f501d219969173ce

SHA256
415bb48f3227de30fdfcefdeabfc523dfc7f0f39eb5f29de913dca69592bbc93

SHA512
0d7049b25cdac8b34877a71963f4943f1f612807078772f0ec1673b17b6369115e7257d628e9d252734deb27e4f2f972f2be9acb3b561f1a7a182dc3fc946f1c

Download Submit
memory/1760-244-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download
memory/1760-208-0x0000014FAB300000-0x0000014FAB34C000-memory.dmp

Filesize
304KB

Download
memory/1760-184-0x0000014FA8C50000-0x0000014FA8C8C000-memory.dmp

Filesize
240KB

Download
memory/1760-186-0x0000014FF98B0000-0x0000014FF98B8000-memory.dmp

Filesize
32KB

Download
memory/1760-179-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download
memory/1760-178-0x0000014FF98A0000-0x0000014FF98AE000-memory.dmp

Filesize
56KB

Download
memory/1760-177-0x0000014FF9980000-0x0000014FF99B8000-memory.dmp

Filesize
224KB

Download
memory/1760-272-0x0000014FF99C0000-0x0000014FF99DC000-memory.dmp

Filesize
112KB

Download
memory/1760-136-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download
memory/1760-135-0x0000014FF9930000-0x0000014FF997A000-memory.dmp

Filesize
296KB

Download
memory/1760-212-0x0000014FAB350000-0x0000014FAB38A000-memory.dmp

Filesize
232KB

Download
memory/1760-218-0x0000014FADF80000-0x0000014FAE4A8000-memory.dmp

Filesize
5.2MB

Download
memory/1760-219-0x0000014FF9900000-0x0000014FF9912000-memory.dmp

Filesize
72KB

Download
memory/1760-134-0x0000014FF98C0000-0x0000014FF98DA000-memory.dmp

Filesize
104KB

Download
memory/1760-235-0x0000014FF9A30000-0x0000014FF9A52000-memory.dmp

Filesize
136KB

Download
memory/1760-243-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download
memory/1760-180-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download
memory/1760-185-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download
memory/1760-220-0x0000014FF9A70000-0x0000014FF9AAC000-memory.dmp

Filesize
240KB

Download
memory/1760-301-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download
memory/1760-312-0x0000014FF9BC0000-0x0000014FF9CCA000-memory.dmp

Filesize
1.0MB

Download
memory/1760-133-0x0000015000000000-0x0000015001000000-memory.dmp

Filesize
16.0MB

Download
memory/1760-898-0x0000014FF9AF0000-0x0000014FF9B30000-memory.dmp

Filesize
256KB

Download
memory/1760-899-0x0000014FF98E0000-0x0000014FF98E8000-memory.dmp

Filesize
32KB

Download
memory/1760-904-0x0000014FF98F0000-0x0000014FF98F8000-memory.dmp

Filesize
32KB

Download
memory/1760-905-0x0000014FF9CD0000-0x0000014FF9D4C000-memory.dmp

Filesize
496KB

Download
memory/1760-906-0x0000014FF9920000-0x0000014FF9928000-memory.dmp

Filesize
32KB

Download
memory/1760-907-0x0000014FF99F0000-0x0000014FF99F8000-memory.dmp

Filesize
32KB

Download
memory/1760-908-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download
memory/1760-915-0x0000014FAAF30000-0x0000014FAB030000-memory.dmp

Filesize
1024KB

Download
memory/1760-916-0x0000014FAAF30000-0x0000014FAB030000-memory.dmp

Filesize
1024KB

Download
memory/1760-917-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download
memory/1760-918-0x0000014F81870000-0x0000014F81880000-memory.dmp

Filesize
64KB

Download