323d3041896331e8524602b6d6b14f2f32fc863fe407391246ccfba66f7ab478

Analysis

max time kernel
103s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 17:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SupportAssistLauncher.exe
Size

686KB
MD5

0ca1e6a0a638a7efabef115682185549
SHA1

59736725665269b2309f69413cf0d55d81df14ad
SHA256

323d3041896331e8524602b6d6b14f2f32fc863fe407391246ccfba66f7ab478
SHA512

8157deb52b41305619812b5342f684525fa4b031d706a93e410b33bf16c22dc0d3cda8648283e650e7626496a3daeff7a10d384c25ffa4fa0be2fa4003dae033
SSDEEP

12288:/21WbdWpy7EbWryd/rEbdQiZc35t+4igGtRTk36/EyHz6lZgQmWP+2PxjaN2LzrK:vNQjO3Q5g4igGHTvEG6laUy9T1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4176	SupportAssistInstaller.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	SupportAssistLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 19000000010000001000000091fad483f14848a8a69b18b805cdbb3a0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d343120000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	SupportAssistLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 040000000100000010000000ee2931bc327e9ae6e8b5f751b4347190030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d34317e000000010000000800000000c001b39667d6011d0000000100000010000000e871723e266f38af5d49cda2a502669c14000000010000001400000055e481d11180bed889b908a331f9a1240916b9700b000000010000001e00000045006e0074007200750073007400200028003200300034003800290000006200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1777f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d819000000010000001000000091fad483f14848a8a69b18b805cdbb3a20000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	SupportAssistLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob = 5c00000001000000040000000008000019000000010000001000000091fad483f14848a8a69b18b805cdbb3a0f0000000100000014000000327fc447408de9bf596f83d4b2fa4b8e3e7097d8090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b060105050703076200000001000000200000006dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb1770b000000010000001e00000045006e00740072007500730074002000280032003000340038002900000014000000010000001400000055e481d11180bed889b908a331f9a1240916b9701d0000000100000010000000e871723e266f38af5d49cda2a502669c7e000000010000000800000000c001b39667d601030000000100000014000000503006091d97d4f5ae39f7cbe7927d7d652d3431040000000100000010000000ee2931bc327e9ae6e8b5f751b434719020000000010000002e0400003082042a30820312a00302010202043863def8300d06092a864886f70d01010505003081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f7269747920283230343829301e170d3939313232343137353035315a170d3239303732343134313531325a3081b431143012060355040a130b456e74727573742e6e65743140303e060355040b14377777772e656e74727573742e6e65742f4350535f3230343820696e636f72702e206279207265662e20286c696d697473206c6961622e2931253023060355040b131c286329203139393920456e74727573742e6e6574204c696d69746564313330310603550403132a456e74727573742e6e65742043657274696669636174696f6e20417574686f726974792028323034382930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad4d4ba91286b2eaa320071516642a2b4bd1bf0b4a4d8eed8076a567b77840c07342c868c0db532bdd5eb8769835938b1a9d7c133a0e1f5bb71ecfe524141eb181a98d7db8cc6b4b03f1020cdcaba54024007f7494a19d0829b3880bf587779d55cde4c37ed76a64ab851486955b9732506f3dc8ba660ce3fcbdb849c176894919fdc0a8bd89a3672fc69fbc711960b82de92cc99076667b94e2af78d665535d3cd69cb2cf2903f92fa450b2d448ce0532558afdb2644c0ee4980775db7fdfb9085560853029f97b48a46986e3353f1e865d7a7a15bdef008e1522541700902693bc0e496891bff847d39d9542c10e4ddf6f26cfc3182162664370d6d5c007e10203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041455e481d11180bed889b908a331f9a1240916b970300d06092a864886f70d010105050003820101003b9b8f569b30e753997c7a79a74d97d7199590fb061fca337c46638f966624fa401b2127cae67273f24ffe3199fdc80c4c6853c680821398fab6adda5d3df1ce6ef6151194820cee3f95af11ab0fd72fde1f038f572c1ec9bb9a1a4495eb184fa61fcd7d57102f9b04095a84b56ed81d3ae1d69ed16c795e791c14c5e3d04c933b653ceddf3dbea6e5951ac3b519c3bd5e5bbbff23ef6819cb1293275c032d6f30d01eb61aacde5af7d1aaa827a6fe7981c479993357ba12b0a9e0426c93ca56defe6d840b088b7e8dead79821c6f3e73c792f5e9cd14c158de1ec2237cc9a430b97dc80908db3679b6f48081556cfbff12b7c5e9a76e95990c57c8335116551	SupportAssistLauncher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	SupportAssistInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SupportAssistInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	SupportAssistInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431	SupportAssistLauncher.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4620	SupportAssistLauncher.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	SupportAssistLauncher.exe
Token: SeDebugPrivilege	4176	SupportAssistInstaller.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 4176	4620	SupportAssistLauncher.exe	84
PID 4620 wrote to memory of 4176	4620	SupportAssistLauncher.exe	84

C:\Users\Admin\AppData\Local\Temp\SupportAssistLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\SupportAssistLauncher.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\SAExtract\SupportAssistInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\SAExtract\SupportAssistInstaller.exe" "esupport"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_586120603910E6A9024E2F8513B0F104

Filesize
812B

MD5
0aafe769ab80a74d94ca6d96d47cf3bc

SHA1
37aaa1d8ee97558048a5fa2d0ec008783c045c38

SHA256
a5c07c8989fe4f4988bde97b93e4b4c3e598d412dce8a668c0e2ddc068537510

SHA512
a0a70fdf1960e050a88913a486116ddbd62dd845f7acb73e774e5e30282fc1b9f1ef4f3fe8042e348fa82e8ede106bd59f52a66b96646efe7293cf0be603069f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
1KB

MD5
901021d8dcd9875772785c756ff54c2e

SHA1
11e1bac41dfa2129ed32b4bf38a3c181af43ad64

SHA256
ccec2ff74742bca0789627d58781ee46077ed5e00bcb10f05d0b90b2a3cc9867

SHA512
c5197300279fbbae033fba35d629604cae5e91fdf963dd411a51c902da189bbfe766c639d75652f71a6a6988adb548f522e8112614240707e269221c16f9231b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B44415D7D09A541D4434BC30A996B105_979DACFD4391707412A3C7ADC09936DC

Filesize
786B

MD5
ace27695bef5afc8cbc61c25838c6e5b

SHA1
70ce8a7267e9795bddd8caf204f5c4623d6779a1

SHA256
ae6ab8fb7ed449df9ad8d350b1ac5d6213e3b5772f5744854fa87c3778f35646

SHA512
761de08ba6fb9d2fd26c30a443e3461ef4616902b3debc4091bab3c82039c04fb8607e5a65455f44e617119aa6f63d5a086b62eda2dd637fec0450370db7ec1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_586120603910E6A9024E2F8513B0F104

Filesize
532B

MD5
8bbea55ff7a28e2283f712f3a4c53c62

SHA1
1c72cf0ca50406ca449ce8a9f31afe2cff665116

SHA256
8fa12904814c7c4e3bdfb792dce0a0b11d757701135ccc643f3420ae445c0500

SHA512
7d290dec4489a216c54f05ecbd9e2a8f4b5bcd1dc392c073cc843c43140194defcec2e6287817ddb9118c48029f67ad8d07ce744b5377612a77cf85735c45585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
528B

MD5
169009368270eaf225db941d74227f2e

SHA1
ed5c9d95705734425173522d7ae3a7cf5cad034c

SHA256
d0a9cb04ae09f03df784531a93b5c1e21676eebd09866c46c0235c42b4608c49

SHA512
95829629d187d3261fb99cbcf9563348d3f6af7d4c200216b86f17b9dd18128ff033f0fc576d3c2cf0b1d5414d5dc237ff584741a5128c7919b5aa50022c8148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B44415D7D09A541D4434BC30A996B105_979DACFD4391707412A3C7ADC09936DC

Filesize
532B

MD5
75718bee37fca29b18c3f4cc006c0f1f

SHA1
dcc64d61b97c9ff13b038d114047c3c889c44d41

SHA256
148fad28acb6b45ee7d279e96cb4fa5a6379c3c0362c1b1768df850c02cf628f

SHA512
62e082f5176795955eb5b4e7c3b2534b935f049344882cd13742e422ab1e7d78a52adf0dfe1ac27d495a0b166b6317fa10c3393edaefbc2952e7b845b30e617e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\Dell.SupportAssist.Client.FrameworkLogger.dll

Filesize
18KB

MD5
cca8253e8d2382ee5786fa0b3524dd03

SHA1
3623474f9d6557ead43f6c19066beb2af16fdcb4

SHA256
54558aee109e725b85a8e3b2ad80c2c05aac3fe11b4767e41e107a0037c494d1

SHA512
cf0f04db6c59f76921f095c5a1ae86673aff8b954cbc3d9d80fed0eea3a1d9e8b5f8bfafed9ae55fe42cf49a70364e346af83531b225d831bac66dfb177b26a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\Microsoft.Practices.Unity.dll

Filesize
143KB

MD5
ff0036559e10d8a5a1397068afc048a5

SHA1
4c1966ec73bdad20edf08ecf576ae5c71003e9db

SHA256
aed378510bbeea3405b97b156f34ab54fdb82c719f2658f89e81af15b9bcf11d

SHA512
ab251274bf59ac231c7e9e13b80c74238865528272b5b8936106ef0b09eaae781709b2534688665e1ba96462a851db81f96f88db94ddd7e1316bda0fb1d81d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\Newtonsoft.Json.dll

Filesize
688KB

MD5
627dfdc58840ec76e971ad80c9234862

SHA1
59923257d4780178415fc4f2023a37835edb308d

SHA256
224d82fafc2c9b9d0f4042492128b65a11c2a01b87cd8b49f177fc2ab1f636f5

SHA512
3aaad140957b38e6e4eac2ec8ed5739497dc3a4ba1f34b394d390fdf3b3080363bc17acc4c00be6887ced3479265ac7e7f3db4368333204cf98da3e26815ab9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\Resource\Dell_SupportAssistAgent.ico

Filesize
398KB

MD5
ff86e0f60d31e8cfd9f53f96c733d287

SHA1
4820eae4ea33848b8e89750bdeacba59f9e6ebc0

SHA256
ac44db099b66c1168fa590bde9c7f9a4fcace385fbf4fe779b106fb7edcb7115

SHA512
4071ddd0d22bbf7612d942579251b8b34b78a42d4263993d5892838f230bf2c2aa9a84cdb1fe6c8d1e78cc08abbe298ea957e5050984f7500e63b4392d9d6567

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\Resource\New-Dell-Logo-White.png

Filesize
1KB

MD5
18ae7c444367fb4bf43e20dcd4f721f0

SHA1
5e1ef40acfac3e3a2d6fd0fcd98ba823de0e2b83

SHA256
c3b07610d159518dfbf0087bd3ad60193b2814d391d5f960538397422ec2fcf7

SHA512
6927b547441ad5d401fce6ca48e52172921876f905228074ef336d7a770df719632763a318e93d7f35e02ad57bea8fa792d85e516c48c4e29ee80ab75efaa0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\Resource\en-US\Installer.json

Filesize
6KB

MD5
e77a2feffb5098a2ebcce3fa59f3b16d

SHA1
a0efede7cde8cf19139fa120d1c4e224bc0a2210

SHA256
6f4fec7192e742333159e5430aec626c690993154cea79574f149f7518084b6d

SHA512
0c8cf8aef7aa1ec80f17637c7fb8add1d9db181c54b80f4a09d40ddd5c8bc7087949bac7b20660d76298ad4d73b30528aa3c5a1f4e4f42fada3c044533c137e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\Resource\greenTick_28x28.png

Filesize
437B

MD5
7910e3985d12331c628b93037de44e43

SHA1
25a5e741673b5ac43afcbc5a5131779d39de0596

SHA256
92403fbb74777ea753908726d2548f3d08ce242aa61afe0dcd19cbb0325dcb2f

SHA512
8237efaa34165f5d465787ce3976d224f35f9a2b8c2092193675906eef3a1aab341ccff30706876b8d39947f24aefa86176a4698f2ca28cc20e652d3f475c8d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\SupportAssistInstaller.exe

Filesize
650KB

MD5
eb126994579ac1d28bbff59c47a96d9d

SHA1
9f826a221bb2803fa274796a85b5b37c59805de8

SHA256
bdc2e292032f4085aab7fcfdc8fb61de67facb7681ce9bb543daa8e5558ef5b2

SHA512
6f33ae2b349c873ea185af484c06c903210e6785fb9e8d6e2d11f33df467fb393dfad2df55322b09065536864dfd074aa8d88b494a6501473692694ffab98d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\SupportAssistInstaller.exe

Filesize
650KB

MD5
eb126994579ac1d28bbff59c47a96d9d

SHA1
9f826a221bb2803fa274796a85b5b37c59805de8

SHA256
bdc2e292032f4085aab7fcfdc8fb61de67facb7681ce9bb543daa8e5558ef5b2

SHA512
6f33ae2b349c873ea185af484c06c903210e6785fb9e8d6e2d11f33df467fb393dfad2df55322b09065536864dfd074aa8d88b494a6501473692694ffab98d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\SupportAssistInstaller.exe

Filesize
650KB

MD5
eb126994579ac1d28bbff59c47a96d9d

SHA1
9f826a221bb2803fa274796a85b5b37c59805de8

SHA256
bdc2e292032f4085aab7fcfdc8fb61de67facb7681ce9bb543daa8e5558ef5b2

SHA512
6f33ae2b349c873ea185af484c06c903210e6785fb9e8d6e2d11f33df467fb393dfad2df55322b09065536864dfd074aa8d88b494a6501473692694ffab98d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\SupportAssistInstaller.exe.config

Filesize
538B

MD5
e97ac84664026547fb344425a89c0edd

SHA1
6fd4dc83604a75e8c8057fb3008d044da91e16e1

SHA256
e93f8fbaece629c2d4621e7ca82ec57d1f05a746a06f45f8b41a43413885e518

SHA512
465a0ff55c6911cd6dcd1fc20b9d80ae45213994ddcc61b5dfbf0f84ec1994b87618d430952b41e7a242af44682cb38fb490d9a3a4f5fa23f4725e0daf410038

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\log4net.config

Filesize
813B

MD5
f6f8cd68eabfb8b7131d0d4de878272f

SHA1
ddc0655264cfee990bcd96b834bcf6b0e76de7f9

SHA256
087197e3b5820d8b79cad05db5331ecc114e701f273571e2b833e01472897ea5

SHA512
617b6227542b25e0c53cf36897018e524895676d07ddbf95550c18091aaa1af23aedf2fb969b2c752364867d03252c624a537ffa23523e5bd10850e81b426e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAExtract\log4net.dll

Filesize
274KB

MD5
ff01bb7a3df70d72c4df2f891fd5390c

SHA1
bbc878a683210fdbd65d4c96f9ee4c1a60eeff9c

SHA256
f5ae00a619e0f1d176260edf70a0fe25451e0215507be487ddd39da51d2338d1

SHA512
8969ee36c2305e55b2f7985e07116d0c4831286ef0f357130fd4b70bc66e7503cfc4722eefa985b73e128a1b82311be0e3e3923e66d9da2f75971b573ce160af

Download Submit
memory/4176-255-0x000001CA69580000-0x000001CA69588000-memory.dmp

Filesize
32KB

Download
memory/4176-267-0x000001CA69AE0000-0x000001CA69B90000-memory.dmp

Filesize
704KB

Download
memory/4176-243-0x000001CA4DD90000-0x000001CA4DD98000-memory.dmp

Filesize
32KB

Download
memory/4176-241-0x000001CA4DD80000-0x000001CA4DD8A000-memory.dmp

Filesize
40KB

Download
memory/4176-240-0x000001CA67AA0000-0x000001CA67AC8000-memory.dmp

Filesize
160KB

Download
memory/4176-253-0x000001CA695E0000-0x000001CA695F0000-memory.dmp

Filesize
64KB

Download
memory/4176-254-0x000001CA69590000-0x000001CA69598000-memory.dmp

Filesize
32KB

Download
memory/4176-288-0x000001CA695E0000-0x000001CA695F0000-memory.dmp

Filesize
64KB

Download
memory/4176-256-0x000001CA695B0000-0x000001CA695B8000-memory.dmp

Filesize
32KB

Download
memory/4176-257-0x000001CA695C0000-0x000001CA695C8000-memory.dmp

Filesize
32KB

Download
memory/4176-258-0x000001CA695D0000-0x000001CA695D8000-memory.dmp

Filesize
32KB

Download
memory/4176-259-0x000001CA698E0000-0x000001CA698E8000-memory.dmp

Filesize
32KB

Download
memory/4176-260-0x000001CA695A0000-0x000001CA695A8000-memory.dmp

Filesize
32KB

Download
memory/4176-261-0x000001CA69900000-0x000001CA69908000-memory.dmp

Filesize
32KB

Download
memory/4176-262-0x000001CA698F0000-0x000001CA698F8000-memory.dmp

Filesize
32KB

Download
memory/4176-238-0x000001CA695E0000-0x000001CA695F0000-memory.dmp

Filesize
64KB

Download
memory/4176-237-0x000001CA4D600000-0x000001CA4D6A4000-memory.dmp

Filesize
656KB

Download
memory/4176-245-0x000001CA67B20000-0x000001CA67B66000-memory.dmp

Filesize
280KB

Download
memory/4176-287-0x000001CA695E0000-0x000001CA695F0000-memory.dmp

Filesize
64KB

Download
memory/4176-269-0x000001CA69A80000-0x000001CA69AA2000-memory.dmp

Filesize
136KB

Download
memory/4176-270-0x000001CA695E0000-0x000001CA695F0000-memory.dmp

Filesize
64KB

Download
memory/4176-286-0x000001CA695E0000-0x000001CA695F0000-memory.dmp

Filesize
64KB

Download
memory/4176-272-0x000001CA69C50000-0x000001CA69D0A000-memory.dmp

Filesize
744KB

Download
memory/4176-273-0x000001CA69A40000-0x000001CA69A48000-memory.dmp

Filesize
32KB

Download
memory/4176-274-0x000001CA69A50000-0x000001CA69A58000-memory.dmp

Filesize
32KB

Download
memory/4176-285-0x000001CA695E0000-0x000001CA695F0000-memory.dmp

Filesize
64KB

Download
memory/4176-277-0x000001CA69C10000-0x000001CA69C18000-memory.dmp

Filesize
32KB

Download
memory/4176-278-0x000001CA695E0000-0x000001CA695F0000-memory.dmp

Filesize
64KB

Download
memory/4176-279-0x000001CA6C350000-0x000001CA6C388000-memory.dmp

Filesize
224KB

Download
memory/4176-280-0x000001CA6BE20000-0x000001CA6BE2E000-memory.dmp

Filesize
56KB

Download
memory/4176-282-0x000001CA6D5E0000-0x000001CA6D7A2000-memory.dmp

Filesize
1.8MB

Download
memory/4620-284-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/4620-134-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/4620-136-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/4620-214-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/4620-133-0x0000000000B90000-0x0000000000C3E000-memory.dmp

Filesize
696KB

Download