e001b3164b91eb4bf414293f28d49adf4c71ebaad40b440d599bf3bcce9e46c7

Analysis

max time kernel
34s
max time network
130s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/06/2023, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d78b2574eaa9fdca7ae33c3a79f51cb7.exe
Size

6.4MB
MD5

d78b2574eaa9fdca7ae33c3a79f51cb7
SHA1

dbcfcecaeaf6ab7fd69b59aebbe4ce8f137ad6d0
SHA256

e001b3164b91eb4bf414293f28d49adf4c71ebaad40b440d599bf3bcce9e46c7
SHA512

f3aee34b7e1f73d146eb75eafc4c5dd03633f2bc6331913cf44c6884c940035e836c6e872d4644dae4d419bb053e6f777a25cd7a9c09391bdc9af1e6d2a7c2ca
SSDEEP

98304:IGFyirBhA31HvYTOQHxSCcM2oBvafGgz0CEC0cCecHL1Rg6zCTwrTDBEH4GlCq:IGgMA6iKxhcJUaSwCecHTnzCGDBKNC

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1648	1740	WerFault.exe	25

Kills process with taskkill 6 IoCs

evasion

pid	Process
752	taskkill.exe
2024	taskkill.exe
680	taskkill.exe
1136	taskkill.exe
1500	taskkill.exe
1380	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	d78b2574eaa9fdca7ae33c3a79f51cb7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	d78b2574eaa9fdca7ae33c3a79f51cb7.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1900	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	27
PID 1740 wrote to memory of 1900	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	27
PID 1740 wrote to memory of 1900	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	27
PID 1900 wrote to memory of 556	1900	cmd.exe	28
PID 1900 wrote to memory of 556	1900	cmd.exe	28
PID 1900 wrote to memory of 556	1900	cmd.exe	28
PID 1740 wrote to memory of 360	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	29
PID 1740 wrote to memory of 360	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	29
PID 1740 wrote to memory of 360	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	29
PID 360 wrote to memory of 1380	360	cmd.exe	30
PID 360 wrote to memory of 1380	360	cmd.exe	30
PID 360 wrote to memory of 1380	360	cmd.exe	30
PID 1740 wrote to memory of 636	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	33
PID 1740 wrote to memory of 636	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	33
PID 1740 wrote to memory of 636	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	33
PID 636 wrote to memory of 752	636	cmd.exe	34
PID 636 wrote to memory of 752	636	cmd.exe	34
PID 636 wrote to memory of 752	636	cmd.exe	34
PID 1740 wrote to memory of 1264	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	35
PID 1740 wrote to memory of 1264	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	35
PID 1740 wrote to memory of 1264	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	35
PID 1264 wrote to memory of 2024	1264	cmd.exe	36
PID 1264 wrote to memory of 2024	1264	cmd.exe	36
PID 1264 wrote to memory of 2024	1264	cmd.exe	36
PID 1740 wrote to memory of 1528	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	37
PID 1740 wrote to memory of 1528	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	37
PID 1740 wrote to memory of 1528	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	37
PID 1528 wrote to memory of 680	1528	cmd.exe	38
PID 1528 wrote to memory of 680	1528	cmd.exe	38
PID 1528 wrote to memory of 680	1528	cmd.exe	38
PID 1740 wrote to memory of 1492	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	39
PID 1740 wrote to memory of 1492	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	39
PID 1740 wrote to memory of 1492	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	39
PID 1492 wrote to memory of 1136	1492	cmd.exe	40
PID 1492 wrote to memory of 1136	1492	cmd.exe	40
PID 1492 wrote to memory of 1136	1492	cmd.exe	40
PID 1740 wrote to memory of 800	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	41
PID 1740 wrote to memory of 800	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	41
PID 1740 wrote to memory of 800	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	41
PID 800 wrote to memory of 1500	800	cmd.exe	42
PID 800 wrote to memory of 1500	800	cmd.exe	42
PID 800 wrote to memory of 1500	800	cmd.exe	42
PID 1740 wrote to memory of 1648	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	43
PID 1740 wrote to memory of 1648	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	43
PID 1740 wrote to memory of 1648	1740	d78b2574eaa9fdca7ae33c3a79f51cb7.exe	43

C:\Users\Admin\AppData\Local\Temp\d78b2574eaa9fdca7ae33c3a79f51cb7.exe
"C:\Users\Admin\AppData\Local\Temp\d78b2574eaa9fdca7ae33c3a79f51cb7.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con:cols=60 lines=30
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\mode.com
    mode con:cols=60 lines=30
    3⤵
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FileActivityWatch.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FileActivityWatch.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im DiskPulse.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im DiskPulse.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im procexp.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im procexp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im procexp.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im procexp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im procexp64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im procexp64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:800
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im procexp64.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1740 -s 1344
  2⤵
  - Program crash
  PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1740-54-0x0000000077080000-0x0000000077082000-memory.dmp

Filesize
8KB

Download
memory/1740-55-0x0000000077080000-0x0000000077082000-memory.dmp

Filesize
8KB

Download
memory/1740-56-0x0000000077080000-0x0000000077082000-memory.dmp

Filesize
8KB

Download
memory/1740-57-0x00000000770B0000-0x00000000770B2000-memory.dmp

Filesize
8KB

Download
memory/1740-58-0x00000000770B0000-0x00000000770B2000-memory.dmp

Filesize
8KB

Download
memory/1740-59-0x00000000770B0000-0x00000000770B2000-memory.dmp

Filesize
8KB

Download
memory/1740-60-0x0000000140000000-0x0000000140C17000-memory.dmp

Filesize
12.1MB

Download