e6f69ffc88998be1023154813636ba18ca2905e03faf92a33ce77fa01848cd0b

Analysis

max time kernel
121s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f_001917.exe
Size

4.9MB
MD5

b04bf24c595cc63b27fc383e4ef8cf08
SHA1

c0339e7ad57976cde8f3c7b892081a13b30b9848
SHA256

7e955543f89c1cdddf7f507be671f7a5ce976cd59d80e12383ead2dd655ef2e3
SHA512

0e5394da301d069dacfa8e060136241e9cc7a19148f67b1bbc660ebb1a65dbac9c0a7e512812cf5f205a95905c45d97aebfd4b6cb20f5e7ed2f9ba3098515180
SSDEEP

98304:n33U6vME7QCEmCvAPsxgaLna/bxNrf4cUMGOnk6LPVkoVc0KR4jLqmWaJdVC/y:0ohiBvAPKgKndcUMzFPxtDFr

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

f_001917.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	f_001917.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	f_001917.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	f_001917.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f_001917.exe

pid process

2012 f_001917.exe
2012 f_001917.exe
2012 f_001917.exe
2012 f_001917.exe
2012 f_001917.exe
2012 f_001917.exe

pid	process
2012	f_001917.exe
2012	f_001917.exe
2012	f_001917.exe
2012	f_001917.exe
2012	f_001917.exe
2012	f_001917.exe

C:\Users\Admin\AppData\Local\Temp\f_001917.exe
"C:\Users\Admin\AppData\Local\Temp\f_001917.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2012-133-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/2012-134-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/2012-135-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/2012-136-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/2012-137-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/2012-138-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2012-139-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-142-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-143-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-144-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-145-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-146-0x0000000077DB0000-0x0000000077DC0000-memory.dmp

Filesize
64KB

Download
memory/2012-147-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-148-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-149-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-150-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-151-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-152-0x0000000077DB0000-0x0000000077DC0000-memory.dmp

Filesize
64KB

Download
memory/2012-153-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-154-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-156-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-157-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-158-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-159-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-160-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-161-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-162-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-168-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-170-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-169-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-171-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-172-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-173-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-174-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-175-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-176-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-177-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-178-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-179-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-180-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-181-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-182-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-184-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-183-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-185-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-186-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-188-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-189-0x0000000003700000-0x000000000377A000-memory.dmp

Filesize
488KB

Download
memory/2012-187-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-190-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-191-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-192-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-193-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-194-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-195-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-196-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download
memory/2012-197-0x0000000000570000-0x0000000000DFB000-memory.dmp

Filesize
8.5MB

Download