fc247e6789254b76bd8cfb301d0cb0118189cce740a0187835ccc9b94ef7291f

Analysis

max time kernel
24s
max time network
16s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06-07-2023 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
Size

1.5MB
MD5

f998e3ed9d29a42da397df15518a96b6
SHA1

58bafa0cb613f7e862402aae96e1215fe9e932d2
SHA256

fc247e6789254b76bd8cfb301d0cb0118189cce740a0187835ccc9b94ef7291f
SHA512

19dc735e77c2e375fffd9ca5bde44c1e7b6a19c7cf97ffa62d2e09a6465f515cbfa4c28c6566cf1a165593fadb0600d040c34e800d92f6dd478182beda21bc5c
SSDEEP

24576:BJenhwPDC3wvm01GPp0FBI2eOppTB6DSX/ab+bJ7i7Y7gbaVD:yhmCgvm+YULib+V70YsbaV

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe

C:\Users\Admin\AppData\Local\Temp\Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe
"C:\Users\Admin\AppData\Local\Temp\Age of Empires IV v1.0-v17718 Plus 11 Trainer.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c47162c94fd6cad46d13c62f048da9d6

SHA1
4de92a27ffd8d57ce6f93a91a603e6c168d9c789

SHA256
7c34090057bb59eb467c53248895359015d7442f0723dcc3d9f7612b9ce467ff

SHA512
67a989c0bb4a0ea664b5c6af0c1b7ae721739cc039302726531a01eba6a1452922f306e75d80e056745daab4851388e6831a12b9cbecf04be77a13ab5370a01e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a5428d96ac3848180fe084103813311

SHA1
8f211ad280561640275b29360802e4be39e78387

SHA256
68438bad05294ea8cc4e5f3840df9c5c32d3cfdd3030b98accbfb28ebfa170e5

SHA512
d584e4ecf117339df15c1eb46f53c33937daba806704aec866bde2ee534b93a27e804161bbe214f51df2bcab182b9819b405134a1733b4047e149fd675b602dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C01.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4CFE.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/1152-56-0x0000000001CC0000-0x0000000001CF0000-memory.dmp

Filesize
192KB

Download
memory/1152-59-0x000000001B090000-0x000000001B110000-memory.dmp

Filesize
512KB

Download
memory/1152-60-0x000000001B090000-0x000000001B110000-memory.dmp

Filesize
512KB

Download
memory/1152-62-0x000000001B090000-0x000000001B110000-memory.dmp

Filesize
512KB

Download
memory/1152-61-0x0000000001BA0000-0x0000000001BAA000-memory.dmp

Filesize
40KB

Download
memory/1152-173-0x000000001B090000-0x000000001B110000-memory.dmp

Filesize
512KB

Download