a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
08/08/2023, 18:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
Size

2.1MB
MD5

dd8a9df687159b7b689e39f52ea24e59
SHA1

4725058cb525289ac4dea8a90c2ff70ce110b77a
SHA256

a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4
SHA512

3b1fd10bde94721e1b5e33bc0380680b0ddfdc4616d6ee0eeb5201812ea9117f49a5b094507ae4b5aaf78e681eb1c240fbabf6c4a33f1d3d26bf91958b9c131a
SSDEEP

49152:Yb6L/TPtEcWM0kZLH4rYZZFeEcvAJaU2hVv:YuTucmY1ZFm

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3068	1036	WerFault.exe	27

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1424	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2524	wmic.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2000	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe
Token: SeIncreaseQuotaPrivilege	2524	wmic.exe
Token: SeSecurityPrivilege	2524	wmic.exe
Token: SeTakeOwnershipPrivilege	2524	wmic.exe
Token: SeLoadDriverPrivilege	2524	wmic.exe
Token: SeSystemProfilePrivilege	2524	wmic.exe
Token: SeSystemtimePrivilege	2524	wmic.exe
Token: SeProfSingleProcessPrivilege	2524	wmic.exe
Token: SeIncBasePriorityPrivilege	2524	wmic.exe
Token: SeCreatePagefilePrivilege	2524	wmic.exe
Token: SeBackupPrivilege	2524	wmic.exe
Token: SeRestorePrivilege	2524	wmic.exe
Token: SeShutdownPrivilege	2524	wmic.exe
Token: SeDebugPrivilege	2524	wmic.exe
Token: SeSystemEnvironmentPrivilege	2524	wmic.exe
Token: SeRemoteShutdownPrivilege	2524	wmic.exe
Token: SeUndockPrivilege	2524	wmic.exe
Token: SeManageVolumePrivilege	2524	wmic.exe
Token: 33	2524	wmic.exe
Token: 34	2524	wmic.exe
Token: 35	2524	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2000	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	28
PID 1036 wrote to memory of 2000	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	28
PID 1036 wrote to memory of 2000	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	28
PID 1036 wrote to memory of 2000	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	28
PID 1036 wrote to memory of 2396	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	30
PID 1036 wrote to memory of 2396	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	30
PID 1036 wrote to memory of 2396	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	30
PID 1036 wrote to memory of 2396	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	30
PID 1036 wrote to memory of 2524	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	32
PID 1036 wrote to memory of 2524	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	32
PID 1036 wrote to memory of 2524	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	32
PID 1036 wrote to memory of 2524	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	32
PID 2396 wrote to memory of 1424	2396	cmd.exe	34
PID 2396 wrote to memory of 1424	2396	cmd.exe	34
PID 2396 wrote to memory of 1424	2396	cmd.exe	34
PID 2396 wrote to memory of 1424	2396	cmd.exe	34
PID 1036 wrote to memory of 3068	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	36
PID 1036 wrote to memory of 3068	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	36
PID 1036 wrote to memory of 3068	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	36
PID 1036 wrote to memory of 3068	1036	a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe	36
PID 2808 wrote to memory of 2888	2808	taskeng.exe	40
PID 2808 wrote to memory of 2888	2808	taskeng.exe	40
PID 2808 wrote to memory of 2888	2808	taskeng.exe	40
PID 2808 wrote to memory of 2888	2808	taskeng.exe	40
PID 2808 wrote to memory of 2512	2808	taskeng.exe	41
PID 2808 wrote to memory of 2512	2808	taskeng.exe	41
PID 2808 wrote to memory of 2512	2808	taskeng.exe	41
PID 2808 wrote to memory of 2512	2808	taskeng.exe	41

C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\\\""
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C SCHTASKS /Create /SC MINUTE /TN MicrosoftEdgeUpdateTaskMain /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\schtasks.exe
    SCHTASKS /Create /SC MINUTE /TN MicrosoftEdgeUpdateTaskMain /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:1424
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 896
  2⤵
  - Program crash
  PID:3068

C:\Windows\system32\taskeng.exe
taskeng.exe {22C91869-F9C5-4297-A4A6-F86CB475C3E0} S-1-5-21-1014134971-2480516131-292343513-1000:NYBYVYTJ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
  C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
  2⤵
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
  C:\Users\Admin\AppData\Local\Temp\a00e0ffba9c2c81ef3a2f30a3fab80606bb943f9bf30233d3c26dd14c3a795c4exe_JC.exe
  2⤵
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-65-0x00000000009B0000-0x0000000000BC9000-memory.dmp

Filesize
2.1MB

Download
memory/1036-66-0x00000000009B0000-0x0000000000BC9000-memory.dmp

Filesize
2.1MB

Download
memory/2000-56-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-57-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-58-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2000-59-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2000-60-0x0000000073E00000-0x00000000743AB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-75-0x00000000009B0000-0x0000000000BC9000-memory.dmp

Filesize
2.1MB

Download
memory/2888-68-0x00000000009B0000-0x0000000000BC9000-memory.dmp

Filesize
2.1MB

Download