e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-08-2023 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
Size

8.0MB
MD5

99a5729e7a1ff29bb5efc0402411c22c
SHA1

37d3373b084f963498d8d45bc3fa5bb1cc187e26
SHA256

e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976
SHA512

31df6687c7b6586c05b740b9cd12a222ab18b7c415ad494e9b2690951b483a3d5600f1af354b386de756a9f1ddf913c9357fe42580a1f0f3f884afc204fcfd1c
SSDEEP

196608:5YoJFED8vH2Q48cXKhYWcqlpLBB5YNwwHVaUTbV8:h1v1ZKT78

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 11 IoCs

pid	Process
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\810F700B8D1E6BA209088EFD9541302C1F52544C	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\810F700B8D1E6BA209088EFD9541302C1F52544C\Blob = 030000000100000014000000810f700b8d1e6ba209088efd9541302c1f52544c2000000001000000a7030000308203a33082028ba003020102021000c5c06d8d7c5ab01271359e83785f51300d06092a864886f70d01010b0500306a312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31183016060355040a0c0f444f5f4e4f545f54525553545f42433121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3233303831313030303030305a170d3333303831383134333934375a306a312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31183016060355040a0c0f444f5f4e4f545f54525553545f42433121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a02820101008c500ccfcb41c449006818374be0f7e9af0d68cff9752546247245c755e6e666449f867e9e031b4f2ecb416be5c5f1b061285ba63f0745b1776878fc80e9237ef50d223e6041a3aadd934f8d35bdba3a1bb7525fa360ad1931d6c2df6c27be40b1e798da303fa04f9c4a743c62ffd53992f9c0c51adbda4e0cbd01a3266e83b68af11380bee2e88ddde3466193abfc5339e79cc4673b9de30da8c0d714e665ea1686e1e5c00f9c1a02cd9aba45784a4bcecffe157c616cff55f566f8235f912306a6a27ac0d6e8bbed5898254c54edca3f233cedccde873ea5837b98d9490989d339a39866ac21e05fb3ce8a289499bf048d21244d2cc8051caf0cee347891cb0203010001a345304330120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020204301d0603551d0e041604145da95ab422938aef3a42e8c1acfbd8faef4846cd300d06092a864886f70d01010b0500038201010046c2ff07eed0e47acde0311625e7bcceda75335e721d008424a80e82c40a89a91053015233d370d17f5dd27fd59cd3654f7f33e44d6c639353feb6401293b7290a74ff33ff16edd9950f2edfa9b29ce3dad244eeac8ec44aa4bb7f7146057f5e4450989f327f0f4d6d78c979e752dd45c35179af861ce3d06dfd701dba8688260eba7476feefee635281b632932148f12ef82b82cc172d7382f856ebce694656b3567ae4904523fbb5f2d7327bf8d0891f6afa5abef61085bfca850aa015b1e5b66377b27cd8ac7174f2344c3b57a9d8c3db0096bf0bb978f1fb9ab20b2dc3e72d7e08e5c50d7c983305b637f0f0ba6c0a09f8944321f9b60385136af3605c6f	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
2596	e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe

C:\Users\Admin\AppData\Local\Temp\e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe
"C:\Users\Admin\AppData\Local\Temp\e00cc33b937cc95abf1bf1105f4e4c461578d39c0dfee8d37e198e21e4cd9976.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Config.ini

Filesize
79B

MD5
f693bb15e715fa7c53aef54c611fb0a5

SHA1
50b2a22fae368818ba787c21756531d9a3c44ee4

SHA256
1977250655346b5f9cccccfe094755a1af4631288f1f44172ef235d34269bca6

SHA512
a86d7664a80f8b083299bc3a44b0265f617ec79bc0f707a47e7fe51ac978230e24574abac319671c64a85e89e4fb26691f26a0ec3faebe72f2eefcf58c134849

Download Submit
C:\Users\Admin\AppData\Local\Temp\efd.dll

Filesize
37KB

MD5
5df37d5f681e6510d70a7980ec1bd1ed

SHA1
4a6832c6ee35d6b834847a9c648edc028ea0d30f

SHA256
932cb9dd22637532df47ed17f529649d959a7115077820d7e856299321d53a4b

SHA512
2d13020417f9069a060561fefc2c3ee4519548b12ce0db4ece4447f6ad89e18c8677d8e89bc63cfe88a0145ed194c08dced82c5736e0b85d804dd7a0cb708d5c

Download Submit
\Users\Admin\AppData\Local\Temp\BCMakeCert.dll

Filesize
474KB

MD5
5d895d1c6cee56d206b6cd973479638d

SHA1
08fa15d13454b1113d3818133f7a10f3cb3dd451

SHA256
bcfc362b42422cede445c8a119d454484b3842eb808b7ddf1b5aeb7242e06abb

SHA512
8f2b3b76b84fc62b4f8660e4b6e32510c70db5b00ddccfcf4a41a1c5416b974b282cb375b60222884f3c04e9e97cf6f86223f93cadf3d45ebc641c6d703f077c

Download Submit
\Users\Admin\AppData\Local\Temp\BCMakeCert.dll

Filesize
474KB

MD5
5d895d1c6cee56d206b6cd973479638d

SHA1
08fa15d13454b1113d3818133f7a10f3cb3dd451

SHA256
bcfc362b42422cede445c8a119d454484b3842eb808b7ddf1b5aeb7242e06abb

SHA512
8f2b3b76b84fc62b4f8660e4b6e32510c70db5b00ddccfcf4a41a1c5416b974b282cb375b60222884f3c04e9e97cf6f86223f93cadf3d45ebc641c6d703f077c

Download Submit
\Users\Admin\AppData\Local\Temp\CertMaker.dll

Filesize
44KB

MD5
eccc93a46c56da30635aab9946d3773a

SHA1
ebd3dc61655b938fbfc9371f8e3ba87e5c718caf

SHA256
476a9a6ccf39353ca004118829dda91ff771906ea18f5db7db9a73044dda3bd8

SHA512
4ad695ebeaa66cc19066431e86cd1064d0ac359733452effac36dcb98aafd4a5c7ce31925baaf33964520daf4e78718bf6a2294fd323ee33f1e8eddd311cca5c

Download Submit
\Users\Admin\AppData\Local\Temp\CertMaker.dll

Filesize
44KB

MD5
eccc93a46c56da30635aab9946d3773a

SHA1
ebd3dc61655b938fbfc9371f8e3ba87e5c718caf

SHA256
476a9a6ccf39353ca004118829dda91ff771906ea18f5db7db9a73044dda3bd8

SHA512
4ad695ebeaa66cc19066431e86cd1064d0ac359733452effac36dcb98aafd4a5c7ce31925baaf33964520daf4e78718bf6a2294fd323ee33f1e8eddd311cca5c

Download Submit
\Users\Admin\AppData\Local\Temp\CertMaker.dll

Filesize
44KB

MD5
eccc93a46c56da30635aab9946d3773a

SHA1
ebd3dc61655b938fbfc9371f8e3ba87e5c718caf

SHA256
476a9a6ccf39353ca004118829dda91ff771906ea18f5db7db9a73044dda3bd8

SHA512
4ad695ebeaa66cc19066431e86cd1064d0ac359733452effac36dcb98aafd4a5c7ce31925baaf33964520daf4e78718bf6a2294fd323ee33f1e8eddd311cca5c

Download Submit
\Users\Admin\AppData\Local\Temp\CertMaker.dll

Filesize
44KB

MD5
eccc93a46c56da30635aab9946d3773a

SHA1
ebd3dc61655b938fbfc9371f8e3ba87e5c718caf

SHA256
476a9a6ccf39353ca004118829dda91ff771906ea18f5db7db9a73044dda3bd8

SHA512
4ad695ebeaa66cc19066431e86cd1064d0ac359733452effac36dcb98aafd4a5c7ce31925baaf33964520daf4e78718bf6a2294fd323ee33f1e8eddd311cca5c

Download Submit
\Users\Admin\AppData\Local\Temp\FiddlerCore4.dll

Filesize
505KB

MD5
79fe5228b7ccdc88cf7ddba2893ea71f

SHA1
4313028e5354d66be81fd2103a16b16e1ad1a6f3

SHA256
5850d403352d76e7f7ebda93a7bff5ab1ea57c91a54a2f6c2cfaf1c9d356d55f

SHA512
f46380ccd2fcb8246206f176f17c1931d57c3bc1312c95e059cf9feab4bc392ad31fa6ffc6a1dac3b0bd70c5393ab1c2cf21729e357cb7c523d487dd92aacac3

Download Submit
\Users\Admin\AppData\Local\Temp\FiddlerCore4.dll

Filesize
505KB

MD5
79fe5228b7ccdc88cf7ddba2893ea71f

SHA1
4313028e5354d66be81fd2103a16b16e1ad1a6f3

SHA256
5850d403352d76e7f7ebda93a7bff5ab1ea57c91a54a2f6c2cfaf1c9d356d55f

SHA512
f46380ccd2fcb8246206f176f17c1931d57c3bc1312c95e059cf9feab4bc392ad31fa6ffc6a1dac3b0bd70c5393ab1c2cf21729e357cb7c523d487dd92aacac3

Download Submit
\Users\Admin\AppData\Local\Temp\efd.dll

Filesize
37KB

MD5
5df37d5f681e6510d70a7980ec1bd1ed

SHA1
4a6832c6ee35d6b834847a9c648edc028ea0d30f

SHA256
932cb9dd22637532df47ed17f529649d959a7115077820d7e856299321d53a4b

SHA512
2d13020417f9069a060561fefc2c3ee4519548b12ce0db4ece4447f6ad89e18c8677d8e89bc63cfe88a0145ed194c08dced82c5736e0b85d804dd7a0cb708d5c

Download Submit
\Users\Admin\AppData\Local\Temp\efd.dll

Filesize
37KB

MD5
5df37d5f681e6510d70a7980ec1bd1ed

SHA1
4a6832c6ee35d6b834847a9c648edc028ea0d30f

SHA256
932cb9dd22637532df47ed17f529649d959a7115077820d7e856299321d53a4b

SHA512
2d13020417f9069a060561fefc2c3ee4519548b12ce0db4ece4447f6ad89e18c8677d8e89bc63cfe88a0145ed194c08dced82c5736e0b85d804dd7a0cb708d5c

Download Submit
\Users\Admin\AppData\Local\Temp\efd.dll

Filesize
37KB

MD5
5df37d5f681e6510d70a7980ec1bd1ed

SHA1
4a6832c6ee35d6b834847a9c648edc028ea0d30f

SHA256
932cb9dd22637532df47ed17f529649d959a7115077820d7e856299321d53a4b

SHA512
2d13020417f9069a060561fefc2c3ee4519548b12ce0db4ece4447f6ad89e18c8677d8e89bc63cfe88a0145ed194c08dced82c5736e0b85d804dd7a0cb708d5c

Download Submit
memory/2596-69-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2596-66-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2596-81-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2596-79-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2596-76-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2596-91-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2596-89-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2596-86-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2596-74-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2596-71-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2596-136-0x0000000003BC0000-0x0000000003C00000-memory.dmp

Filesize
256KB

Download
memory/2596-140-0x0000000003B20000-0x0000000003B2D000-memory.dmp

Filesize
52KB

Download
memory/2596-54-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2596-67-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2596-141-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-84-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2596-61-0x0000000000400000-0x00000000014D6000-memory.dmp

Filesize
16.8MB

Download
memory/2596-145-0x0000000006CD0000-0x0000000006D52000-memory.dmp

Filesize
520KB

Download
memory/2596-63-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2596-64-0x00000000774E0000-0x00000000774E1000-memory.dmp

Filesize
4KB

Download
memory/2596-149-0x0000000003BB0000-0x0000000003BBE000-memory.dmp

Filesize
56KB

Download
memory/2596-60-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2596-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2596-154-0x0000000003BB0000-0x0000000003BBE000-memory.dmp

Filesize
56KB

Download
memory/2596-56-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2596-57-0x0000000000400000-0x00000000014D6000-memory.dmp

Filesize
16.8MB

Download
memory/2596-158-0x0000000007040000-0x00000000070BA000-memory.dmp

Filesize
488KB

Download
memory/2596-159-0x0000000000400000-0x00000000014D6000-memory.dmp

Filesize
16.8MB

Download
memory/2596-162-0x0000000003BC0000-0x0000000003C00000-memory.dmp

Filesize
256KB

Download
memory/2596-163-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download