b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20-08-2023 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
Size

1.2MB
MD5

72454df7224a37d549040cbe80a7a566
SHA1

d6e9e453d29240f808a8117d1483902dfaea818d
SHA256

b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95
SHA512

0e5ac43e1c0deac2f3635246c803e5bae14e4013b016243bc2d2ba12ba428a523fce0f8baf40155a45ae02b6ef90e5e5268670e6d814eb7e3b797b08122985be
SSDEEP

24576:NP9lAcnmHhyNsO11OsKKwvvYyyahDSVXT5X:NEcnihyNJ1IoyvV1GXT5X

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
Token: SeDebugPrivilege	1944	b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe

C:\Users\Admin\AppData\Local\Temp\b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe
"C:\Users\Admin\AppData\Local\Temp\b4bc8a8e4787a9811407772604e2b5114ec92daf2f9bf6451cae6317f7506f95.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f149213b3e24f106a4c5d8af7ee096a

SHA1
beb1443ec07d3a66674c8eea26e0101af48abbc8

SHA256
fb8e890969fc899816fc928f38bd00ac18a395a6fb079dc9554398a0406f44c8

SHA512
dbb63aec8dcd01e332a24b4e4aa1829422df6c42461c36e57d55782c37501f0187ba5d55b250c54d040d73be0cf31b3e273cfcc5dd12101185e3a177816817cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
320ac73a877d7d5fa345c8494d3db128

SHA1
cf81f1637ee736dd3daf7b2ae8f59a9fd8ed4744

SHA256
8f72c25cc99642d0461c9bc92f0842033d17146917857c15f95d1134084afc0d

SHA512
758e0fd489071006272ec300152c5c5cdaa1ca043c1bdaa7f1a2528d5570bbd31aadb2aafac8c22cb39140c8b8b596875f25340be8c53c85761dbe0fe58bfc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE7B2.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE9D9.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/1944-59-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-57-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-60-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1944-61-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1944-62-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-66-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-67-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-54-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/1944-87-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-86-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-58-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-55-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1944-56-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-182-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-186-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/1944-187-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download