9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b

Analysis

max time kernel
14s
max time network
47s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/08/2023, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe
Size

536KB
MD5

bd872ddd903a1e56e1f512f96323a91b
SHA1

83befe1f65e355d8c675f891999574288a96c989
SHA256

9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b
SHA512

9833946c05afcdb47c646e88d387c28acd9e068c9a87ea25671acf1b6832271996b1c437a95e2326695744d60fa018713f8e93cd42273cdc833d285f7d6877c5
SSDEEP

12288:3oBUS7SwpvY5ZYJ7dB+bmY5ZAUXyzOkx2LIa:YiS7NkqxB+HSOkx2LF

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1260 created 424	1260	Explorer.EXE	3
PID 1260 created 424	1260	Explorer.EXE	3

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\0SG0Ki1.sys	FXSSVC.exe

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2588	autochk.exe
2804	FXSSVC.exe

Loads dropped DLL 1 IoCs

pid	Process
1260	Explorer.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-54-0x0000000000950000-0x0000000000A52000-memory.dmp	upx
behavioral1/memory/2140-90-0x0000000000950000-0x0000000000A52000-memory.dmp	upx
behavioral1/memory/2140-128-0x0000000000950000-0x0000000000A52000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	FXSSVC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	FXSSVC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	FXSSVC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	FXSSVC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	FXSSVC.exe
File created	C:\Windows\system32\ \Windows\System32\4oUqMDs.sys	FXSSVC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	FXSSVC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	FXSSVC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	FXSSVC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	FXSSVC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	FXSSVC.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\autochk.exe	Explorer.EXE
File opened for modification	C:\Program Files\Common Files\autochk.exe	Explorer.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logs\FXSSVC.exe	Explorer.EXE
File created	C:\Windows\TfF3o9f.sys	FXSSVC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2760	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0DB09EC3-A2EE-4A89-AE78-8C3D1B98237E}	FXSSVC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-6a-17-70-65-e7\WpadDecisionTime = 3020b97557d5d901	FXSSVC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	FXSSVC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-6a-17-70-65-e7	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0DB09EC3-A2EE-4A89-AE78-8C3D1B98237E}\76-6a-17-70-65-e7	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	FXSSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0DB09EC3-A2EE-4A89-AE78-8C3D1B98237E}\WpadDecision = "0"	FXSSVC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0DB09EC3-A2EE-4A89-AE78-8C3D1B98237E}\WpadNetworkName = "Network 3"	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	FXSSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0DB09EC3-A2EE-4A89-AE78-8C3D1B98237E}\WpadDecisionReason = "1"	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	FXSSVC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	FXSSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	FXSSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-6a-17-70-65-e7\WpadDecisionReason = "1"	FXSSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	FXSSVC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	FXSSVC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	FXSSVC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	FXSSVC.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	FXSSVC.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0DB09EC3-A2EE-4A89-AE78-8C3D1B98237E}\WpadDecisionTime = 3020b97557d5d901	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	FXSSVC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	FXSSVC.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	FXSSVC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FXSSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	FXSSVC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	FXSSVC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FXSSVC.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe
2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe
Token: SeTcbPrivilege	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe
Token: SeDebugPrivilege	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeTcbPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeIncBasePriorityPrivilege	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe
Token: SeDebugPrivilege	2804	FXSSVC.exe
Token: SeDebugPrivilege	2804	FXSSVC.exe
Token: SeDebugPrivilege	2804	FXSSVC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1260	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe	11
PID 2140 wrote to memory of 1260	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe	11
PID 2140 wrote to memory of 1260	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe	11
PID 1260 wrote to memory of 2804	1260	Explorer.EXE	29
PID 1260 wrote to memory of 2804	1260	Explorer.EXE	29
PID 1260 wrote to memory of 2804	1260	Explorer.EXE	29
PID 1260 wrote to memory of 2804	1260	Explorer.EXE	29
PID 1260 wrote to memory of 2804	1260	Explorer.EXE	29
PID 1260 wrote to memory of 2804	1260	Explorer.EXE	29
PID 1260 wrote to memory of 2804	1260	Explorer.EXE	29
PID 1260 wrote to memory of 2804	1260	Explorer.EXE	29
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 2140 wrote to memory of 2692	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe	33
PID 2140 wrote to memory of 2692	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe	33
PID 2140 wrote to memory of 2692	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe	33
PID 2140 wrote to memory of 2692	2140	9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe	33
PID 2692 wrote to memory of 2760	2692	cmd.exe	31
PID 2692 wrote to memory of 2760	2692	cmd.exe	31
PID 2692 wrote to memory of 2760	2692	cmd.exe	31
PID 2692 wrote to memory of 2760	2692	cmd.exe	31

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424
- C:\Program Files\Common Files\autochk.exe
  "C:\Program Files\Common Files\autochk.exe"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\Logs\FXSSVC.exe
  "C:\Windows\Logs\FXSSVC.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe
  "C:\Users\Admin\AppData\Local\Temp\9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\9e70b80b3e6a59fcf20958082769f40d72c7beb0e1873b61461febdaf0d41d7b.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2692

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
1⤵
- Delays execution with timeout.exe
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\autochk.exe

Filesize
759KB

MD5
3b536a8bec3b4f23ffdfd78b11a2ab93

SHA1
a017204d7e47bc183d81dcabf047dea32b120343

SHA256
7bc847ce6c2d29c334f0d1600bbbde3933ff45f6bee5186f442e6270a3f9ec4e

SHA512
8465927d1e50ee51b6ffc47a198b7f5c2687a1768f7d52213c978160383e68abf8bf23d2142b9a1dc87e7e438ac815c576432572f36b32790b6291d08111ba3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Windows\Logs\FXSSVC.exe

Filesize
673KB

MD5
dbefd454f8318a0ef691fdd2eaab44eb

SHA1
3b37b281eed08998c37563c90c3fb6f784d34b6c

SHA256
7f52ae222ff28503b6fc4a5852bd0caeaf187be69af4b577d3de474c24366099

SHA512
a0259c3bc6c3fea22290b46472ee24783dae88c95a3d36502cb6a897d02cb367e29067469c13ab7493d278b7d3a80dd56b9716f6efc1da72b067f62af4e53cfe

Download Submit
\Windows\Logs\FXSSVC.exe

Filesize
673KB

MD5
dbefd454f8318a0ef691fdd2eaab44eb

SHA1
3b37b281eed08998c37563c90c3fb6f784d34b6c

SHA256
7f52ae222ff28503b6fc4a5852bd0caeaf187be69af4b577d3de474c24366099

SHA512
a0259c3bc6c3fea22290b46472ee24783dae88c95a3d36502cb6a897d02cb367e29067469c13ab7493d278b7d3a80dd56b9716f6efc1da72b067f62af4e53cfe

Download Submit
memory/424-115-0x00000000003B0000-0x00000000003D1000-memory.dmp

Filesize
132KB

Download
memory/424-127-0x0000000000800000-0x0000000000828000-memory.dmp

Filesize
160KB

Download
memory/424-125-0x0000000000310000-0x0000000000313000-memory.dmp

Filesize
12KB

Download
memory/1260-91-0x0000000007420000-0x0000000007519000-memory.dmp

Filesize
996KB

Download
memory/1260-85-0x0000000003890000-0x0000000003893000-memory.dmp

Filesize
12KB

Download
memory/1260-57-0x0000000002AC0000-0x0000000002AC3000-memory.dmp

Filesize
12KB

Download
memory/1260-92-0x0000000003A70000-0x0000000003AE9000-memory.dmp

Filesize
484KB

Download
memory/1260-88-0x0000000003890000-0x0000000003893000-memory.dmp

Filesize
12KB

Download
memory/1260-55-0x0000000002AC0000-0x0000000002AC3000-memory.dmp

Filesize
12KB

Download
memory/1260-79-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/1260-151-0x0000000007420000-0x0000000007519000-memory.dmp

Filesize
996KB

Download
memory/1260-77-0x0000000007280000-0x0000000007374000-memory.dmp

Filesize
976KB

Download
memory/1260-56-0x0000000003A70000-0x0000000003AE9000-memory.dmp

Filesize
484KB

Download
memory/1260-59-0x0000000003A70000-0x0000000003AE9000-memory.dmp

Filesize
484KB

Download
memory/2140-128-0x0000000000950000-0x0000000000A52000-memory.dmp

Filesize
1.0MB

Download
memory/2140-54-0x0000000000950000-0x0000000000A52000-memory.dmp

Filesize
1.0MB

Download
memory/2140-90-0x0000000000950000-0x0000000000A52000-memory.dmp

Filesize
1.0MB

Download
memory/2804-114-0x000007FEBF810000-0x000007FEBF820000-memory.dmp

Filesize
64KB

Download
memory/2804-113-0x0000000002000000-0x00000000020CB000-memory.dmp

Filesize
812KB

Download
memory/2804-111-0x0000000002000000-0x00000000020CB000-memory.dmp

Filesize
812KB

Download
memory/2804-110-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/2804-99-0x0000000000060000-0x0000000000123000-memory.dmp

Filesize
780KB

Download
memory/2804-178-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/2804-180-0x0000000002000000-0x00000000020CB000-memory.dmp

Filesize
812KB

Download
memory/2804-181-0x0000000000800000-0x0000000000828000-memory.dmp

Filesize
160KB

Download