5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25/08/2023, 23:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Size

2.1MB
MD5

a614f22998fa7982527b9b61d091e864
SHA1

c95eca1aea9d5bc391b599aa3954cfdd12b85bbb
SHA256

5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df
SHA512

0863b4517ee8648525247e8512f8df26b5f2e5bc0962610c52748d52ef28ef913db80679914f61708aea8608b525e77c710e08ee0c850d98232fffeed2f5ea46
SSDEEP

24576:C4ZIiDRSOwO4pMqhwDaudNGDh5SYWia0RZGvJ1LqBRffecaR3554WCHBIZr40Q5k:CRsHa7tWJvJqJ1aRJWWCh+Q3Jzgp

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 1	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeCreateTokenPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeAssignPrimaryTokenPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeLockMemoryPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeIncreaseQuotaPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeMachineAccountPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeTcbPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeSecurityPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeTakeOwnershipPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeLoadDriverPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeSystemProfilePrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeSystemtimePrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeProfSingleProcessPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeIncBasePriorityPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeCreatePagefilePrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeCreatePermanentPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeBackupPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeRestorePrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeShutdownPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeDebugPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeAuditPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeSystemEnvironmentPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeChangeNotifyPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeRemoteShutdownPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeUndockPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeSyncAgentPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeEnableDelegationPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeManageVolumePrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeImpersonatePrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: SeCreateGlobalPrivilege	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 31	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 32	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 33	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 34	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 35	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 36	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 37	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 38	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 39	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 40	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 41	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 42	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 43	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 44	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 45	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 46	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 47	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
Token: 48	2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
2780	5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe

C:\Users\Admin\AppData\Local\Temp\5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe
"C:\Users\Admin\AppData\Local\Temp\5df7764b9dfe34172d37a51e22ccf0fac5d6891add0d083a31ce014f652768df.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2780-6-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/2780-7-0x0000000002A20000-0x0000000002B21000-memory.dmp

Filesize
1.0MB

Download