ce829d4833ecf7aa182a0b474207c51d7f870208449b5064e546f6496912b4aa

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 18:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

abc.exe
Size

20.8MB
MD5

02e754c0da0c44cc6c278a2ea406ec23
SHA1

a8b8b4dc77b6c957b96597e9d48eabc6be684bab
SHA256

ce829d4833ecf7aa182a0b474207c51d7f870208449b5064e546f6496912b4aa
SHA512

56e97f53a2bf5f5a484a1b17471c408c7370bfc71e84e0080cf4352acccd3809997a9ebc0c47e13521c9c06e2061b246ee3b2c6d7f4fb3a1d9b182f67ef890da
SSDEEP

393216:qdjhYSpz4MeBTyKaMszgQEQ2y3o43eWfOQ4UzEKwCPEs8TrTv/hnJwkC:Yf6r9uO2zZLPUnTv5E

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2472	rar.exe

Loads dropped DLL 1 IoCs

pid	Process
2564	abc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	abc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	abc.exe

Runs .reg file with regedit 3 IoCs

pid	Process
612	regedit.exe
444	regedit.exe
2464	regedit.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	abc.exe
Token: 1	2564	abc.exe
Token: SeCreateTokenPrivilege	2564	abc.exe
Token: SeAssignPrimaryTokenPrivilege	2564	abc.exe
Token: SeLockMemoryPrivilege	2564	abc.exe
Token: SeIncreaseQuotaPrivilege	2564	abc.exe
Token: SeMachineAccountPrivilege	2564	abc.exe
Token: SeTcbPrivilege	2564	abc.exe
Token: SeSecurityPrivilege	2564	abc.exe
Token: SeTakeOwnershipPrivilege	2564	abc.exe
Token: SeLoadDriverPrivilege	2564	abc.exe
Token: SeSystemProfilePrivilege	2564	abc.exe
Token: SeSystemtimePrivilege	2564	abc.exe
Token: SeProfSingleProcessPrivilege	2564	abc.exe
Token: SeIncBasePriorityPrivilege	2564	abc.exe
Token: SeCreatePagefilePrivilege	2564	abc.exe
Token: SeCreatePermanentPrivilege	2564	abc.exe
Token: SeBackupPrivilege	2564	abc.exe
Token: SeRestorePrivilege	2564	abc.exe
Token: SeShutdownPrivilege	2564	abc.exe
Token: SeDebugPrivilege	2564	abc.exe
Token: SeAuditPrivilege	2564	abc.exe
Token: SeSystemEnvironmentPrivilege	2564	abc.exe
Token: SeChangeNotifyPrivilege	2564	abc.exe
Token: SeRemoteShutdownPrivilege	2564	abc.exe
Token: SeUndockPrivilege	2564	abc.exe
Token: SeSyncAgentPrivilege	2564	abc.exe
Token: SeEnableDelegationPrivilege	2564	abc.exe
Token: SeManageVolumePrivilege	2564	abc.exe
Token: SeImpersonatePrivilege	2564	abc.exe
Token: SeCreateGlobalPrivilege	2564	abc.exe
Token: 31	2564	abc.exe
Token: 32	2564	abc.exe
Token: 33	2564	abc.exe
Token: 34	2564	abc.exe
Token: 35	2564	abc.exe
Token: 36	2564	abc.exe
Token: 37	2564	abc.exe
Token: 38	2564	abc.exe
Token: 39	2564	abc.exe
Token: 40	2564	abc.exe
Token: 41	2564	abc.exe
Token: 42	2564	abc.exe
Token: 43	2564	abc.exe
Token: 44	2564	abc.exe
Token: 45	2564	abc.exe
Token: 46	2564	abc.exe
Token: 47	2564	abc.exe
Token: 48	2564	abc.exe
Token: SeDebugPrivilege	2564	abc.exe
Token: SeBackupPrivilege	1660	Robocopy.exe
Token: SeRestorePrivilege	1660	Robocopy.exe
Token: SeSecurityPrivilege	1660	Robocopy.exe
Token: SeTakeOwnershipPrivilege	1660	Robocopy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2564	abc.exe
2564	abc.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2644	2564	abc.exe	28
PID 2564 wrote to memory of 2644	2564	abc.exe	28
PID 2564 wrote to memory of 2644	2564	abc.exe	28
PID 2564 wrote to memory of 2644	2564	abc.exe	28
PID 2564 wrote to memory of 2472	2564	abc.exe	30
PID 2564 wrote to memory of 2472	2564	abc.exe	30
PID 2564 wrote to memory of 2472	2564	abc.exe	30
PID 2564 wrote to memory of 2472	2564	abc.exe	30
PID 2564 wrote to memory of 1300	2564	abc.exe	32
PID 2564 wrote to memory of 1300	2564	abc.exe	32
PID 2564 wrote to memory of 1300	2564	abc.exe	32
PID 2564 wrote to memory of 1300	2564	abc.exe	32
PID 2564 wrote to memory of 612	2564	abc.exe	34
PID 2564 wrote to memory of 612	2564	abc.exe	34
PID 2564 wrote to memory of 612	2564	abc.exe	34
PID 2564 wrote to memory of 612	2564	abc.exe	34
PID 1300 wrote to memory of 1660	1300	cmd.exe	35
PID 1300 wrote to memory of 1660	1300	cmd.exe	35
PID 1300 wrote to memory of 1660	1300	cmd.exe	35
PID 1300 wrote to memory of 1660	1300	cmd.exe	35
PID 2564 wrote to memory of 444	2564	abc.exe	36
PID 2564 wrote to memory of 444	2564	abc.exe	36
PID 2564 wrote to memory of 444	2564	abc.exe	36
PID 2564 wrote to memory of 444	2564	abc.exe	36
PID 2564 wrote to memory of 2464	2564	abc.exe	37
PID 2564 wrote to memory of 2464	2564	abc.exe	37
PID 2564 wrote to memory of 2464	2564	abc.exe	37
PID 2564 wrote to memory of 2464	2564	abc.exe	37

C:\Users\Admin\AppData\Local\Temp\abc.exe
"C:\Users\Admin\AppData\Local\Temp\abc.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\ys\ys_resources\regDLL.bat
  2⤵
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\rar.exe
  "C:\Users\Admin\AppData\Local\Temp\rar.exe" x -iext -ow -o+ "C:\Users\Admin\AppData\Local\Temp\pic.rar" "C:\Users\Admin\AppData\Local\Temp\" -psxy
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c robocopy Z:\D\YS C:\YS /e /copyall
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\Robocopy.exe
    robocopy Z:\D\YS C:\YS /e /copyall
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\SysWOW64\regedit.exe
  regedit -s C:\Users\Admin\AppData\Local\Temp\pic\sc.reg
  2⤵
  - Runs .reg file with regedit
  PID:612
- C:\Windows\SysWOW64\regedit.exe
  regedit -s C:\Users\Admin\AppData\Local\Temp\pic\gf.reg
  2⤵
  - Runs .reg file with regedit
  PID:444
- C:\Windows\SysWOW64\regedit.exe
  regedit -s C:\Users\Admin\AppData\Local\Temp\pic\gjf.reg
  2⤵
  - Runs .reg file with regedit
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pic.rar

Filesize
493KB

MD5
eb2526f9a1952f9605e7f26a842eee2f

SHA1
f7667eab6f33071052f3fc9c6b75e99b07dadbe6

SHA256
ac10abd01cb9d58f992e6badccae5470e80e0f5807508109a9f929c57fde17b3

SHA512
a096eaa827774a53850d4f8718c10cf19106f634b731852f34c324b76f44062e103214fe2a22e24b5d9a72264708f3918150b6ff696186d320e310dc3ae0ef0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic\1.txt

Filesize
25KB

MD5
ce05aeee9d6506c8f8c223baf39707f2

SHA1
647428c771635fcf23ce1564460a4878519e9e61

SHA256
14c8c6fdc2a01a3e99299cc42494902364db06a74626bfb2431b155901cc2da5

SHA512
5c70fd9156a11a741fdf701e05535d7e9833e6e69846ca7bc3e8be35a96f1a1a5d957bfeb2baac174a52c70bffd110379c0b23b9b731c4fcfa1249ff05bf1ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic\3.txt

Filesize
13KB

MD5
a3677a0cd40977dfc1305334d8627ca5

SHA1
1704c3c90ba6222fc5996e8fa5755c3d0c4d9b5d

SHA256
3b0eb9c21faca4a884e8984c2ab675ccab1a88f43da769925660ca1a5dc3471d

SHA512
89ff0b70bd0aad8db2eb85164212d3199a0b936bffdbb99a3789a000845c2144c53de278e299f6ab19783650e91628d69e066641e4a71857f3cad66319d87edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic\4.txt

Filesize
21KB

MD5
10fdd0340ec2864e3851c4ae8dbba99c

SHA1
741fcd847f8229e57937b932f95370505bcb77c5

SHA256
72f3d35d52051e4a3a156dfeda1a3c4f8d2c9ea32367d1f85a8fec9618bc2ac0

SHA512
2733a03c949f0d642ec83a19f3511c63b507746c2b8520ab0d6327ffd70b5a98f46ab65f7c8077d14c513a28415e20bc4b2ec45a62c5a522c974646f702300d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic\gf.reg

Filesize
1KB

MD5
2aa4fd65a7c0512eb7f65605084e09c3

SHA1
66ffb415a68faa7691d13510683fb1584f6b651c

SHA256
378c87085012770b1dfbcc0a8eced856e05e5f67d35ac52f1b5b53c2038a0813

SHA512
7f46369a04348b523c4590fe77e4c70f828003ea8971b55626059c2489b70889208c69b7c395ac711ab86aaef4b4f691a9c39ba43bb39d19e585ce28f3b186a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic\gjf.reg

Filesize
1KB

MD5
900a8868b7322429148265e0814770aa

SHA1
be6f3cf8ab3cc9ff872b84ce98d7a54e481ed932

SHA256
684956781eef2a059574916bd06691e6b81e0d3e2d0a59c3958fef433e3a5c4b

SHA512
b286ee3993eedae6f8d607b9698f22bd5abd1b0e73d207487f73efe285953d8e72410f784540573c094cd6c5dddf7900a5f0a72907f0c3d02228639fbe490001

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic\sc.reg

Filesize
236B

MD5
e0b5ae70e4218f37427a4284013892db

SHA1
c49846030ed7592e1fdb6fc34bb909b45308ea1f

SHA256
901b529933a98ad905e7adc09e1816ad7a4bd346add4156447b9d0d46565bc5c

SHA512
814d56aca96a7f28638132b2a2777f7ea790b21dd1da4fdb83ceb78a9c144bab011a81652a8766dd83d595474747636298237ab8e9fd2751d47ea43428005d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pic\欧服1.bmp

Filesize
1KB

MD5
b1ab9e344f0ee1c9ebf183ccde590de4

SHA1
a9e37dfb7f41a8c417bf0cb5707db238d230127c

SHA256
0102261f18806549ac4bd9ccd19f36adb7d4f5576a978e294bbe620993d083fa

SHA512
6a530de68fcb7330cd6378b243417b7ae9d4943c3a87e5058dac340575cdb1f10b7be50490af60d22aa5eee1fe02023c43b46701c6b24b26fc40ee49c8427545

Download Submit
C:\Users\Admin\AppData\Local\Temp\rar.exe

Filesize
411KB

MD5
a88fa89a5d81958246c52245fa00d654

SHA1
25074e75745873d4d4aa685273d69049127757c2

SHA256
fbade60d16b120a4cfc84bf65e0b80239f49accb2aa063283ae3c8e33df40738

SHA512
791febeecfdfb2131ea942718e2ce081db83ace5309ceca6c2e08a3f1bd6b563b791e07f9606ab77328dc9b031b1a3d137e69b2226d9b5a79b5dc8d4b8dff5b8

Download Submit
\Users\Admin\AppData\Local\Temp\rar.exe

Filesize
411KB

MD5
a88fa89a5d81958246c52245fa00d654

SHA1
25074e75745873d4d4aa685273d69049127757c2

SHA256
fbade60d16b120a4cfc84bf65e0b80239f49accb2aa063283ae3c8e33df40738

SHA512
791febeecfdfb2131ea942718e2ce081db83ace5309ceca6c2e08a3f1bd6b563b791e07f9606ab77328dc9b031b1a3d137e69b2226d9b5a79b5dc8d4b8dff5b8

Download Submit
memory/2564-0-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download
memory/2564-7-0x00000000038F0000-0x00000000039F1000-memory.dmp

Filesize
1.0MB

Download
memory/2564-1003-0x0000000010000000-0x000000001003C000-memory.dmp

Filesize
240KB

Download