9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9

Analysis

max time kernel
146s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe
Size

889KB
MD5

771b63756e09ab724dc4ae1c58d4cee4
SHA1

891f864d16cdfe0e24e87089fed7ddd74de3f181
SHA256

9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9
SHA512

596c07a404a1972e9892c288348fbc0605fdeb9a58af5df4be5cab86c1f1da5d073c64b5844314d595a1f6143a0c8567156d1d66e85b0d7f0fae9be74498fb2c
SSDEEP

6144:PJ1etoAWIVpTiAKhft1JEqwLcEOkCybEaQRXr9HNdvOa7AXGSqLr4Eza:hAoo7i5FMqwTOkx2LIa0EC

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2484	edd61628
2872	tabcal.exe

Loads dropped DLL 1 IoCs

pid	Process
1180	Explorer.EXE

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1032-0-0x0000000000C30000-0x0000000000CBE000-memory.dmp	upx
behavioral1/files/0x000900000001201c-2.dat	upx
behavioral1/memory/2484-3-0x0000000000E20000-0x0000000000EAE000-memory.dmp	upx
behavioral1/memory/1032-4-0x0000000000C30000-0x0000000000CBE000-memory.dmp	upx
behavioral1/memory/2484-6-0x0000000000E20000-0x0000000000EAE000-memory.dmp	upx
behavioral1/memory/2484-45-0x0000000000E20000-0x0000000000EAE000-memory.dmp	upx
behavioral1/memory/1032-54-0x0000000000C30000-0x0000000000CBE000-memory.dmp	upx
behavioral1/memory/2484-58-0x0000000000E20000-0x0000000000EAE000-memory.dmp	upx
behavioral1/memory/2484-96-0x0000000000E20000-0x0000000000EAE000-memory.dmp	upx
behavioral1/files/0x000900000001201c-97.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	edd61628
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	edd61628
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	edd61628
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	edd61628
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	edd61628
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	edd61628
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	edd61628
File created	C:\Windows\Syswow64\edd61628	9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	edd61628
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	edd61628

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Inf\tabcal.exe	Explorer.EXE
File opened for modification	C:\Windows\Inf\tabcal.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2208	timeout.exe
1780	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	edd61628
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-f2-33-d9-e1-39\WpadDecision = "0"	edd61628
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	edd61628
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF134DD9-537B-404B-A3ED-CA719A97378C}\WpadDecisionTime = d06907bb30ded901	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF134DD9-537B-404B-A3ED-CA719A97378C}\7a-f2-33-d9-e1-39	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	edd61628
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-f2-33-d9-e1-39\WpadDecisionTime = d06907bb30ded901	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	edd61628
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	edd61628
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	edd61628
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00db000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	edd61628
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF134DD9-537B-404B-A3ED-CA719A97378C}\WpadDecisionReason = "1"	edd61628
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	edd61628
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	edd61628
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	edd61628
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	edd61628
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF134DD9-537B-404B-A3ED-CA719A97378C}\WpadDecision = "0"	edd61628
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-f2-33-d9-e1-39\WpadDecisionReason = "1"	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF134DD9-537B-404B-A3ED-CA719A97378C}	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	edd61628
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-f2-33-d9-e1-39	edd61628
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	edd61628
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	edd61628
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	edd61628

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	edd61628
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	edd61628
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	edd61628
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	edd61628

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2484	edd61628
2484	edd61628
2484	edd61628
2484	edd61628
2484	edd61628
2484	edd61628
2484	edd61628
2484	edd61628
2484	edd61628
2484	edd61628
2484	edd61628
2484	edd61628
1180	Explorer.EXE
1180	Explorer.EXE
1180	Explorer.EXE
2484	edd61628
1180	Explorer.EXE
1180	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1180	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe
Token: SeTcbPrivilege	1032	9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe
Token: SeDebugPrivilege	2484	edd61628
Token: SeTcbPrivilege	2484	edd61628
Token: SeDebugPrivilege	2484	edd61628
Token: SeDebugPrivilege	1180	Explorer.EXE
Token: SeDebugPrivilege	1180	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1032	9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe
Token: SeDebugPrivilege	2484	edd61628
Token: SeDebugPrivilege	1180	Explorer.EXE
Token: SeIncBasePriorityPrivilege	2484	edd61628

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1180	2484	edd61628	15
PID 2484 wrote to memory of 1180	2484	edd61628	15
PID 2484 wrote to memory of 1180	2484	edd61628	15
PID 2484 wrote to memory of 1180	2484	edd61628	15
PID 2484 wrote to memory of 1180	2484	edd61628	15
PID 1180 wrote to memory of 2872	1180	Explorer.EXE	29
PID 1180 wrote to memory of 2872	1180	Explorer.EXE	29
PID 1180 wrote to memory of 2872	1180	Explorer.EXE	29
PID 1180 wrote to memory of 2872	1180	Explorer.EXE	29
PID 1180 wrote to memory of 2872	1180	Explorer.EXE	29
PID 1180 wrote to memory of 2872	1180	Explorer.EXE	29
PID 1180 wrote to memory of 2872	1180	Explorer.EXE	29
PID 1180 wrote to memory of 2872	1180	Explorer.EXE	29
PID 2484 wrote to memory of 424	2484	edd61628	3
PID 2484 wrote to memory of 424	2484	edd61628	3
PID 2484 wrote to memory of 424	2484	edd61628	3
PID 2484 wrote to memory of 424	2484	edd61628	3
PID 2484 wrote to memory of 424	2484	edd61628	3
PID 1032 wrote to memory of 2816	1032	9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe	32
PID 1032 wrote to memory of 2816	1032	9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe	32
PID 1032 wrote to memory of 2816	1032	9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe	32
PID 1032 wrote to memory of 2816	1032	9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe	32
PID 2816 wrote to memory of 2208	2816	cmd.exe	33
PID 2816 wrote to memory of 2208	2816	cmd.exe	33
PID 2816 wrote to memory of 2208	2816	cmd.exe	33
PID 2816 wrote to memory of 2208	2816	cmd.exe	33
PID 2484 wrote to memory of 1352	2484	edd61628	36
PID 2484 wrote to memory of 1352	2484	edd61628	36
PID 2484 wrote to memory of 1352	2484	edd61628	36
PID 2484 wrote to memory of 1352	2484	edd61628	36
PID 1352 wrote to memory of 1780	1352	cmd.exe	38
PID 1352 wrote to memory of 1780	1352	cmd.exe	38
PID 1352 wrote to memory of 1780	1352	cmd.exe	38
PID 1352 wrote to memory of 1780	1352	cmd.exe	38

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe
  "C:\Users\Admin\AppData\Local\Temp\9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\9ac9567d900573922ecadc81a165acb92d638fbc2eafe98f2d574e0e7f8428b9.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2208
- C:\Windows\Inf\tabcal.exe
  "C:\Windows\Inf\tabcal.exe"
  2⤵
  - Executes dropped EXE
  PID:2872

C:\Windows\Syswow64\edd61628
C:\Windows\Syswow64\edd61628
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\edd61628"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tar94A2.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\SysWOW64\edd61628

Filesize
889KB

MD5
9100dcb2d80ba5f75a14f1068ad009fc

SHA1
3bc85afad70d8feb1ae8fed79c32163a0444cf74

SHA256
772cd4111b1fbe69a109fc5750de13d15aa59be4c6fba123a012be481318412f

SHA512
ff2e8ef98980505cc0c5dea48a9f24d13ed8c866865e8acb84b85cb8ff48d5ec38bc386325258bb2aca169146386eecf0ada9aee860c211295f3d9c042f4f337

Download Submit
C:\Windows\Syswow64\edd61628

Filesize
889KB

MD5
9100dcb2d80ba5f75a14f1068ad009fc

SHA1
3bc85afad70d8feb1ae8fed79c32163a0444cf74

SHA256
772cd4111b1fbe69a109fc5750de13d15aa59be4c6fba123a012be481318412f

SHA512
ff2e8ef98980505cc0c5dea48a9f24d13ed8c866865e8acb84b85cb8ff48d5ec38bc386325258bb2aca169146386eecf0ada9aee860c211295f3d9c042f4f337

Download Submit
C:\Windows\inf\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Windows\inf\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
memory/424-60-0x0000000000770000-0x0000000000798000-memory.dmp

Filesize
160KB

Download
memory/1032-4-0x0000000000C30000-0x0000000000CBE000-memory.dmp

Filesize
568KB

Download
memory/1032-54-0x0000000000C30000-0x0000000000CBE000-memory.dmp

Filesize
568KB

Download
memory/1032-0-0x0000000000C30000-0x0000000000CBE000-memory.dmp

Filesize
568KB

Download
memory/1180-21-0x00000000029B0000-0x00000000029B3000-memory.dmp

Filesize
12KB

Download
memory/1180-22-0x00000000064C0000-0x00000000065B7000-memory.dmp

Filesize
988KB

Download
memory/1180-19-0x00000000029B0000-0x00000000029B3000-memory.dmp

Filesize
12KB

Download
memory/1180-82-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1180-23-0x00000000064C0000-0x00000000065B7000-memory.dmp

Filesize
988KB

Download
memory/1180-81-0x0000000006A60000-0x0000000006B2B000-memory.dmp

Filesize
812KB

Download
memory/1180-73-0x000007FEBE980000-0x000007FEBE990000-memory.dmp

Filesize
64KB

Download
memory/1180-71-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1180-70-0x0000000006A60000-0x0000000006B2B000-memory.dmp

Filesize
812KB

Download
memory/1180-46-0x00000000064C0000-0x00000000065B7000-memory.dmp

Filesize
988KB

Download
memory/1180-69-0x0000000006A60000-0x0000000006B2B000-memory.dmp

Filesize
812KB

Download
memory/1180-20-0x00000000029B0000-0x00000000029B3000-memory.dmp

Filesize
12KB

Download
memory/2484-58-0x0000000000E20000-0x0000000000EAE000-memory.dmp

Filesize
568KB

Download
memory/2484-45-0x0000000000E20000-0x0000000000EAE000-memory.dmp

Filesize
568KB

Download
memory/2484-96-0x0000000000E20000-0x0000000000EAE000-memory.dmp

Filesize
568KB

Download
memory/2484-6-0x0000000000E20000-0x0000000000EAE000-memory.dmp

Filesize
568KB

Download
memory/2484-3-0x0000000000E20000-0x0000000000EAE000-memory.dmp

Filesize
568KB

Download
memory/2872-27-0x0000000000060000-0x0000000000123000-memory.dmp

Filesize
780KB

Download
memory/2872-50-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

Filesize
812KB

Download
memory/2872-49-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

Filesize
812KB

Download
memory/2872-44-0x000007FEBE980000-0x000007FEBE990000-memory.dmp

Filesize
64KB

Download
memory/2872-43-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

Filesize
812KB

Download
memory/2872-41-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

Filesize
812KB

Download
memory/2872-35-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/2872-29-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download