84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22/09/2023, 06:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Size

536KB
MD5

74bcc42a4bb2f206d76f562d21bb2284
SHA1

355dbb36f5088ba5ebd2fb2e84f2ff2f4cfa46eb
SHA256

84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c
SHA512

43a42aefe9f79e1f5a5983f0e9aea87b388a293322ad9701ffef99aa93759ac8d1a94a921dc6f0cee96b3fd3ef10d9cde4fd3569b04480fd7c6568401025e02e
SSDEEP

12288:xhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:xdQyDLzJTveuK0/Okx2LF

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1260 created 424	1260	Explorer.EXE	3

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\wq1exezh.sys	unregmp2.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	unregmp2.exe

Loads dropped DLL 1 IoCs

pid	Process
1260	Explorer.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1924-0-0x0000000000BA0000-0x0000000000CA2000-memory.dmp	upx
behavioral1/memory/1924-37-0x0000000000BA0000-0x0000000000CA2000-memory.dmp	upx
behavioral1/memory/1924-72-0x0000000000BA0000-0x0000000000CA2000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	unregmp2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	unregmp2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	unregmp2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	unregmp2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	unregmp2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	unregmp2.exe
File created	C:\Windows\system32\ \Windows\System32\PsuZeAoH.sys	unregmp2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	unregmp2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	unregmp2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	unregmp2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	unregmp2.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\20f088	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
File created	C:\Windows\Logs\unregmp2.exe	Explorer.EXE
File opened for modification	C:\Windows\Logs\unregmp2.exe	Explorer.EXE
File created	C:\Windows\14SZ0ly2.sys	unregmp2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3036	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	unregmp2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	unregmp2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	unregmp2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-be-a4-4e-85-29\WpadDecision = "0"	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-be-a4-4e-85-29	unregmp2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-be-a4-4e-85-29\WpadDecisionReason = "1"	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	unregmp2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{960CCD6C-7A92-4842-AF61-6358238A1833}\WpadDecisionTime = c0bcd2b220edd901	unregmp2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{960CCD6C-7A92-4842-AF61-6358238A1833}	unregmp2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-be-a4-4e-85-29\WpadDecisionTime = c0bcd2b220edd901	unregmp2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	unregmp2.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{960CCD6C-7A92-4842-AF61-6358238A1833}\5a-be-a4-4e-85-29	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	unregmp2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0093000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	unregmp2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	unregmp2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{960CCD6C-7A92-4842-AF61-6358238A1833}\WpadDecision = "0"	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	unregmp2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{960CCD6C-7A92-4842-AF61-6358238A1833}\WpadDecisionReason = "1"	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	unregmp2.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	unregmp2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	unregmp2.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	unregmp2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	unregmp2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	unregmp2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	unregmp2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe
2740	unregmp2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1260	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
472	Process not Found
472	Process not Found
472	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Token: SeTcbPrivilege	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Token: SeDebugPrivilege	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeTcbPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
Token: SeDebugPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	2740	unregmp2.exe
Token: SeDebugPrivilege	2740	unregmp2.exe
Token: SeDebugPrivilege	2740	unregmp2.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1260	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	22
PID 1924 wrote to memory of 1260	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	22
PID 1924 wrote to memory of 1260	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	22
PID 1260 wrote to memory of 2740	1260	Explorer.EXE	28
PID 1260 wrote to memory of 2740	1260	Explorer.EXE	28
PID 1260 wrote to memory of 2740	1260	Explorer.EXE	28
PID 1260 wrote to memory of 2740	1260	Explorer.EXE	28
PID 1260 wrote to memory of 2740	1260	Explorer.EXE	28
PID 1260 wrote to memory of 2740	1260	Explorer.EXE	28
PID 1260 wrote to memory of 2740	1260	Explorer.EXE	28
PID 1260 wrote to memory of 2740	1260	Explorer.EXE	28
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 1260 wrote to memory of 424	1260	Explorer.EXE	3
PID 1924 wrote to memory of 2520	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	29
PID 1924 wrote to memory of 2520	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	29
PID 1924 wrote to memory of 2520	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	29
PID 1924 wrote to memory of 2520	1924	84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe	29
PID 2520 wrote to memory of 3036	2520	cmd.exe	31
PID 2520 wrote to memory of 3036	2520	cmd.exe	31
PID 2520 wrote to memory of 3036	2520	cmd.exe	31
PID 2520 wrote to memory of 3036	2520	cmd.exe	31

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424
- C:\Windows\Logs\unregmp2.exe
  "C:\Windows\Logs\unregmp2.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe
  "C:\Users\Admin\AppData\Local\Temp\84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\84d72b8fd291a03e3abe63e37f18ac9fe3c7328574d889aeb09019e1d661b54c.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab4607.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar61E3.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1832ac7.tmp

Filesize
14.5MB

MD5
6697f78c0dffa2e0b851046aaf272101

SHA1
b91aeb9e6d4d99778a4fe27da2457cdb321e8bfe

SHA256
354b9545fbb292faea96eadbef7c85caf0f6f72b915e567044833fdfc2b923f0

SHA512
fd5d44c6aa0c791e77bfec1436e810b1ef6cd1c92937faa060b6688b5dd4a47268189639e628e2fed8ce57ad04b0e816f18b16d2a3e69e60cbd16049948766d4

Download Submit
C:\Windows\Logs\unregmp2.exe

Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Windows\Logs\unregmp2.exe

Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
memory/424-71-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/424-70-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/424-61-0x0000000000820000-0x0000000000841000-memory.dmp

Filesize
132KB

Download
memory/1260-143-0x000007FEF5570000-0x000007FEF56B3000-memory.dmp

Filesize
1.3MB

Download
memory/1260-35-0x0000000003DB0000-0x0000000003DB3000-memory.dmp

Filesize
12KB

Download
memory/1260-32-0x0000000003DB0000-0x0000000003DB3000-memory.dmp

Filesize
12KB

Download
memory/1260-39-0x0000000008910000-0x0000000008A09000-memory.dmp

Filesize
996KB

Download
memory/1260-26-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/1260-142-0x000007FEB0C60000-0x000007FEB0C6A000-memory.dmp

Filesize
40KB

Download
memory/1260-24-0x00000000074B0000-0x00000000075A4000-memory.dmp

Filesize
976KB

Download
memory/1260-54-0x0000000003CA0000-0x0000000003D19000-memory.dmp

Filesize
484KB

Download
memory/1260-141-0x000007FEF5570000-0x000007FEF56B3000-memory.dmp

Filesize
1.3MB

Download
memory/1260-4-0x0000000002B20000-0x0000000002B23000-memory.dmp

Filesize
12KB

Download
memory/1260-7-0x0000000002B20000-0x0000000002B23000-memory.dmp

Filesize
12KB

Download
memory/1260-6-0x0000000003CA0000-0x0000000003D19000-memory.dmp

Filesize
484KB

Download
memory/1260-3-0x0000000002B20000-0x0000000002B23000-memory.dmp

Filesize
12KB

Download
memory/1924-37-0x0000000000BA0000-0x0000000000CA2000-memory.dmp

Filesize
1.0MB

Download
memory/1924-72-0x0000000000BA0000-0x0000000000CA2000-memory.dmp

Filesize
1.0MB

Download
memory/1924-0-0x0000000000BA0000-0x0000000000CA2000-memory.dmp

Filesize
1.0MB

Download
memory/2740-129-0x00000000045B0000-0x0000000004775000-memory.dmp

Filesize
1.8MB

Download
memory/2740-130-0x00000000045B0000-0x0000000004775000-memory.dmp

Filesize
1.8MB

Download
memory/2740-123-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/2740-124-0x00000000003C0000-0x000000000048B000-memory.dmp

Filesize
812KB

Download
memory/2740-126-0x00000000020C0000-0x00000000020CA000-memory.dmp

Filesize
40KB

Download
memory/2740-125-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2740-127-0x00000000020C0000-0x00000000020CA000-memory.dmp

Filesize
40KB

Download
memory/2740-128-0x00000000020C0000-0x00000000020CA000-memory.dmp

Filesize
40KB

Download
memory/2740-120-0x0000000036F30000-0x0000000036F40000-memory.dmp

Filesize
64KB

Download
memory/2740-122-0x00000000003C0000-0x000000000048B000-memory.dmp

Filesize
812KB

Download
memory/2740-131-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2740-132-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2740-133-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2740-134-0x00000000045B0000-0x0000000004775000-memory.dmp

Filesize
1.8MB

Download
memory/2740-58-0x00000000003C0000-0x000000000048B000-memory.dmp

Filesize
812KB

Download
memory/2740-55-0x00000000003C0000-0x000000000048B000-memory.dmp

Filesize
812KB

Download
memory/2740-42-0x0000000000060000-0x0000000000123000-memory.dmp

Filesize
780KB

Download
memory/2740-59-0x000007FEBEB40000-0x000007FEBEB50000-memory.dmp

Filesize
64KB

Download