9c97770ab360c1ecf483651177b89217bf66c1aed5f47669b89a2bc800a6d7a1

General

Target

c30ab3c11b97bb75e87a69ce38056e0e38584c7bd92067a62a41d6a4d4ef828e.exe
Size

204KB
MD5

feedd0af3135c277aa75f2ab9a86965d
SHA1

c3a7f0dbe7969cf0348335326b6d3740f8c9ff64
SHA256

c30ab3c11b97bb75e87a69ce38056e0e38584c7bd92067a62a41d6a4d4ef828e
SHA512

3e94cef07a849a4e3eb3fd6d1dca98021ad974cc466e5fcf62cef63db5986f9b9cde25f6870d353bfec3942d771bdbe2024174d2cef87df735265fffcb4fcf9e
SSDEEP

6144:EKUrg0PTbOu4CCE1jqAO3iScrpIcGm+WhEZRmY8:EK8xOvCCijqAyNcjxI58

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F	c30ab3c11b97bb75e87a69ce38056e0e38584c7bd92067a62a41d6a4d4ef828e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F\Blob = 0f000000010000001400000084e608dd4cc47c78e2de0f831405996c467fc35d090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b00000001000000420000005300740061007200740043006f006d002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000002500000030233021060b2b0601040181b53701010130123010060a2b0601040182373c0101030200c0620000000100000020000000c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea1400000001000000140000004e0bef1aa4405ba517698730ca346843d041aef21d0000000100000010000000155e81336fd96f7313ccb503b12f0e3c7e000000010000000800000000c00c0f7f39d30168000000010000000800000000800c13c1b9d4010300000001000000140000003e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f2000000001000000cd070000308207c9308205b1a003020102020101300d06092a864886f70d0101050500307d310b300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e312b3029060355040b1322536563757265204469676974616c204365727469666963617465205369676e696e6731293027060355040313205374617274436f6d2043657274696669636174696f6e20417574686f72697479301e170d3036303931373139343633365a170d3336303931373139343633365a307d310b300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e312b3029060355040b1322536563757265204469676974616c204365727469666963617465205369676e696e6731293027060355040313205374617274436f6d2043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a0282020100c188db09bc6c467c789f957bb53390f27262d6c1362022245ecee977f2430aa20664a4cc8e36f838e623f06e6db13cdd72a3851ca1d33db4332bd32faffeeab0415967b6c4067d0a9e7485d6794c80377adf39055259f7f41b4643a4d28585d2c371f3756234ba2c8a7f1e8feeed34d011c796cd523dba33d6dd4dde0b3b4a4b9fc2262ffab5161c723577ca3c5de6cae1268b1a36765c01db741425feedb5a0880fdd78ca2d1f079730012d7279fa46d6132aa8b9a6ab83491de5f2efdde4018e180a8f6353168562a90e193accb566a6c26b7407e42be1763eb46dd8f644e173621f3bc4bea05356256c5109f7aaabcabf76fd6d9bf39ddbbf3d66bc0c56aaaf9848953a4bdfa75850d93875a95bea430c02ff99ebe86c4d705b29659cddaa5dccaf0131ec0cebd28de8ea9c7be66ef727660c1a48d76e42e33fde213e7be10d70fb63aaa86c1a54b45c257ac9a2c98b16a6bb2c7e175e054d586e121d01ee12100dc6327f18fffcf4facd6e91e83649be1a48698bc2964d1a12b26917c10a90d6fa792248bfba7b69f870c7fa7a37d8d80dd2764f57ff90b7e391d2ddefc260b7673addfeaa9cf0d48b7f7222cec69f97b6f8af8aa010a8d9fb18c6b6b55c523c89b6192a73010a0f03b31260f27a2f81dba36eff263097f58bdd8957b6ad3db3af2bc5b77602f0a5d62b9a86142a72f6e3338c5d094b13dfbb8c7413524b0203010001a38202523082024e300c0603551d13040530030101ff300b0603551d0f0404030201ae301d0603551d0e041604144e0bef1aa4405ba517698730ca346843d041aef230640603551d1f045d305b302ca02aa0288626687474703a2f2f636572742e7374617274636f6d2e6f72672f73667363612d63726c2e63726c302ba029a0278625687474703a2f2f63726c2e7374617274636f6d2e6f72672f73667363612d63726c2e63726c3082015d0603551d2004820154308201503082014c060b2b0601040181b5370101013082013b302f06082b060105050702011623687474703a2f2f636572742e7374617274636f6d2e6f72672f706f6c6963792e706466303506082b060105050702011629687474703a2f2f636572742e7374617274636f6d2e6f72672f696e7465726d6564696174652e7064663081d006082b060105050702023081c330271620537461727420436f6d6d65726369616c20285374617274436f6d29204c74642e30030201011a81974c696d69746564204c696162696c6974792c2072656164207468652073656374696f6e202a4c6567616c204c696d69746174696f6e732a206f6620746865205374617274436f6d2043657274696669636174696f6e20417574686f7269747920506f6c69637920617661696c61626c6520617420687474703a2f2f636572742e7374617274636f6d2e6f72672f706f6c6963792e706466301106096086480186f8420101040403020007303806096086480186f842010d042b16295374617274436f6d20467265652053534c2043657274696669636174696f6e20417574686f72697479300d06092a864886f70d01010505000382020100166c99f4660c34f5d0855e7d0aecda104e381c5edfa625054b9132c1e83bf13ddd44095b07498a29cb6602b7b19af72598093c8e1be1dd36872b4bbb68d339663da026c7f239911d51ab827b7ed5ce5ae4e2035770699708f95e58a60adf8c069a451616380a5e57f662c77a0205e6bc1eb5f29ef4a92983f8b214e36e288744c3901ade38a93cac434d6445cedd28a95cf2737b04f817e8abb1f32e5c646e73313a12b8bcb311e47d8f81519a3b8d89f44d93667b3c03edd39a1d9af36550f5a0d0759f2faff0ea824398f8699c8979c4438e4672e3643612aff7251e388990777ec36b6ab9c3cb444bac78908be7c72c1e4b1144c8345227cd0a5d9f85c189d51a78f295105332dd80846675d9b56828fb612ebe84a838c0991286a51e6764ad062e2fa97085c7960f7c8965f58e43540eabdda580399460c034c996702ca312f51f487bbd1c7e6bb79d90f4223baef8fc2acafa8252a0efaf4b5593ebc1b5f0228bac344e262204a1872c754ab7e57d13d7b80c64c036d2c92f86128c2309c11b823b7349a36a578794e5d678c5994363e34de0772de165997269041a4709e60f015624fb1fbf0e79a9582eb9c409017e95ba6d00063eb2ea4a1039d8d02bf5bfec75bf9702c5091b08dc5537e281fb3784436220cae7564b65eafe6cc1249324a134eb05ff9a22ae9b7d3ff165510aa6306ab3f4881c800dfc728ae8835e	c30ab3c11b97bb75e87a69ce38056e0e38584c7bd92067a62a41d6a4d4ef828e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F\Blob = 1900000001000000100000006d00c025527177cfa02e7d1fb659cc5b0300000001000000140000003e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f68000000010000000800000000800c13c1b9d4017e000000010000000800000000c00c0f7f39d3011d0000000100000010000000155e81336fd96f7313ccb503b12f0e3c1400000001000000140000004e0bef1aa4405ba517698730ca346843d041aef2620000000100000020000000c766a9bef2d4071c863a31aa4920e813b2d198608cb7b7cfe21143b836df09ea53000000010000002500000030233021060b2b0601040181b53701010130123010060a2b0601040182373c0101030200c00b00000001000000420000005300740061007200740043006f006d002000430065007200740069006600690063006100740069006f006e00200041007500740068006f0072006900740079000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000084e608dd4cc47c78e2de0f831405996c467fc35d2000000001000000cd070000308207c9308205b1a003020102020101300d06092a864886f70d0101050500307d310b300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e312b3029060355040b1322536563757265204469676974616c204365727469666963617465205369676e696e6731293027060355040313205374617274436f6d2043657274696669636174696f6e20417574686f72697479301e170d3036303931373139343633365a170d3336303931373139343633365a307d310b300906035504061302494c31163014060355040a130d5374617274436f6d204c74642e312b3029060355040b1322536563757265204469676974616c204365727469666963617465205369676e696e6731293027060355040313205374617274436f6d2043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a0282020100c188db09bc6c467c789f957bb53390f27262d6c1362022245ecee977f2430aa20664a4cc8e36f838e623f06e6db13cdd72a3851ca1d33db4332bd32faffeeab0415967b6c4067d0a9e7485d6794c80377adf39055259f7f41b4643a4d28585d2c371f3756234ba2c8a7f1e8feeed34d011c796cd523dba33d6dd4dde0b3b4a4b9fc2262ffab5161c723577ca3c5de6cae1268b1a36765c01db741425feedb5a0880fdd78ca2d1f079730012d7279fa46d6132aa8b9a6ab83491de5f2efdde4018e180a8f6353168562a90e193accb566a6c26b7407e42be1763eb46dd8f644e173621f3bc4bea05356256c5109f7aaabcabf76fd6d9bf39ddbbf3d66bc0c56aaaf9848953a4bdfa75850d93875a95bea430c02ff99ebe86c4d705b29659cddaa5dccaf0131ec0cebd28de8ea9c7be66ef727660c1a48d76e42e33fde213e7be10d70fb63aaa86c1a54b45c257ac9a2c98b16a6bb2c7e175e054d586e121d01ee12100dc6327f18fffcf4facd6e91e83649be1a48698bc2964d1a12b26917c10a90d6fa792248bfba7b69f870c7fa7a37d8d80dd2764f57ff90b7e391d2ddefc260b7673addfeaa9cf0d48b7f7222cec69f97b6f8af8aa010a8d9fb18c6b6b55c523c89b6192a73010a0f03b31260f27a2f81dba36eff263097f58bdd8957b6ad3db3af2bc5b77602f0a5d62b9a86142a72f6e3338c5d094b13dfbb8c7413524b0203010001a38202523082024e300c0603551d13040530030101ff300b0603551d0f0404030201ae301d0603551d0e041604144e0bef1aa4405ba517698730ca346843d041aef230640603551d1f045d305b302ca02aa0288626687474703a2f2f636572742e7374617274636f6d2e6f72672f73667363612d63726c2e63726c302ba029a0278625687474703a2f2f63726c2e7374617274636f6d2e6f72672f73667363612d63726c2e63726c3082015d0603551d2004820154308201503082014c060b2b0601040181b5370101013082013b302f06082b060105050702011623687474703a2f2f636572742e7374617274636f6d2e6f72672f706f6c6963792e706466303506082b060105050702011629687474703a2f2f636572742e7374617274636f6d2e6f72672f696e7465726d6564696174652e7064663081d006082b060105050702023081c330271620537461727420436f6d6d65726369616c20285374617274436f6d29204c74642e30030201011a81974c696d69746564204c696162696c6974792c2072656164207468652073656374696f6e202a4c6567616c204c696d69746174696f6e732a206f6620746865205374617274436f6d2043657274696669636174696f6e20417574686f7269747920506f6c69637920617661696c61626c6520617420687474703a2f2f636572742e7374617274636f6d2e6f72672f706f6c6963792e706466301106096086480186f8420101040403020007303806096086480186f842010d042b16295374617274436f6d20467265652053534c2043657274696669636174696f6e20417574686f72697479300d06092a864886f70d01010505000382020100166c99f4660c34f5d0855e7d0aecda104e381c5edfa625054b9132c1e83bf13ddd44095b07498a29cb6602b7b19af72598093c8e1be1dd36872b4bbb68d339663da026c7f239911d51ab827b7ed5ce5ae4e2035770699708f95e58a60adf8c069a451616380a5e57f662c77a0205e6bc1eb5f29ef4a92983f8b214e36e288744c3901ade38a93cac434d6445cedd28a95cf2737b04f817e8abb1f32e5c646e73313a12b8bcb311e47d8f81519a3b8d89f44d93667b3c03edd39a1d9af36550f5a0d0759f2faff0ea824398f8699c8979c4438e4672e3643612aff7251e388990777ec36b6ab9c3cb444bac78908be7c72c1e4b1144c8345227cd0a5d9f85c189d51a78f295105332dd80846675d9b56828fb612ebe84a838c0991286a51e6764ad062e2fa97085c7960f7c8965f58e43540eabdda580399460c034c996702ca312f51f487bbd1c7e6bb79d90f4223baef8fc2acafa8252a0efaf4b5593ebc1b5f0228bac344e262204a1872c754ab7e57d13d7b80c64c036d2c92f86128c2309c11b823b7349a36a578794e5d678c5994363e34de0772de165997269041a4709e60f015624fb1fbf0e79a9582eb9c409017e95ba6d00063eb2ea4a1039d8d02bf5bfec75bf9702c5091b08dc5537e281fb3784436220cae7564b65eafe6cc1249324a134eb05ff9a22ae9b7d3ff165510aa6306ab3f4881c800dfc728ae8835e	c30ab3c11b97bb75e87a69ce38056e0e38584c7bd92067a62a41d6a4d4ef828e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4868	c30ab3c11b97bb75e87a69ce38056e0e38584c7bd92067a62a41d6a4d4ef828e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	c30ab3c11b97bb75e87a69ce38056e0e38584c7bd92067a62a41d6a4d4ef828e.exe

C:\Users\Admin\AppData\Local\Temp\c30ab3c11b97bb75e87a69ce38056e0e38584c7bd92067a62a41d6a4d4ef828e.exe
"C:\Users\Admin\AppData\Local\Temp\c30ab3c11b97bb75e87a69ce38056e0e38584c7bd92067a62a41d6a4d4ef828e.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uslhlqjy.n4j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Zander_Tools\c30ab3c11b97bb75e87a69ce3_Url_ds0y5eqkg1akw3g2raos45wmosgcahay\1.6.0.34738\ujf53ixt.newcfg

Filesize
1KB

MD5
7d46ec4905f70391526a95035538bfbe

SHA1
96187ae3c39664bcf756661268d3984720874c62

SHA256
2b18b9b8da60c933acd839787c96b27df79516400a785da8f59d61611dfaac0c

SHA512
b5a69180baf9ff94f057f6cf5aace60c567de41103b406c676eebf68437fa809236842aeb428c9f5a03488b350e5647f2a0d67aea0ef24a978e287a2fb15927e

Download Submit
C:\Users\Admin\AppData\Local\Zander_Tools\c30ab3c11b97bb75e87a69ce3_Url_ds0y5eqkg1akw3g2raos45wmosgcahay\1.6.0.34738\user.config

Filesize
827B

MD5
a71b2875cb982f979bb5140665c8e712

SHA1
3c073001a408355517bd6b3bf7e0dffde034f994

SHA256
343789c61269549defc214994be390833db47815a063e35436b104e7e4424a8f

SHA512
e69f2e4ad1de075e747f4b510ce1ac30ce1d247673783501ae2005886b4bb2dc02b59dc4a076dd99714cb3ebad4aaa431bf00a59fe2da771282a83b63b6d3ddd

Download Submit
C:\Users\Admin\AppData\Local\Zander_Tools\c30ab3c11b97bb75e87a69ce3_Url_ds0y5eqkg1akw3g2raos45wmosgcahay\1.6.0.34738\user.config

Filesize
979B

MD5
e8f3f527447ff7dc020bdc86154312dc

SHA1
64314d1da449d23a94fb5673be5e9d754e2d7e1b

SHA256
66a04140444ab02048c352c73e7b50cd3985f2c5a7e0897ef3bb596162ef0785

SHA512
4c39019da98edf73b88ec5dc26ed17f47d53500c2305279192c13f38141103b78a1a0b45c71a6ef34b4e253dd2ad6cdcddcba5e164c724a4c77825412be26ce1

Download Submit
memory/4868-42-0x00000245E0BE0000-0x00000245E0BE8000-memory.dmp

Filesize
32KB

Download
memory/4868-48-0x00000245E3220000-0x00000245E322E000-memory.dmp

Filesize
56KB

Download
memory/4868-6-0x00007FFBC9500000-0x00007FFBC9FC1000-memory.dmp

Filesize
10.8MB

Download
memory/4868-3-0x00000245C79E0000-0x00000245C79F0000-memory.dmp

Filesize
64KB

Download
memory/4868-2-0x00007FFBC9500000-0x00007FFBC9FC1000-memory.dmp

Filesize
10.8MB

Download
memory/4868-41-0x00000245E0C30000-0x00000245E0DF2000-memory.dmp

Filesize
1.8MB

Download
memory/4868-0-0x00000245C5E10000-0x00000245C5E46000-memory.dmp

Filesize
216KB

Download
memory/4868-43-0x00000245E3240000-0x00000245E3278000-memory.dmp

Filesize
224KB

Download
memory/4868-1-0x00000245C7B40000-0x00000245C7B9C000-memory.dmp

Filesize
368KB

Download
memory/4868-7-0x00000245C79E0000-0x00000245C79F0000-memory.dmp

Filesize
64KB

Download
memory/4868-54-0x00000245E32B0000-0x00000245E32D2000-memory.dmp

Filesize
136KB

Download
memory/4868-55-0x00000245C79E0000-0x00000245C79F0000-memory.dmp

Filesize
64KB

Download
memory/4868-56-0x00000245C79E0000-0x00000245C79F0000-memory.dmp

Filesize
64KB

Download
memory/4868-57-0x00000245E43B0000-0x00000245E4400000-memory.dmp

Filesize
320KB

Download
memory/4868-58-0x00000245E5930000-0x00000245E5E58000-memory.dmp

Filesize
5.2MB

Download
memory/4868-59-0x00000245C79E0000-0x00000245C79F0000-memory.dmp

Filesize
64KB

Download
memory/4868-60-0x00000245C79E0000-0x00000245C79F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing