a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
Size

3.0MB
MD5

ad1899b8ed8a1064806d93a6b04a7087
SHA1

4ae5cdd51b169b9993e3729d3f83a7b87ea8e401
SHA256

a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b
SHA512

2ff5d82b538e452c144851a4ae6dda968deaeb5bd4753dcab2ee4f26912629dbcad6c66b0e3b2aaf47bcb35eba83c15bfcaa906d32cece2eab8df76daf6f2e9e
SSDEEP

49152:rTGkQT5QZuTtS0rQMYOQ+q8CEdTG4QxTGHQO9KFeMy:rKkoWsM0r1Qn2K44KHx0Fer

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\FATqchE.sys	Explorer.EXE

Deletes itself 1 IoCs

pid	Process
2924	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1656	4dddd624
2636	wiaacmgr.exe

Loads dropped DLL 2 IoCs

pid	Process
1348	Explorer.EXE
1348	Explorer.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-0-0x0000000000E40000-0x0000000000EC9000-memory.dmp	upx
behavioral1/files/0x00070000000120be-2.dat	upx
behavioral1/memory/1656-3-0x0000000000380000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1992-34-0x0000000000E40000-0x0000000000EC9000-memory.dmp	upx
behavioral1/memory/1656-47-0x0000000000380000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1992-71-0x0000000000E40000-0x0000000000EC9000-memory.dmp	upx
behavioral1/memory/1656-70-0x0000000000380000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1656-108-0x0000000000380000-0x0000000000409000-memory.dmp	upx
behavioral1/files/0x00070000000120be-109.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Syswow64\4dddd624	a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	4dddd624
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	4dddd624
File created	C:\Windows\system32\ \Windows\System32\tPWh7T.sys	Explorer.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1c59f0	4dddd624
File created	C:\Windows\Inf\wiaacmgr.exe	Explorer.EXE
File opened for modification	C:\Windows\Inf\wiaacmgr.exe	Explorer.EXE
File created	C:\Windows\U6HM03FU.sys	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2484	timeout.exe
1464	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	Explorer.EXE

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	4dddd624
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	4dddd624
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	4dddd624
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	4dddd624
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	4dddd624
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	4dddd624
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	4dddd624
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	4dddd624
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	4dddd624
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	4dddd624

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4dddd624
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4dddd624
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4dddd624
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4dddd624

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	4dddd624
1656	4dddd624
1656	4dddd624
1656	4dddd624
1656	4dddd624
1656	4dddd624
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1656	4dddd624
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1348	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
468	Process not Found
468	Process not Found
468	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
Token: SeTcbPrivilege	1992	a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
Token: SeDebugPrivilege	1656	4dddd624
Token: SeTcbPrivilege	1656	4dddd624
Token: SeDebugPrivilege	1656	4dddd624
Token: SeDebugPrivilege	1348	Explorer.EXE
Token: SeDebugPrivilege	1348	Explorer.EXE
Token: SeDebugPrivilege	1656	4dddd624
Token: SeIncBasePriorityPrivilege	1992	a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
Token: SeDebugPrivilege	1348	Explorer.EXE
Token: SeDebugPrivilege	1348	Explorer.EXE
Token: SeDebugPrivilege	1348	Explorer.EXE
Token: SeDebugPrivilege	1348	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1656	4dddd624
Token: SeDebugPrivilege	1348	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE
1348	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1348	Explorer.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1348	1656	4dddd624	14
PID 1656 wrote to memory of 1348	1656	4dddd624	14
PID 1656 wrote to memory of 1348	1656	4dddd624	14
PID 1656 wrote to memory of 1348	1656	4dddd624	14
PID 1656 wrote to memory of 1348	1656	4dddd624	14
PID 1348 wrote to memory of 2636	1348	Explorer.EXE	29
PID 1348 wrote to memory of 2636	1348	Explorer.EXE	29
PID 1348 wrote to memory of 2636	1348	Explorer.EXE	29
PID 1348 wrote to memory of 2636	1348	Explorer.EXE	29
PID 1348 wrote to memory of 2636	1348	Explorer.EXE	29
PID 1348 wrote to memory of 2636	1348	Explorer.EXE	29
PID 1348 wrote to memory of 2636	1348	Explorer.EXE	29
PID 1348 wrote to memory of 2636	1348	Explorer.EXE	29
PID 1656 wrote to memory of 424	1656	4dddd624	3
PID 1656 wrote to memory of 424	1656	4dddd624	3
PID 1656 wrote to memory of 424	1656	4dddd624	3
PID 1656 wrote to memory of 424	1656	4dddd624	3
PID 1656 wrote to memory of 424	1656	4dddd624	3
PID 1992 wrote to memory of 2924	1992	a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe	31
PID 1992 wrote to memory of 2924	1992	a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe	31
PID 1992 wrote to memory of 2924	1992	a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe	31
PID 1992 wrote to memory of 2924	1992	a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe	31
PID 2924 wrote to memory of 2484	2924	cmd.exe	33
PID 2924 wrote to memory of 2484	2924	cmd.exe	33
PID 2924 wrote to memory of 2484	2924	cmd.exe	33
PID 2924 wrote to memory of 2484	2924	cmd.exe	33
PID 1656 wrote to memory of 660	1656	4dddd624	34
PID 1656 wrote to memory of 660	1656	4dddd624	34
PID 1656 wrote to memory of 660	1656	4dddd624	34
PID 1656 wrote to memory of 660	1656	4dddd624	34
PID 660 wrote to memory of 1464	660	cmd.exe	36
PID 660 wrote to memory of 1464	660	cmd.exe	36
PID 660 wrote to memory of 1464	660	cmd.exe	36
PID 660 wrote to memory of 1464	660	cmd.exe	36

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
  "C:\Users\Admin\AppData\Local\Temp\a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2484
- C:\Windows\Inf\wiaacmgr.exe
  "C:\Windows\Inf\wiaacmgr.exe"
  2⤵
  - Executes dropped EXE
  PID:2636

C:\Windows\Syswow64\4dddd624
C:\Windows\Syswow64\4dddd624
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\4dddd624"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tar91A6.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\SysWOW64\4dddd624

Filesize
3.0MB

MD5
e5401706dd217166d478a67e05e7649d

SHA1
6fd48c5ed4c3a81fcd56d1865171ec91709b58d0

SHA256
1566db41a6df8c41effaa4d1867c33616a9a85c33b4e79efb6ffe28ed77b9941

SHA512
798b75f88f3fb80fb365e4adba5527a6c3c6e2cb88416d9e847ff53b325dddffdb07eb675520c0cd8db3311e105a2edd4b19c91a1f3bbf0f46b94cde44264840

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\Syswow64\4dddd624

Filesize
3.0MB

MD5
e5401706dd217166d478a67e05e7649d

SHA1
6fd48c5ed4c3a81fcd56d1865171ec91709b58d0

SHA256
1566db41a6df8c41effaa4d1867c33616a9a85c33b4e79efb6ffe28ed77b9941

SHA512
798b75f88f3fb80fb365e4adba5527a6c3c6e2cb88416d9e847ff53b325dddffdb07eb675520c0cd8db3311e105a2edd4b19c91a1f3bbf0f46b94cde44264840

Download Submit
C:\Windows\inf\wiaacmgr.exe

Filesize
94KB

MD5
3962df9cd4747ba6cfd5dd9058aa8965

SHA1
5d5992b660b3c54c47683fc5b68ae47eea4dff29

SHA256
ee9ee79f88dc62ba7ce479bd0cfde6757327089ea2034c591ff3865f09921c9b

SHA512
a7af55d33bbb70d0667846fe3cc056431f24a35e0596996e0f07d8290c087a8696bb21b815f7fb3907b894d4f5eceed7872df7bd79c2a0cffc81159ebd880961

Download Submit
\Windows\inf\wiaacmgr.exe

Filesize
94KB

MD5
3962df9cd4747ba6cfd5dd9058aa8965

SHA1
5d5992b660b3c54c47683fc5b68ae47eea4dff29

SHA256
ee9ee79f88dc62ba7ce479bd0cfde6757327089ea2034c591ff3865f09921c9b

SHA512
a7af55d33bbb70d0667846fe3cc056431f24a35e0596996e0f07d8290c087a8696bb21b815f7fb3907b894d4f5eceed7872df7bd79c2a0cffc81159ebd880961

Download Submit
\Windows\inf\wiaacmgr.exe

Filesize
94KB

MD5
3962df9cd4747ba6cfd5dd9058aa8965

SHA1
5d5992b660b3c54c47683fc5b68ae47eea4dff29

SHA256
ee9ee79f88dc62ba7ce479bd0cfde6757327089ea2034c591ff3865f09921c9b

SHA512
a7af55d33bbb70d0667846fe3cc056431f24a35e0596996e0f07d8290c087a8696bb21b815f7fb3907b894d4f5eceed7872df7bd79c2a0cffc81159ebd880961

Download Submit
memory/424-77-0x0000000000910000-0x0000000000938000-memory.dmp

Filesize
160KB

Download
memory/424-54-0x00000000007B0000-0x00000000007B3000-memory.dmp

Filesize
12KB

Download
memory/1348-146-0x0000000003FE0000-0x0000000003FEF000-memory.dmp

Filesize
60KB

Download
memory/1348-153-0x0000000009660000-0x0000000009700000-memory.dmp

Filesize
640KB

Download
memory/1348-231-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/1348-230-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/1348-172-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-170-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-168-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-166-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-164-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-162-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-160-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-23-0x00000000026E0000-0x00000000026E3000-memory.dmp

Filesize
12KB

Download
memory/1348-158-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-156-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-154-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-73-0x00000000041B0000-0x000000000427B000-memory.dmp

Filesize
812KB

Download
memory/1348-72-0x00000000041B0000-0x000000000427B000-memory.dmp

Filesize
812KB

Download
memory/1348-24-0x00000000026E0000-0x00000000026E3000-memory.dmp

Filesize
12KB

Download
memory/1348-76-0x000007FEBEC90000-0x000007FEBECA0000-memory.dmp

Filesize
64KB

Download
memory/1348-78-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1348-85-0x0000000006D90000-0x0000000006E87000-memory.dmp

Filesize
988KB

Download
memory/1348-25-0x0000000006D90000-0x0000000006E87000-memory.dmp

Filesize
988KB

Download
memory/1348-33-0x0000000006D90000-0x0000000006E87000-memory.dmp

Filesize
988KB

Download
memory/1348-21-0x00000000026E0000-0x00000000026E3000-memory.dmp

Filesize
12KB

Download
memory/1348-151-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1348-134-0x0000000037550000-0x0000000037560000-memory.dmp

Filesize
64KB

Download
memory/1348-136-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1348-137-0x00000000041B0000-0x000000000427B000-memory.dmp

Filesize
812KB

Download
memory/1348-139-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1348-140-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1348-138-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1348-141-0x0000000003FE0000-0x0000000003FEF000-memory.dmp

Filesize
60KB

Download
memory/1348-142-0x0000000009660000-0x0000000009700000-memory.dmp

Filesize
640KB

Download
memory/1348-143-0x0000000009660000-0x0000000009700000-memory.dmp

Filesize
640KB

Download
memory/1348-144-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1348-145-0x0000000003F00000-0x0000000003F01000-memory.dmp

Filesize
4KB

Download
memory/1348-149-0x0000000003F00000-0x0000000003F05000-memory.dmp

Filesize
20KB

Download
memory/1348-147-0x0000000009660000-0x0000000009700000-memory.dmp

Filesize
640KB

Download
memory/1656-47-0x0000000000380000-0x0000000000409000-memory.dmp

Filesize
548KB

Download
memory/1656-108-0x0000000000380000-0x0000000000409000-memory.dmp

Filesize
548KB

Download
memory/1656-70-0x0000000000380000-0x0000000000409000-memory.dmp

Filesize
548KB

Download
memory/1656-3-0x0000000000380000-0x0000000000409000-memory.dmp

Filesize
548KB

Download
memory/1992-0-0x0000000000E40000-0x0000000000EC9000-memory.dmp

Filesize
548KB

Download
memory/1992-71-0x0000000000E40000-0x0000000000EC9000-memory.dmp

Filesize
548KB

Download
memory/1992-34-0x0000000000E40000-0x0000000000EC9000-memory.dmp

Filesize
548KB

Download
memory/2636-46-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2636-51-0x000007FEBEC90000-0x000007FEBECA0000-memory.dmp

Filesize
64KB

Download
memory/2636-50-0x0000000001F10000-0x0000000001FDB000-memory.dmp

Filesize
812KB

Download
memory/2636-52-0x0000000001F10000-0x0000000001FDB000-memory.dmp

Filesize
812KB

Download
memory/2636-32-0x00000000000D0000-0x0000000000193000-memory.dmp

Filesize
780KB

Download
memory/2636-42-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/2636-36-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2636-56-0x0000000001F10000-0x0000000001FDB000-memory.dmp

Filesize
812KB

Download