70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a

Analysis

max time kernel
148s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06/10/2023, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe
Size

1.5MB
MD5

ece53f756522240e016186d141321d25
SHA1

8e8a7e24240373d867b94db9af05b760e81309af
SHA256

70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a
SHA512

a392e2ebf074decc93136f356eae11c8bbef66307d5987f739736e14ac73a783b558286420093c635bcd10bc29ce22fc505e4e8b4afa5ba1ca7b4fb14d716456
SSDEEP

24576:GM7CKVVVMxPcROUnuXGJYybQ56dOA/85RkV4lN/ZLqg/YmrkjeWz:1AseGJPQ0OAUfkVyN/ZLCMkj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2868	9695.tmp

Loads dropped DLL 2 IoCs

pid	Process
1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe
1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.sfx	9695.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	9695.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	9695.tmp

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2892	jp2launcher.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe
1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe
1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe
1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe
2892	jp2launcher.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2868	1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe	28
PID 1632 wrote to memory of 2868	1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe	28
PID 1632 wrote to memory of 2868	1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe	28
PID 1632 wrote to memory of 2868	1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe	28
PID 1632 wrote to memory of 2760	1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe	29
PID 1632 wrote to memory of 2760	1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe	29
PID 1632 wrote to memory of 2760	1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe	29
PID 1632 wrote to memory of 2760	1632	70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe	29
PID 2760 wrote to memory of 2892	2760	javaws.exe	30
PID 2760 wrote to memory of 2892	2760	javaws.exe	30
PID 2760 wrote to memory of 2892	2760	javaws.exe	30

C:\Users\Admin\AppData\Local\Temp\70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe
"C:\Users\Admin\AppData\Local\Temp\70a2b4ab4c4f4f8027aafc3f2cfdefa959830222205b93d36dfc7429f5e4be3a.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\9695.tmp
  C:\Users\Admin\AppData\Local\Temp\9695.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2868
- C:\Program Files\Java\jre7\bin\javaws.exe
  "C:\Program Files\Java\jre7\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files\Java\jre7\bin\jp2launcher.exe
    "C:\Program Files\Java\jre7\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre7" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTdcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlN1xiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmU3XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\46ceb172-5cd6f241

Filesize
12KB

MD5
36fa8fdbf8b864c7c23e3cb8cbebc9a4

SHA1
427d008a3de77b207217e79fd8f3ef6aa83e3cef

SHA256
b8d88484bdcd972c2df39e19286b376e8606a0f86310635a3a97157c58e9a639

SHA512
4ff71d0c7e13575d39e0668dc61fc9c50e5bddf3628e1e923ec2c7ca2126fac02256b6e4e7ee7caeedb47f0222c94b66a2d2ee0b27eaa26de9f9d3f47e936dc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
685B

MD5
22d4ef9d1395cb0f4a8220a8e669f203

SHA1
1669e087e7e61c4de02e0d71209a746f74e9184c

SHA256
be2e7c4b4cdbbb9a443ef2867f6937c905aa832c323f09b75b2700e587900f06

SHA512
6aaacf5df64da38f79c25059febc6db7ec329b21b2660dedc775435715b27bccf78b08e56bc2fd2d153ec25052092d3d78ed62e41138e8d6ca1074062dc0b377

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
47933033943e6337137aa28bf027a1a2

SHA1
c16d83e0c6bd2356bf3257fcedcccadfd05c3dbb

SHA256
3243018f8d3f21ea0699ecce258dde161c899fb3d248eb12312ee2d540ab3029

SHA512
97ea0697af504b98c14b1355df24f9e9f668cd59e9c44880f562dfe3cf183d92aadbbf07c9f2aa69161437c266631d638fc286b8d5b168a222b76e894cdca313

Download Submit
C:\Users\Admin\AppData\Local\Temp\9695.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\9695.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\9695.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
4KB

MD5
bec8247dde8cc0a27e57424b23a7177a

SHA1
0a73daf25181a1a0e0e379daebcb086d2e9a2434

SHA256
5183ef10daa84d38388f2eae961e600f031b41df67eae02dc873b5ce8bb8c882

SHA512
972906a6e6bf58e24b7c8ff174f89252b2e45f38780960ead5aa4de6b36769ee875b7b3a9dafb83b2d981d660c9efc4165b2efdb8b6bc3dbcc6f748b5fa3a27b

Download Submit
\Users\Admin\AppData\Local\Temp\9695.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
\Users\Admin\AppData\Local\Temp\9695.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
memory/1632-0-0x0000000001CC0000-0x0000000001D0F000-memory.dmp

Filesize
316KB

Download
memory/1632-1-0x0000000001CC0000-0x0000000001D0F000-memory.dmp

Filesize
316KB

Download
memory/2892-185-0x0000000002560000-0x0000000005560000-memory.dmp

Filesize
48.0MB

Download
memory/2892-234-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-187-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-174-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2892-209-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-224-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-227-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-175-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2892-242-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-273-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-286-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-291-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2892-55-0x0000000002560000-0x0000000005560000-memory.dmp

Filesize
48.0MB

Download
memory/2892-48-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download