b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

Analysis

max time kernel
298s
max time network
296s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
08/10/2023, 22:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
Size

202KB
MD5

0d4319ab251ef7326d331fde039c5440
SHA1

982d2c249bcccdfda4faa1a4c6b5a974d0948156
SHA256

b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2
SHA512

42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5
SSDEEP

3072:vbcmK0rkRsxd/jPvlpc3KTmfhQYH9Rh+/Gfclo5c5d:vImiyd/rU3KTmZF9j+/G

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1616	IsInvalid.exe
820	IsInvalid.exe
2616	IsInvalid.exe

Loads dropped DLL 1 IoCs

pid	Process
1632	taskeng.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\asdafa = "C:\\Users\\Admin\\AppData\\Roaming\\asdafa.exe"	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\asdafa = "C:\\Users\\Admin\\AppData\\Roaming\\asdafa.exe"	IsInvalid.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3036 set thread context of 2524	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	36
PID 1616 set thread context of 820	1616	IsInvalid.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2632	ipconfig.exe
2516	ipconfig.exe
964	ipconfig.exe
1744	ipconfig.exe
2516	ipconfig.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	IsInvalid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	IsInvalid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	IsInvalid.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	IsInvalid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1260	powershell.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe
820	IsInvalid.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
Token: SeDebugPrivilege	2524	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1616	IsInvalid.exe
Token: SeDebugPrivilege	820	IsInvalid.exe
Token: SeDebugPrivilege	2616	IsInvalid.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2476	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	30
PID 3036 wrote to memory of 2476	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	30
PID 3036 wrote to memory of 2476	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	30
PID 2476 wrote to memory of 2632	2476	cmd.exe	32
PID 2476 wrote to memory of 2632	2476	cmd.exe	32
PID 2476 wrote to memory of 2632	2476	cmd.exe	32
PID 3036 wrote to memory of 2640	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	33
PID 3036 wrote to memory of 2640	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	33
PID 3036 wrote to memory of 2640	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	33
PID 2640 wrote to memory of 2516	2640	cmd.exe	35
PID 2640 wrote to memory of 2516	2640	cmd.exe	35
PID 2640 wrote to memory of 2516	2640	cmd.exe	35
PID 3036 wrote to memory of 2524	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	36
PID 3036 wrote to memory of 2524	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	36
PID 3036 wrote to memory of 2524	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	36
PID 3036 wrote to memory of 2524	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	36
PID 3036 wrote to memory of 2524	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	36
PID 3036 wrote to memory of 2524	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	36
PID 3036 wrote to memory of 2524	3036	b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe	36
PID 2012 wrote to memory of 1260	2012	taskeng.exe	39
PID 2012 wrote to memory of 1260	2012	taskeng.exe	39
PID 2012 wrote to memory of 1260	2012	taskeng.exe	39
PID 1632 wrote to memory of 1616	1632	taskeng.exe	42
PID 1632 wrote to memory of 1616	1632	taskeng.exe	42
PID 1632 wrote to memory of 1616	1632	taskeng.exe	42
PID 1616 wrote to memory of 1232	1616	IsInvalid.exe	43
PID 1616 wrote to memory of 1232	1616	IsInvalid.exe	43
PID 1616 wrote to memory of 1232	1616	IsInvalid.exe	43
PID 1232 wrote to memory of 964	1232	cmd.exe	45
PID 1232 wrote to memory of 964	1232	cmd.exe	45
PID 1232 wrote to memory of 964	1232	cmd.exe	45
PID 1616 wrote to memory of 1816	1616	IsInvalid.exe	46
PID 1616 wrote to memory of 1816	1616	IsInvalid.exe	46
PID 1616 wrote to memory of 1816	1616	IsInvalid.exe	46
PID 1816 wrote to memory of 1744	1816	cmd.exe	48
PID 1816 wrote to memory of 1744	1816	cmd.exe	48
PID 1816 wrote to memory of 1744	1816	cmd.exe	48
PID 1616 wrote to memory of 820	1616	IsInvalid.exe	49
PID 1616 wrote to memory of 820	1616	IsInvalid.exe	49
PID 1616 wrote to memory of 820	1616	IsInvalid.exe	49
PID 1616 wrote to memory of 820	1616	IsInvalid.exe	49
PID 1616 wrote to memory of 820	1616	IsInvalid.exe	49
PID 1616 wrote to memory of 820	1616	IsInvalid.exe	49
PID 1616 wrote to memory of 820	1616	IsInvalid.exe	49
PID 820 wrote to memory of 860	820	IsInvalid.exe	50
PID 820 wrote to memory of 860	820	IsInvalid.exe	50
PID 820 wrote to memory of 860	820	IsInvalid.exe	50
PID 820 wrote to memory of 1104	820	IsInvalid.exe	51
PID 820 wrote to memory of 1104	820	IsInvalid.exe	51
PID 820 wrote to memory of 1104	820	IsInvalid.exe	51
PID 820 wrote to memory of 276	820	IsInvalid.exe	52
PID 820 wrote to memory of 276	820	IsInvalid.exe	52
PID 820 wrote to memory of 276	820	IsInvalid.exe	52
PID 820 wrote to memory of 2372	820	IsInvalid.exe	53
PID 820 wrote to memory of 2372	820	IsInvalid.exe	53
PID 820 wrote to memory of 2372	820	IsInvalid.exe	53
PID 820 wrote to memory of 3056	820	IsInvalid.exe	54
PID 820 wrote to memory of 3056	820	IsInvalid.exe	54
PID 820 wrote to memory of 3056	820	IsInvalid.exe	54
PID 820 wrote to memory of 832	820	IsInvalid.exe	55
PID 820 wrote to memory of 832	820	IsInvalid.exe	55
PID 820 wrote to memory of 832	820	IsInvalid.exe	55
PID 820 wrote to memory of 3020	820	IsInvalid.exe	56
PID 820 wrote to memory of 3020	820	IsInvalid.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
"C:\Users\Admin\AppData\Local\Temp\b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2516
- C:\Users\Admin\AppData\Local\Temp\b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
  C:\Users\Admin\AppData\Local\Temp\b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

C:\Windows\system32\taskeng.exe
taskeng.exe {5A4C52FE-C39D-4135-8FF4-1210C80D9460} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260

C:\Windows\system32\taskeng.exe
taskeng.exe {7BBF923A-3876-41C1-AED8-B84A741394B0} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
  C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:964
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:1744
- - C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
    C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:860
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:1104
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:276
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:2372
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:3056
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:832
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:3020
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:2336
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:3016
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      4⤵
      PID:2656
- C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
  C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    PID:2992
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a145c4f42accc2966e3a24a7d77eac5

SHA1
9f4eb24a3f1211e6c2fedb327784bba225011aa1

SHA256
4a5adc235335bf1c8f6630181ce803632d7de12d43e62a268dffe5c2a6cf93f6

SHA512
10c2be157030fd86d2dfb07ad1e0f47752cf9474193d5e17e8cdbd16ad640f07d757393bfb20de483e914971215e5b837fc4742a00b2899cdf9f90019f67b9f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7d3ce0b883011eb7852e39581a6a4b4

SHA1
74d1404e293cc11f711563f06113f41637253e77

SHA256
c7384b09046a9268acb97b826059bc9a9e3a54f15df287a7656cdfc8ed03821e

SHA512
9eee6993da278b4da634cff2097e6bd0db46928018d4ced75dffccd4984bbda7b4ffa5cb82bcd1461f786452c31b9cc74898a73a83327be36517c9c20fc345d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9bf778d2f4773fb9c63096e890984f9e

SHA1
3c14a8e8df6ddf14bbdd4cadd4132ad68c6761a2

SHA256
64fa4bf82e0b5b1613761667f0848ba6c1f32e2f7ebc816784f0f37484bbb6cd

SHA512
4e98dbf7a2dde924f9cea648bf18c6c1706a7c12763edce6b39a85b70b5ee4aca61ccb445012865c3591106679961689b1a3c4440f477d8e631e0d9a87ff0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3FC0.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4021.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe

Filesize
202KB

MD5
0d4319ab251ef7326d331fde039c5440

SHA1
982d2c249bcccdfda4faa1a4c6b5a974d0948156

SHA256
b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

SHA512
42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5

Download Submit
C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe

Filesize
202KB

MD5
0d4319ab251ef7326d331fde039c5440

SHA1
982d2c249bcccdfda4faa1a4c6b5a974d0948156

SHA256
b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

SHA512
42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5

Download Submit
C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe

Filesize
202KB

MD5
0d4319ab251ef7326d331fde039c5440

SHA1
982d2c249bcccdfda4faa1a4c6b5a974d0948156

SHA256
b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

SHA512
42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5

Download Submit
C:\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe

Filesize
202KB

MD5
0d4319ab251ef7326d331fde039c5440

SHA1
982d2c249bcccdfda4faa1a4c6b5a974d0948156

SHA256
b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

SHA512
42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5

Download Submit
\Users\Admin\AppData\Roaming\MergeLogic\IsInvalid.exe

Filesize
202KB

MD5
0d4319ab251ef7326d331fde039c5440

SHA1
982d2c249bcccdfda4faa1a4c6b5a974d0948156

SHA256
b9e034f81cca628a7bc2dd4dc341a2014437fa79a6f6834e0774e773dfb09bc2

SHA512
42c65d195fe3656b8f2a45117cc97b36674d18fad5d94b688d88f44d5fbc3f3ce724116080e9841491a853aa38655eb7145756daac9daec8734bd6f5b6ad8ae5

Download Submit
memory/820-130-0x000007FEF4910000-0x000007FEF52FC000-memory.dmp

Filesize
9.9MB

Download
memory/820-129-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/820-128-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/820-127-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/820-125-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/820-124-0x000007FEF4910000-0x000007FEF52FC000-memory.dmp

Filesize
9.9MB

Download
memory/820-139-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/820-118-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

Filesize
4KB

Download
memory/820-149-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/820-150-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/820-151-0x0000000000E20000-0x0000000000EA0000-memory.dmp

Filesize
512KB

Download
memory/1260-77-0x0000000001140000-0x00000000011C0000-memory.dmp

Filesize
512KB

Download
memory/1260-69-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/1260-70-0x000007FEEE350000-0x000007FEEECED000-memory.dmp

Filesize
9.6MB

Download
memory/1260-71-0x0000000001140000-0x00000000011C0000-memory.dmp

Filesize
512KB

Download
memory/1260-72-0x0000000001140000-0x00000000011C0000-memory.dmp

Filesize
512KB

Download
memory/1260-73-0x0000000001140000-0x00000000011C0000-memory.dmp

Filesize
512KB

Download
memory/1260-68-0x0000000019CB0000-0x0000000019F92000-memory.dmp

Filesize
2.9MB

Download
memory/1260-78-0x000007FEEE350000-0x000007FEEECED000-memory.dmp

Filesize
9.6MB

Download
memory/1260-76-0x000007FEEE350000-0x000007FEEECED000-memory.dmp

Filesize
9.6MB

Download
memory/1616-114-0x000000001B7F0000-0x000000001B870000-memory.dmp

Filesize
512KB

Download
memory/1616-86-0x0000000001230000-0x0000000001268000-memory.dmp

Filesize
224KB

Download
memory/1616-113-0x000007FEF4910000-0x000007FEF52FC000-memory.dmp

Filesize
9.9MB

Download
memory/1616-126-0x000007FEF4910000-0x000007FEF52FC000-memory.dmp

Filesize
9.9MB

Download
memory/1616-87-0x000007FEF4910000-0x000007FEF52FC000-memory.dmp

Filesize
9.9MB

Download
memory/1616-88-0x000000001B7F0000-0x000000001B870000-memory.dmp

Filesize
512KB

Download
memory/2524-60-0x000000001BB00000-0x000000001BC00000-memory.dmp

Filesize
1024KB

Download
memory/2524-51-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2524-63-0x0000000001040000-0x0000000001094000-memory.dmp

Filesize
336KB

Download
memory/2524-61-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-81-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-50-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2524-75-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-58-0x0000000000820000-0x00000000008A0000-memory.dmp

Filesize
512KB

Download
memory/2524-62-0x0000000000E10000-0x0000000000E66000-memory.dmp

Filesize
344KB

Download
memory/2524-55-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2524-74-0x0000000000820000-0x00000000008A0000-memory.dmp

Filesize
512KB

Download
memory/2524-53-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/2524-52-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2616-153-0x000007FEF4910000-0x000007FEF52FC000-memory.dmp

Filesize
9.9MB

Download
memory/2616-173-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/2616-172-0x000007FEF4910000-0x000007FEF52FC000-memory.dmp

Filesize
9.9MB

Download
memory/2616-154-0x0000000000980000-0x0000000000A00000-memory.dmp

Filesize
512KB

Download
memory/3036-47-0x000000001C650000-0x000000001C716000-memory.dmp

Filesize
792KB

Download
memory/3036-4-0x000000001BD00000-0x000000001BD80000-memory.dmp

Filesize
512KB

Download
memory/3036-3-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/3036-2-0x000000001BD00000-0x000000001BD80000-memory.dmp

Filesize
512KB

Download
memory/3036-46-0x000000001BBF0000-0x000000001BCC8000-memory.dmp

Filesize
864KB

Download
memory/3036-59-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/3036-1-0x0000000001130000-0x0000000001168000-memory.dmp

Filesize
224KB

Download
memory/3036-48-0x0000000001090000-0x00000000010DC000-memory.dmp

Filesize
304KB

Download
memory/3036-0-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download