866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42

General

Target

866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
Size

6.2MB
MD5

38933b9a730dc15e20a1c6f9a0ea8c49
SHA1

78c29a50524a75c39314625dd2ec1908fc265225
SHA256

866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42
SHA512

c6fc45495ac5a7d488d1221a2afee3012d71ec6b6dd4d7bd44e808f8645cc854a7ccf37d1c8d2b37d5a7aa78f6d1a28ab973df627043929d6769ed348898244a
SSDEEP

98304:WOKgL71iSgYEL5iVIIRPaDkH/FsKRAirkAeFcpfEIgJxptQrJTBcTtaopwIyFEgy:3Rhs5UIIRPMkH9NpkYfEIgJxjCTYqo

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\1999-Mix.sys	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
File created	C:\Windows\system32\Drivers\Nal.sys	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
File created	C:\Windows\system32\Drivers\MissC.sys	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nal\ImagePath = "\\Device\\HarddiskVolume2\\Windows\\system32\\Drivers\\Nal.sys"	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MissC\ImagePath = "\\Device\\HarddiskVolume2\\Windows\\system32\\Drivers\\MissC.sys"	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2\Blob = 5300000001000000230000003021301f060960864801a4a227020130123010060a2b0601040182373c0101030200c05c000000010000000400000000100000030000000100000014000000e403a1dfc8f377e0f4aa43a83ee9ea079a1f55f219000000010000001000000079d8e39856b0540913defb485e73ed621400000001000000140000000525862f6536a1e59d9eca5c0919ad0e3d96261d0f000000010000001400000052bf462203121ab271f48ff1a32d373fd9f12399040000000100000010000000dc911e8da3a186bb4d52eec0e57b515509000000010000004c000000304a060a2b0601040182370a0602060a2b0601040182370a060106082b0601050507030806082b0601050507030406082b0601050507030306082b0601050507030206082b060105050703012000000001000000d3050000308205cf308203b7a00302010202041eb132d5300d06092a864886f70d01010505003076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f742043413020170d3030303130313030303030305a180f32303939313233313233353935395a3076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b5bf164ce267332d80ffed87e949041ea0b8dd6e4389cc2ece1e2606c7dc4085d75631f5bf99e3b60a4dbe48dc7337e8edc95dd02aca568a119c2884dd8cecd0c174585e1b6ec89e47f37f28626bb42abb0f7cb0ee0f25d11e268026937bfc4587de5d7cd89d9cd3fee634120724a3771d3dec3ba265398f84274bc72d683be7982706d99e24f4ffe84370fb7b0c8d56449c1bdb2d53ca85a55ea12b4cb65aa691fbbceb57c3cb924ded732c252a968069030dbd3a2bf0c8fa027b7ab6afc325b439d4edc7bad1d3e57dfa244705d36bae516daa94378ea3a87e54aad21deb547b1bc659ca611b05da6f473f6dedfc7616bb9a86838cb2b1be86ff2169d4bcc9078527fa4e579acfc1d649339751c2e6521432cf6b5f26666f2c732ec567a2f5c89f62a34b4a73352238b02d981eaf905c6a66ebe570b20d6ae57d978420f34ab679268d8910217031fa6c69831f485eab30c445789242977e2c9d2df3f0f1aa4ec0cae5612418ffdf0127b7d5809e7a1803121d5b0ff82537ab112a49d7946a51ec8c4691332d5ffa415471f2d95e104400776c21250ae00d587b233b22a596db169e0583c0027c59814544963e66a5eb293ea11523e338d924244bd36b6d27227eecf848c3aef39b756123595c646d36d6cdf570b72fe9fbef779e0afa1db7cf4cc81964b366441f8032337a328f3c988997d0a27d2d8dce891c221a514ab30203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604140525862f6536a1e59d9eca5c0919ad0e3d96261d301f0603551d230418301680140525862f6536a1e59d9eca5c0919ad0e3d96261d300d06092a864886f70d01010505000382020100ad21caaf24b3bfa5ae380783453b61419a4625b1adf976ca6ee77f802063842fd2ca4879ddf39df1a0ca779bb313fb86d1241607b6df5e868ad9cddb69e19baf3107c22cf951569dc8d5f89db4b4ab7b859b61482b10df9bfcce81c4f1b86c77d40a5ee2805a460dd0d6ea165f86e67085097d159090416b07de58ece97764bd1ab9d3c197d1e52aa132182f68fe1962f194b22e1a5a9d4d25c46c9e97a8a6fde4ec57296b4a509eb6dcc8be7b25ff104ef9892d413c93662351b7f3bab4725aaadd18adf65efba74224dbd1dd718356d68e205046d648ac74e11d3be7494d0dba37c51a467af57c721a25968ab1e6a48416009cfb2ac1c063245d93ec2459ac262778e907e4b9aa5bf666db808344c83857d632ae46fe2daba83d1497a155bb9da767ca7fe567b218dffda7aa61055501b2f515cd0fd8b830a67c82b765f52cf80f077ea177480395a29c8dbe9cd572715257a7cef58ad63218e05d16f0096bd496e12d17bf7790b9ddb6318fb91a2a3f3395dd55e4ba739c2c8d15442fbc8de41bade132d1a23fb5a2844e6b08062208f9191e1f3ca0a5504e07cf4b3f2baa683bdc0dc10a8a6631b3d46481641798a4a37b35ada800104d8bc70c0fc31f6615284cb1229592ee072139b6a15a8ad9e1a8135bb4fe7b426d5e69ca1a9a420d7ce3612490d4d9421835a89a05f14e3ca3fd987c51cd62f2926945cfbff32caa	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
680	Process not Found
4584	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
680	Process not Found
680	Process not Found
4584	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
680	Process not Found
4584	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4584	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
Token: SeLoadDriverPrivilege	4584	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
Token: SeLoadDriverPrivilege	4584	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
Token: SeLoadDriverPrivilege	4584	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4584	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
4584	866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe

C:\Users\Admin\AppData\Local\Temp\866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe
"C:\Users\Admin\AppData\Local\Temp\866500021dd2fdb5ddb3fe3a0ac9bcd518e554299a101d094f71dbd5be140d42.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system certificate store
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\drivers\1999-Mix.sys

Filesize
18KB

MD5
fd539e1c78bb22e47bf85cbfb76a7477

SHA1
9f86471d0fe8e786bd8f31d516f593947b348f75

SHA256
7aae94158ab29eeba019d4b776e634fd671c966052cbd2aec6293485f668e56e

SHA512
5a914fbe1d7f19ad241ce33b9e22ce659b34aa9232fabaea776e5f1762498e346f1dbe643fdf64cdfe88ce45600cbcd60d5842a011999c4aa19f7d26f9c608a1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads