Analysis
-
max time kernel
150s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
12-10-2023 17:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe
Resource
win7-20230831-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral2
Sample
bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe
-
Size
399KB
-
MD5
6b536c7f28c331c46c88e5e1827f83d0
-
SHA1
c55b37d2fcbe8c5178f065b7fb08395aafd68dc9
-
SHA256
bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb
-
SHA512
7e22107cb788c71459510aef25a2123c058855e03c7c4ea6530f457246b7d84aad965b8cce90ed305d94f66ca8e9699d26e80b03572b13e710738dc77112d5e0
-
SSDEEP
6144:XKiYJL+K7EQ5vrt5AVfL8haEK4sDzLPFZcEOkCybEaQRXr9HNdvOa:LqEU0Vf4ha0sDzDOkx2LIa
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\System32\drivers\rt1GtnMU3.sys quser.exe -
Deletes itself 1 IoCs
pid Process 2432 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2756 f97a9d44 2700 quser.exe -
Loads dropped DLL 1 IoCs
pid Process 1412 Explorer.EXE -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 114.114.114.114 -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 f97a9d44 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E f97a9d44 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A f97a9d44 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A f97a9d44 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat f97a9d44 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4 f97a9d44 File created C:\Windows\system32\ \Windows\System32\dT9039qPO.sys quser.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 f97a9d44 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E f97a9d44 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4 f97a9d44 File created C:\Windows\Syswow64\f97a9d44 bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 f97a9d44 File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 f97a9d44 -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe Explorer.EXE File opened for modification C:\Windows\2f2f08 f97a9d44 File created C:\Windows\Help\quser.exe Explorer.EXE File opened for modification C:\Windows\Help\quser.exe Explorer.EXE File created C:\Windows\LZk7XD.sys quser.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 2 IoCs
pid Process 1704 timeout.exe 1472 timeout.exe -
Modifies Control Panel 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\Desktop\WindowMetrics\Shell Icon Size = "31" quser.exe Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\Desktop\WindowMetrics\Shell Icon Size = "32" quser.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs f97a9d44 Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" f97a9d44 Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates f97a9d44 Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs f97a9d44 Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs f97a9d44 Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A702E27-7C2F-49D9-BF83-27DF2F7F5B5E}\WpadDecision = "0" f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-af-fa-04-bf-79 f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings f97a9d44 Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates f97a9d44 Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A702E27-7C2F-49D9-BF83-27DF2F7F5B5E}\WpadDecisionTime = 604435ebcc00da01 f97a9d44 Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-af-fa-04-bf-79\WpadDecisionTime = 604435ebcc00da01 f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs f97a9d44 Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 f97a9d44 Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 f97a9d44 Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-af-fa-04-bf-79\WpadDecisionReason = "1" f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A702E27-7C2F-49D9-BF83-27DF2F7F5B5E} f97a9d44 Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-af-fa-04-bf-79\WpadDecision = "0" f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad f97a9d44 Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A702E27-7C2F-49D9-BF83-27DF2F7F5B5E}\WpadNetworkName = "Network 2" f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople f97a9d44 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs f97a9d44 Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 f97a9d44 Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A702E27-7C2F-49D9-BF83-27DF2F7F5B5E}\WpadDecisionReason = "1" f97a9d44 Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" f97a9d44 Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6A702E27-7C2F-49D9-BF83-27DF2F7F5B5E}\7e-af-fa-04-bf-79 f97a9d44 Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs f97a9d44 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 quser.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e quser.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 quser.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde quser.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e quser.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 f97a9d44 Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e f97a9d44 -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2756 f97a9d44 2756 f97a9d44 2756 f97a9d44 2756 f97a9d44 2756 f97a9d44 2756 f97a9d44 1412 Explorer.EXE 1412 Explorer.EXE 1412 Explorer.EXE 2756 f97a9d44 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1412 Explorer.EXE -
Suspicious behavior: LoadsDriver 3 IoCs
pid Process 464 Process not Found 464 Process not Found 464 Process not Found -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeDebugPrivilege 2944 bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe Token: SeTcbPrivilege 2944 bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe Token: SeDebugPrivilege 2756 f97a9d44 Token: SeTcbPrivilege 2756 f97a9d44 Token: SeDebugPrivilege 2756 f97a9d44 Token: SeDebugPrivilege 1412 Explorer.EXE Token: SeDebugPrivilege 1412 Explorer.EXE Token: SeIncBasePriorityPrivilege 2944 bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe Token: SeDebugPrivilege 2756 f97a9d44 Token: SeDebugPrivilege 2700 quser.exe Token: SeDebugPrivilege 2700 quser.exe Token: SeDebugPrivilege 2700 quser.exe Token: SeIncBasePriorityPrivilege 2756 f97a9d44 Token: SeShutdownPrivilege 1412 Explorer.EXE Token: SeShutdownPrivilege 1412 Explorer.EXE Token: SeShutdownPrivilege 1412 Explorer.EXE Token: SeShutdownPrivilege 1412 Explorer.EXE Token: SeShutdownPrivilege 1412 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1412 Explorer.EXE 1412 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1412 Explorer.EXE 1412 Explorer.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 2756 wrote to memory of 1412 2756 f97a9d44 13 PID 2756 wrote to memory of 1412 2756 f97a9d44 13 PID 2756 wrote to memory of 1412 2756 f97a9d44 13 PID 2756 wrote to memory of 1412 2756 f97a9d44 13 PID 2756 wrote to memory of 1412 2756 f97a9d44 13 PID 1412 wrote to memory of 2700 1412 Explorer.EXE 29 PID 1412 wrote to memory of 2700 1412 Explorer.EXE 29 PID 1412 wrote to memory of 2700 1412 Explorer.EXE 29 PID 1412 wrote to memory of 2700 1412 Explorer.EXE 29 PID 1412 wrote to memory of 2700 1412 Explorer.EXE 29 PID 1412 wrote to memory of 2700 1412 Explorer.EXE 29 PID 1412 wrote to memory of 2700 1412 Explorer.EXE 29 PID 1412 wrote to memory of 2700 1412 Explorer.EXE 29 PID 2756 wrote to memory of 420 2756 f97a9d44 3 PID 2756 wrote to memory of 420 2756 f97a9d44 3 PID 2756 wrote to memory of 420 2756 f97a9d44 3 PID 2756 wrote to memory of 420 2756 f97a9d44 3 PID 2756 wrote to memory of 420 2756 f97a9d44 3 PID 2944 wrote to memory of 2432 2944 bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe 31 PID 2944 wrote to memory of 2432 2944 bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe 31 PID 2944 wrote to memory of 2432 2944 bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe 31 PID 2944 wrote to memory of 2432 2944 bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe 31 PID 2432 wrote to memory of 1704 2432 cmd.exe 33 PID 2432 wrote to memory of 1704 2432 cmd.exe 33 PID 2432 wrote to memory of 1704 2432 cmd.exe 33 PID 2432 wrote to memory of 1704 2432 cmd.exe 33 PID 2756 wrote to memory of 1608 2756 f97a9d44 37 PID 2756 wrote to memory of 1608 2756 f97a9d44 37 PID 2756 wrote to memory of 1608 2756 f97a9d44 37 PID 2756 wrote to memory of 1608 2756 f97a9d44 37 PID 1608 wrote to memory of 1472 1608 cmd.exe 38 PID 1608 wrote to memory of 1472 1608 cmd.exe 38 PID 1608 wrote to memory of 1472 1608 cmd.exe 38 PID 1608 wrote to memory of 1472 1608 cmd.exe 38
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:420
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Users\Admin\AppData\Local\Temp\bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe"C:\Users\Admin\AppData\Local\Temp\bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe"2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\bc082e85f4f4ea47b3a27d31690c78bdffec1444a5d548b12442f8d73bf524eb.exe"3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\timeout.exetimeout /t 14⤵
- Delays execution with timeout.exe
PID:1704
-
-
-
-
C:\Windows\Help\quser.exe"C:\Windows\Help\quser.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\Syswow64\f97a9d44C:\Windows\Syswow64\f97a9d441⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\f97a9d44"2⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
PID:1472
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
145KB
MD5d2a1752df6431ac0b448cc8f25d0b3d4
SHA187afaeb38c8bec3278830a470f94ef39726fb26c
SHA2569f4665e08fbfb72b2317bafa85b9ed9491f7df32dd9d818ca726d6d2ae2d4f35
SHA5128411240eea9dd8b048da8a8023f87a2e3411ab67e8f2961ca5098b9df7ba27a5d2b31e339bb2d122a18880633dac569bbf3b6061619656a2582fe5fb16293688
-
Filesize
183KB
MD5e00fb9f91bcbbccb56a2455456d2b70a
SHA19ad3517db35b63ac08185f395a34980eea5d0840
SHA25607b1a5e314075499de803a074a431ac7376121412b190c1f2deae5976b55403f
SHA512ea3c303976e0ad18a0071c8d16570153ad03f257cc3f5bc59ac3ca3d680a18e714f9711938aa0ebba45532fa4a2b43863f6d210a7ef67ce95d576dd5153cdd20
-
Filesize
1KB
MD5cc72264f35a380878548f8cc7edbdb2c
SHA188f6b90ae35427fe6432e77dd1dec61514f79fbd
SHA256e33dd193cbe6afc9f891eac357bf2e95640bd70ff7c71489381f5dd8be021e42
SHA5121137c6ee1c4ad15676a61bda8558bb1ddd2768b075f446180f23ca462ad775841ccd45859750b20529a61df13546e5943437ca7df9bd88bf0cc703c741230906
-
Filesize
23KB
MD5b31b93fadfe4a2727f7f136f59e577fd
SHA1dc82e060bda5d7a41aa477e23c31fa969bab82ed
SHA256363d202d3c269dee639dc437b5d190b4ff8ecbb3807b70dfdfe08d7355976fa3
SHA512b336f0d14db9655741ede7eb0b43417dddcbf92316b4c17e0854f16c971a2442e446bc3dd32b28cf35e16b63d50e2b1c09f5a537eb9d1e133159973324a90cee
-
Filesize
399KB
MD51b3fc803e8525cba3bb2a7f682845684
SHA1f159b8af078d2f43d49eb9aa46a851fb90c24609
SHA256efbb9477920d2e6aacd3b4738df3dad9ee42ddafcbe15ca21689451847a9b0ac
SHA5121170e6941412502935be689264e4f735b3c73a4bc7add72a4588f2fad25face032b89d03a59b69db17d35b67d4d62875731a55403fdeaed1cd5023773e8c7c17
-
Filesize
399KB
MD51b3fc803e8525cba3bb2a7f682845684
SHA1f159b8af078d2f43d49eb9aa46a851fb90c24609
SHA256efbb9477920d2e6aacd3b4738df3dad9ee42ddafcbe15ca21689451847a9b0ac
SHA5121170e6941412502935be689264e4f735b3c73a4bc7add72a4588f2fad25face032b89d03a59b69db17d35b67d4d62875731a55403fdeaed1cd5023773e8c7c17
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
23KB
MD5b31b93fadfe4a2727f7f136f59e577fd
SHA1dc82e060bda5d7a41aa477e23c31fa969bab82ed
SHA256363d202d3c269dee639dc437b5d190b4ff8ecbb3807b70dfdfe08d7355976fa3
SHA512b336f0d14db9655741ede7eb0b43417dddcbf92316b4c17e0854f16c971a2442e446bc3dd32b28cf35e16b63d50e2b1c09f5a537eb9d1e133159973324a90cee