0be679f2ad2cab573d4eadff74a6aaeeb9916010d90025f099d00eaa0c46ff40

Analysis

max time kernel
120s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader_Guard.exe
Size

1.3MB
MD5

263afcc667cf61792e5ad64481c4a5a8
SHA1

1aae1c22d71c28a1437e8fff7f41ef25c2783b22
SHA256

0be679f2ad2cab573d4eadff74a6aaeeb9916010d90025f099d00eaa0c46ff40
SHA512

d40de8d7a2e92fa4b5ed73d89c1818f9186757a41a3a15572622d679c503568aa14b084b82ae08f69078fcc62d88f7a1a8056183a4b97a6fd7a1f6f8ae44f88c
SSDEEP

24576:yGQtTYlhSOfKH1NLgQy2apQR/Yesl8d944HcmM0R7Di4j1a7+iW+:yGtlsOecQy2lFYTl8dNc4K4UiiF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
796	2968	WerFault.exe	13

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8263091-6CE8-11EE-9745-4249527DEDD7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103858b0f500da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403707649"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac2000000000200000000001066000000010000200000004408f7dbbb1eeee4f5afc4e1526aa33d973ac2c36fbb0080b882e7ffae2a957f000000000e80000000020000200000008a8c36935777904660b069cea2e3ea499f05a560e61059b0b32288d71abbe9e6900000002afe03a9b2c9e841feac1e9632662140a65d1e25defb8508886fba6e7cd72a5f913ec1d57e3dd5396cb6f5ca6b65f6b99e7d8016e4f421c107e06c918400c14ca45864a50a34172c088cdb5bf3661f3f32dd38418fecd596c803ab8b8c37f57c7f854a294599b2fb0dc7115974395a4be6ba71dc0ef511c48d126f2c49f2ac944cbbecc64e6b944e25199ccf4e21e05640000000f40b7e941c2050c5a58f3d19e3a017fb7d4e5b9df46626a7ffca40e0b8cf57caf70c3a5aac553b4ef26cd1f0aefbf29bc4422af4cc5632d51770f71adde1b3b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000a38d0452324f70fd0f3bcaf62a60555944b7b2eec86505b24294e425b3da18e9000000000e80000000020000200000001d5f66ff0b0e4c36794061d1e582643652119cb9194bea707ca8aec2ebc637ed20000000e32be3c6b2f212eddf0593c2dd754a3fc330fa757c619f5269db647ada7560724000000067d81764defd57baaf96bd644818c168f9d9f33377ead16b120fe101ce3f57631b4351c8aa3649cbcfb8272f929d1010b327c3fa9c3b0b44ccb063b6439112d5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Loader_Guard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Loader_Guard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Loader_Guard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Loader_Guard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Loader_Guard.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Loader_Guard.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	Loader_Guard.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2476	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2476	iexplore.exe
2476	iexplore.exe
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2476	2968	Loader_Guard.exe	28
PID 2968 wrote to memory of 2476	2968	Loader_Guard.exe	28
PID 2968 wrote to memory of 2476	2968	Loader_Guard.exe	28
PID 2968 wrote to memory of 2476	2968	Loader_Guard.exe	28
PID 2476 wrote to memory of 2744	2476	iexplore.exe	30
PID 2476 wrote to memory of 2744	2476	iexplore.exe	30
PID 2476 wrote to memory of 2744	2476	iexplore.exe	30
PID 2476 wrote to memory of 2744	2476	iexplore.exe	30
PID 2968 wrote to memory of 796	2968	Loader_Guard.exe	32
PID 2968 wrote to memory of 796	2968	Loader_Guard.exe	32
PID 2968 wrote to memory of 796	2968	Loader_Guard.exe	32
PID 2968 wrote to memory of 796	2968	Loader_Guard.exe	32

C:\Users\Admin\AppData\Local\Temp\Loader_Guard.exe
"C:\Users\Admin\AppData\Local\Temp\Loader_Guard.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://blammed.pro/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1676
  2⤵
  - Program crash
  PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62cb6e5a8d7048385bcb362991edd78a

SHA1
7ad4e8690536007aab05742506ab7ef8673f40c7

SHA256
4f0ecf473975f9277b034d596bd5eaed8d0c98d8af1469982b9ca3054c58d95f

SHA512
e928d669f1693dd86430a4c58c3d8c90c9438e3cbfebf4a86cf3ffa312c7cbfbf6492c5130141226aae31dc6bd31edee0b3ac289fad76f66c753f142d0e45dd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21c1ea7ea5b76100851aa2e50dbc37da

SHA1
691468c19a3f1b880b1de5dab457cec75bd08f75

SHA256
478629a49b2fa0ca90c611d8caa3f893d08f5415f5b168121baf0f8e269ff5ad

SHA512
b43217dc8cc889b481014e5d4ee5902d1fd01e9f3335acf1971db93822dd2f1cf1cdfccfa8ee34ee32287089e01712bd36ced6c2ccd89ff1ffd327b980022787

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c971d83f98fdf2d4f04d339a86662704

SHA1
05c313d06c333a49942b91360b9436f04688f095

SHA256
e5287bb8ac291396a1caae910a4713137127cbdfbabbae2c0350232897e45952

SHA512
fb092b4e51c1720d4d463bb48575d61f2e7b7b93c2729b151f6a5ab16a7ec1d26d0c639ec8a06aafa57ce56409972b2170f779a4d64a73e0543f9a1658df4144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b6a963a9abeeb0c76bf02618f7e700c

SHA1
54317ba14e94a1b944ef01b44a0eb7ae3fc34d2f

SHA256
67492bea00e3a44a7c7a1e382f9ca33c6685676007023d77d763433268620b42

SHA512
de9beaff5f2d09a25ecb9125e1c5cb658e5a94281e68059e656cc9d0b04114aeaed4834bc284ee4d81713ec9da91cbb5b8085cc2abf5226aecb1d808351f128d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99d8d6efb5f4d072dd179ec02c7f2a0d

SHA1
26f6e4cbe458a57d5af921295cd77f6a593f2abd

SHA256
0085834019875a935441281bc3861035754b19f3f8e47f9932b8532d8c96f024

SHA512
668107ab7d78dde0a0bdf27187d4f10cb635e2e3fb6a373ad767df4b9cc62085fd66d389096d6a056962efb7e5532d40b7545b1b7df9cc1a2dd82c4ae362eb6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33b6f7ccde6f4493aad07b5320bb9ad9

SHA1
d932a4bb719f03dd5f250d2f5741100a9f9ed9d7

SHA256
0beb7bf822a309e0ccd6f4ca12740b1399b405feaaf0474d2892d70b4a670b5e

SHA512
9f1b4fc80a246e50c24c82c636b04614db62e9b67ea4693aa3fa5d800d0fbf6c7390d09de1cfeac8b523b057eadc73e2b16ddf3a0d59b4f0d29fc7732a21569b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
793e665c62c876b94e3f98bf74397839

SHA1
381662d6704f62309131e6cf1176ffdff0d3d506

SHA256
ca06323000cda2195f685c3b930d0ef095958ffb894197418e6ca8da2637b057

SHA512
9f387e96925ccc8c7475b51f63de49a161fdaea3b633f0e552a500922e1deb09f0e90eed05591ce145bde4821281724dd309f41749bc42ea93b00d0304014eb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f34718ea1af487f925fb4526ba4b178

SHA1
8290086d85b191177e7576b2c4fd6983bc8feb0a

SHA256
84ec4960324643783d6d0cdb409f272778511700e0639ad5ba54c729dc8ed2f3

SHA512
3340c589ae68d76ae0931852b47d5956295f53f02a7b2d28eddf908c41ae75bba2da006807cd21096a89e93d4aff8352d67bfddde6de4512a41305c0febadd77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f36c79e455639ad7866bc78cf203fcb

SHA1
5c489b15e07b1da6268d8b7945e46d10c44debcc

SHA256
eb2601aa120a4bd6a89b73ee37c513d4b75dac5708cc610397b567fea1127dbb

SHA512
539285e821fa8696a0124710b190973309d559b73e3363c612ecd9aa54eb5d1b63ef980bf18cc7485728dac64a35075c68fab6cbb61897c9136208b75694e9b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecadaa49b71568041dccd731efff354a

SHA1
16ef471df173c89c88a3fb5bc203ba46d28f2e55

SHA256
3d326a4a6a9fd6892eb43fb69f9d4504527bb420556aacae99e3da1c6c072adc

SHA512
474dd73b687d427ba9728a9300aff46a957733d17b95ba30e07fdf4ac49ac320e5e87237a6669f07a8b13186c905eca235da0c38a80e4eb3a75788c0f85feff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5367d7052c8786bcabdff28a0f3fa8d

SHA1
ce3d152e2670b057ec9f7fffb3d25cdf52a17245

SHA256
501ff72b3646f5f16bffe2589ff040bff80532e26e4a6727ffa53fc8980216c5

SHA512
e2f2b61dca595167929bf2619f608bf8a571331ab1ef7ffbf8319861913e52a75c528dbe631875049eb109f24ed98ea9e27196bab963df4e5dba76ce1ca036e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df8ff708313871c5da6c7d3cc7562871

SHA1
5164163ef9bec534e16fc2a6776aa706bdb1a5f9

SHA256
fc2bc636b9cd5143324c172e08cd3d0687d06a831dda8c0787b8c13c6283a097

SHA512
ac520d1d3fc20650e39523ee3d9d3dfb3ab6dc778c617d495e6ac6599e3b1931e7adab91ba6be9c909870b94b46f83c1bb64ea196a046f893403bac38422c658

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d21c2e00185704e25fdb9e53305a2da3

SHA1
865912022cc8445cbfb60abf0c5134e581d9e472

SHA256
6e7478b578e8b05264cbe76f609d12d4974007ab9310d391a1984a172f1638a8

SHA512
636bec6cd26e0110f80a12688ad4b2ffc00b11fe42d31609d4c4835c15f7ce1b6a11f9371340db556b6856ef2bde515d71a2f2eb93cc4a02383d14c54ce25dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b14d54aa3160710d04f0c97f605b7719

SHA1
5173cff6208befea93f6e2d4b66684907f84095d

SHA256
41403a07d2d5571f236384680a4a7b2bb9005eda499da14821d8ccef5c81eac2

SHA512
4dea48b71fa098c68ab4a9e3cbbe79269206e4c7fb8a032152da6bc34351360fd2d4180439ad19776a5db6f4d2126ff524a93f5bb9037ccadd6b6bc234dab757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
025e7cb6f8dea54650026e3695c67cc3

SHA1
867b5ac88a16b93efdfda66c1c91b4b566b0ba8e

SHA256
28e5a227f54d5647ea9839c6d1dcdf4343bb3756307515d5b33a4a0d95dd43f6

SHA512
2bb787219db1ab4913e6e14ebcd4d87830c7250ec0396392048d783005fb50548525f94926bdc54d37d0fc9dc87336d210c49f22b709820f6850f4de795f72c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bab4c9939b998d002de8bdb5da9eda4f

SHA1
11ca7b91541b9a7e660003e24897547433306647

SHA256
2a12eff1b3bd049e70f1e72f1bceba6de7ea936ed69e8ae4cfbe84917e4b0d2c

SHA512
a6c0ae88746c7b51e023e2f100a42075ef32b2ab4ad1d43a7c09149d67e0cd89270cb17fb51bd188c9ed110032da7211c51822487047003dd5a63b566a498531

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c170f6dd0703d984b0cebd437769a36e

SHA1
26039174a0df85f84f8edb8511980088d2d21b90

SHA256
b4512a259f5e104f930bd1bb56b064d2024d22067295b2fc1e83b18b3da98f62

SHA512
7d6703d9948f4c6430123c2cc4bc5138e7695dd538d7b991fe5d69f495a19aadde65b26a62b3bff934f76fd8bc2b2065dcf53e22298f15d5775795dc93218204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2fc4b7bf30201fd944ed1c640c90a882

SHA1
706f040b4f64b340128a341559f4761d821aefd5

SHA256
29196912dd5b66afbff9a79478537e80a1fa8d83cb9e71aa0df8234c20108661

SHA512
6e26f1e8d778fd9972b6dfbbffa52a3c58d8447b214730962f69291cd95a529ab42c7350c7596d9b6146281f6bf4fbb79ff8cfab258b06cb0afd5f7e18d65637

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5a6657f521b39a74b6eb1f090c2243f

SHA1
ccf96427f79ed983e346d10f1b1e600b40939638

SHA256
af797da4f909dd424eadfdbe18685f8ce620ccfbeb77ac150040f3e8bc5bf670

SHA512
d853fba4a383391b5dce9de10db6b704fa545952fb342ade026cbe70af00f30243539214acb8e202ae27b62d99caf85f347f17b75e93643da3c2c20b004ef1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9926.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar99D4.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/2968-0-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-1-0x00000000012A0000-0x00000000013F0000-memory.dmp

Filesize
1.3MB

Download
memory/2968-2-0x00000000011E0000-0x0000000001220000-memory.dmp

Filesize
256KB

Download
memory/2968-83-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-337-0x00000000011E0000-0x0000000001220000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads