37b51c529c4f88f175fec0d639759364d8dc4df55d0ebf775f4b4409546d6255

Analysis

max time kernel
120s
max time network
165s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

App/DirectoryMonitor/DirectoryMonitor.exe
Size

1.9MB
MD5

ae0bc60a12ca3a32afb32cf17f44282a
SHA1

9100660d3e5daaaa810c8161d8ae25f2b0b54209
SHA256

242e6e9e8ef08501d6f97e408b2fff7d7141baced8214250219cad7c8a3b08dc
SHA512

72ed571b2a236415b20bfa6f7c1e4847df525b0f3a729e2f025236f6586254604f3a71dea282c9a9d0b2c8909e27fa67eb558569a362668ae82af8204afbfe56
SSDEEP

12288:4kLywLk29CPs+RkZL+AFncWlBI4g4dxCMDL6rkS:4ZECUXc+pgqCRrkS

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DirectoryMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	DirectoryMonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	DirectoryMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	DirectoryMonitor.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\SystemCertificates\CA\Certificates\091E8EA1B256A312962AF6C140C0FBF079A407B3	DirectoryMonitor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DirectoryMonitor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	DirectoryMonitor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	DirectoryMonitor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DirectoryMonitor.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DirectoryMonitor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\SystemCertificates\CA\Certificates\091E8EA1B256A312962AF6C140C0FBF079A407B3\Blob = 030000000100000014000000091e8ea1b256a312962af6c140c0fbf079a407b3190000000100000010000000bbb14e7405b947a5ae7063c3ee8858a704000000010000001000000090d366640488fcf876bdbd3a19c5fbf10f000000010000003000000012b85ed5575d4cdefb24db1d405f6a317aeceea0c9aebe00b22763a5b77e107ed1244ecb4e5fe050bcec52d3bac2574c1400000001000000140000005af3ed2bfc36c23779b95230ea546fcf55cb2eac18000000010000001000000070d4f0bec2078234214bd651643b02402000000001000000ca020000308202c63082024da003020102021100b3bddff8a7845bbce903a04135b34a45300a06082a8648ce3d040303304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205832301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b30090603550403130245313076301006072a8648ce3d020106052b8104002203620004245c2da22afd1c4ba65d97732731acb2a06962ef65e8a6b0f0ac4b9fff1c0b700fd3982f4dfc0f009b37f074055732972e05ef2a4325a3fb6e342713f64f7e69d302995eeb244792c1249be6b1218fc12481fc68cc1f69ba58f51922f774c616a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604145af3ed2bfc36c23779b95230ea546fcf55cb2eac301f0603551d230418301680147c4296aede4b483bfa92f89e8ccf6d8ba9723795303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78322e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78322e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300a06082a8648ce3d040303036700306402307b74d552138d61fe0dba3f03009df3d79884d9572ebde90f9c5c480421f2cbb360728e97d6124fca44f642c9d37b86a902305ab1b1b4edea609920b13803ca3da026b8ee6e2d4af6c6661f339adb924ad5f52913c6706228ba238ccf3d2fcb82e97f	DirectoryMonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	DirectoryMonitor.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02401800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	DirectoryMonitor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	DirectoryMonitor.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	DirectoryMonitor.exe
Token: SeSecurityPrivilege	1672	auditpol.exe
Token: SeSecurityPrivilege	2752	auditpol.exe
Token: SeSecurityPrivilege	2004	auditpol.exe
Token: SeSecurityPrivilege	2248	auditpol.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2012	DirectoryMonitor.exe
2012	DirectoryMonitor.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2012	DirectoryMonitor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2012	DirectoryMonitor.exe
2012	DirectoryMonitor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1672	2012	DirectoryMonitor.exe	28
PID 2012 wrote to memory of 1672	2012	DirectoryMonitor.exe	28
PID 2012 wrote to memory of 1672	2012	DirectoryMonitor.exe	28
PID 2012 wrote to memory of 2752	2012	DirectoryMonitor.exe	30
PID 2012 wrote to memory of 2752	2012	DirectoryMonitor.exe	30
PID 2012 wrote to memory of 2752	2012	DirectoryMonitor.exe	30
PID 2012 wrote to memory of 2004	2012	DirectoryMonitor.exe	32
PID 2012 wrote to memory of 2004	2012	DirectoryMonitor.exe	32
PID 2012 wrote to memory of 2004	2012	DirectoryMonitor.exe	32
PID 2012 wrote to memory of 2248	2012	DirectoryMonitor.exe	34
PID 2012 wrote to memory of 2248	2012	DirectoryMonitor.exe	34
PID 2012 wrote to memory of 2248	2012	DirectoryMonitor.exe	34

C:\Users\Admin\AppData\Local\Temp\App\DirectoryMonitor\DirectoryMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\App\DirectoryMonitor\DirectoryMonitor.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\auditpol.exe
  "auditpol.exe" /get /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\system32\auditpol.exe
  "auditpol.exe" /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:disable
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\system32\auditpol.exe
  "auditpol.exe" /get /subcategory:"{0CCE9223-69AE-11D9-BED3-505054503030}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\system32\auditpol.exe
  "auditpol.exe" /set /subcategory:"{0CCE9223-69AE-11D9-BED3-505054503030}" /success:disable
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DirectoryMonitor\Admin\ExternalPluginSettings.xml

Filesize
178B

MD5
14f709eb94bfa215bbafde7401e15a7d

SHA1
154c7ce46d4d0de69b20ffbf934addc5957006f5

SHA256
9502e9e22c93b8291c9764d98c993753844b2d756b20f23e813575a3c225c8f7

SHA512
15ad946047e86d6efe184bc1c3940f9f9be47531ca02d4c033138211f0065217dc8ed3926378797d59505e24e7fdbde29b79c56fd322121d901cddf7c3466ea2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e48ccd7becc857090f9a23cbf360122a

SHA1
7131ce4db7cf3a9abbad0e8c1d97d8b6fec9fcb2

SHA256
e38bd56acc9960f1d211d20ec2a7765cfc05b29844f4db337a938786248b689e

SHA512
3688cee481d8546d09b1f7864ce4d0fe9897f864536659b2f81dacffe005ae5c7de2ebddc4c9f109eaec0516456f67950e89112435f5b893815a81ed3f381c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA89.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDB18.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/2012-0-0x0000000000880000-0x0000000000A6C000-memory.dmp

Filesize
1.9MB

Download
memory/2012-2-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-1-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/2012-3-0x0000000000380000-0x0000000000394000-memory.dmp

Filesize
80KB

Download
memory/2012-4-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download
memory/2012-5-0x00000000006E0000-0x0000000000730000-memory.dmp

Filesize
320KB

Download
memory/2012-6-0x00000000023E0000-0x000000000244E000-memory.dmp

Filesize
440KB

Download
memory/2012-7-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2012-8-0x0000000002300000-0x0000000002360000-memory.dmp

Filesize
384KB

Download
memory/2012-9-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/2012-10-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/2012-11-0x000000001AF70000-0x000000001AFD0000-memory.dmp

Filesize
384KB

Download
memory/2012-12-0x0000000002450000-0x0000000002475000-memory.dmp

Filesize
148KB

Download
memory/2012-17-0x000000001B6D0000-0x000000001B7AA000-memory.dmp

Filesize
872KB

Download
memory/2012-18-0x000000001C920000-0x000000001C9AA000-memory.dmp

Filesize
552KB

Download
memory/2012-20-0x000000001AD00000-0x000000001AD20000-memory.dmp

Filesize
128KB

Download
memory/2012-19-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download
memory/2012-22-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download
memory/2012-25-0x000000001CEE0000-0x000000001CFC4000-memory.dmp

Filesize
912KB

Download
memory/2012-28-0x000000001B020000-0x000000001B02A000-memory.dmp

Filesize
40KB

Download
memory/2012-29-0x000000001C530000-0x000000001C550000-memory.dmp

Filesize
128KB

Download
memory/2012-30-0x000000001C530000-0x000000001C550000-memory.dmp

Filesize
128KB

Download
memory/2012-31-0x000000001C550000-0x000000001C588000-memory.dmp

Filesize
224KB

Download
memory/2012-32-0x000000001C550000-0x000000001C588000-memory.dmp

Filesize
224KB

Download
memory/2012-33-0x000000001C5C0000-0x000000001C5D8000-memory.dmp

Filesize
96KB

Download
memory/2012-34-0x000000001C5C0000-0x000000001C5D8000-memory.dmp

Filesize
96KB

Download
memory/2012-35-0x000000001C740000-0x000000001C75E000-memory.dmp

Filesize
120KB

Download
memory/2012-36-0x000000001C740000-0x000000001C75E000-memory.dmp

Filesize
120KB

Download
memory/2012-37-0x000000001CA10000-0x000000001CA2C000-memory.dmp

Filesize
112KB

Download
memory/2012-38-0x000000001CA10000-0x000000001CA2C000-memory.dmp

Filesize
112KB

Download
memory/2012-39-0x000000001D0E0000-0x000000001D0F8000-memory.dmp

Filesize
96KB

Download
memory/2012-42-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-41-0x0000000020710000-0x0000000020726000-memory.dmp

Filesize
88KB

Download
memory/2012-40-0x000000001D0E0000-0x000000001D0F8000-memory.dmp

Filesize
96KB

Download
memory/2012-43-0x0000000020710000-0x0000000020726000-memory.dmp

Filesize
88KB

Download
memory/2012-44-0x0000000020730000-0x0000000020744000-memory.dmp

Filesize
80KB

Download
memory/2012-45-0x0000000020730000-0x0000000020744000-memory.dmp

Filesize
80KB

Download
memory/2012-46-0x0000000020750000-0x000000002076A000-memory.dmp

Filesize
104KB

Download
memory/2012-47-0x0000000020750000-0x000000002076A000-memory.dmp

Filesize
104KB

Download
memory/2012-48-0x0000000020770000-0x0000000020792000-memory.dmp

Filesize
136KB

Download
memory/2012-49-0x0000000020770000-0x0000000020792000-memory.dmp

Filesize
136KB

Download
memory/2012-50-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download
memory/2012-51-0x0000000020800000-0x0000000020826000-memory.dmp

Filesize
152KB

Download
memory/2012-52-0x000000001DB30000-0x000000001DBB4000-memory.dmp

Filesize
528KB

Download
memory/2012-53-0x000000001B950000-0x000000001B964000-memory.dmp

Filesize
80KB

Download
memory/2012-54-0x000000001DBC0000-0x000000001DC08000-memory.dmp

Filesize
288KB

Download
memory/2012-55-0x000000001DC10000-0x000000001DC2C000-memory.dmp

Filesize
112KB

Download
memory/2012-56-0x000000001CDD0000-0x000000001CDE0000-memory.dmp

Filesize
64KB

Download
memory/2012-57-0x000000001DC30000-0x000000001DC40000-memory.dmp

Filesize
64KB

Download
memory/2012-58-0x000000001DC40000-0x000000001DC4C000-memory.dmp

Filesize
48KB

Download
memory/2012-59-0x000000001DC50000-0x000000001DC5C000-memory.dmp

Filesize
48KB

Download
memory/2012-60-0x000000001DC60000-0x000000001DC72000-memory.dmp

Filesize
72KB

Download
memory/2012-61-0x000000001DC70000-0x000000001DC8E000-memory.dmp

Filesize
120KB

Download
memory/2012-65-0x00000000208C0000-0x0000000020920000-memory.dmp

Filesize
384KB

Download
memory/2012-76-0x0000000020A80000-0x0000000020AD6000-memory.dmp

Filesize
344KB

Download
memory/2012-75-0x000000001FEB0000-0x000000001FEBE000-memory.dmp

Filesize
56KB

Download
memory/2012-78-0x0000000021AF0000-0x0000000022296000-memory.dmp

Filesize
7.6MB

Download
memory/2012-80-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download
memory/2012-81-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download
memory/2012-83-0x000000001CB00000-0x000000001CB26000-memory.dmp

Filesize
152KB

Download
memory/2012-84-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download
memory/2012-93-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download
memory/2012-94-0x0000000022F30000-0x0000000022F5A000-memory.dmp

Filesize
168KB

Download
memory/2012-96-0x00000000007D0000-0x0000000000850000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads