aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe
Size

399KB
MD5

e6af8a2f7bbfc7f691538347580e7edf
SHA1

1317f20d71068d003978fbfc74507b30126f50de
SHA256

aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44
SHA512

3b992aa441a59248f4b26c49f0c5e1591090de3d22f31addcb179c2cc2f2b0e7a01130f0741b777b04116909697d122a515b1b6557032a1a35bdb960821f4159
SSDEEP

6144:cKiYJL+K7EQ5vrt5AVfL8haEK4sDzLPFZcEOkCybEaQRXr9HNdvOa:wqEU0Vf4ha0sDzDOkx2LIa

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\5oUt04y3.sys	choice.exe

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2088	dfe6ca2b
2572	choice.exe

Loads dropped DLL 1 IoCs

pid	Process
1400	Explorer.EXE

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\system32\ \Windows\System32\J2CDfSvwC.sys	choice.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	dfe6ca2b
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	dfe6ca2b
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	dfe6ca2b
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	dfe6ca2b
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	dfe6ca2b
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	dfe6ca2b
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	dfe6ca2b
File created	C:\Windows\Syswow64\dfe6ca2b	aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	dfe6ca2b
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	dfe6ca2b
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	dfe6ca2b
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	dfe6ca2b

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Help\choice.exe	Explorer.EXE
File opened for modification	C:\Windows\Help\choice.exe	Explorer.EXE
File created	C:\Windows\Y5zHRXvx.sys	choice.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE
File opened for modification	C:\Windows\23bf50	dfe6ca2b

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2848	timeout.exe
1516	timeout.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\Desktop\WindowMetrics\Shell Icon Size = "31"	choice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\Desktop\WindowMetrics\Shell Icon Size = "32"	choice.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dfe6ca2b
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	dfe6ca2b
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	dfe6ca2b
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	dfe6ca2b
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dfe6ca2b
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dfe6ca2b
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	dfe6ca2b
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	dfe6ca2b
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	dfe6ca2b
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	dfe6ca2b
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	dfe6ca2b

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	dfe6ca2b
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dfe6ca2b
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dfe6ca2b
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	dfe6ca2b
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	choice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	choice.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2088	dfe6ca2b
2088	dfe6ca2b
2088	dfe6ca2b
2088	dfe6ca2b
2088	dfe6ca2b
2088	dfe6ca2b
1400	Explorer.EXE
1400	Explorer.EXE
1400	Explorer.EXE
2088	dfe6ca2b

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1400	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe
Token: SeTcbPrivilege	2988	aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe
Token: SeDebugPrivilege	2088	dfe6ca2b
Token: SeTcbPrivilege	2088	dfe6ca2b
Token: SeDebugPrivilege	2088	dfe6ca2b
Token: SeDebugPrivilege	1400	Explorer.EXE
Token: SeDebugPrivilege	1400	Explorer.EXE
Token: SeIncBasePriorityPrivilege	2988	aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe
Token: SeDebugPrivilege	2088	dfe6ca2b
Token: SeDebugPrivilege	2572	choice.exe
Token: SeDebugPrivilege	2572	choice.exe
Token: SeDebugPrivilege	2572	choice.exe
Token: SeIncBasePriorityPrivilege	2088	dfe6ca2b
Token: SeShutdownPrivilege	1400	Explorer.EXE
Token: SeShutdownPrivilege	1400	Explorer.EXE
Token: SeShutdownPrivilege	1400	Explorer.EXE
Token: SeShutdownPrivilege	1400	Explorer.EXE
Token: SeShutdownPrivilege	1400	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1400	Explorer.EXE
1400	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1400	Explorer.EXE
1400	Explorer.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1400	2088	dfe6ca2b	14
PID 2088 wrote to memory of 1400	2088	dfe6ca2b	14
PID 2088 wrote to memory of 1400	2088	dfe6ca2b	14
PID 2088 wrote to memory of 1400	2088	dfe6ca2b	14
PID 2088 wrote to memory of 1400	2088	dfe6ca2b	14
PID 1400 wrote to memory of 2572	1400	Explorer.EXE	29
PID 1400 wrote to memory of 2572	1400	Explorer.EXE	29
PID 1400 wrote to memory of 2572	1400	Explorer.EXE	29
PID 1400 wrote to memory of 2572	1400	Explorer.EXE	29
PID 1400 wrote to memory of 2572	1400	Explorer.EXE	29
PID 1400 wrote to memory of 2572	1400	Explorer.EXE	29
PID 1400 wrote to memory of 2572	1400	Explorer.EXE	29
PID 1400 wrote to memory of 2572	1400	Explorer.EXE	29
PID 2088 wrote to memory of 420	2088	dfe6ca2b	3
PID 2088 wrote to memory of 420	2088	dfe6ca2b	3
PID 2088 wrote to memory of 420	2088	dfe6ca2b	3
PID 2088 wrote to memory of 420	2088	dfe6ca2b	3
PID 2088 wrote to memory of 420	2088	dfe6ca2b	3
PID 2988 wrote to memory of 2880	2988	aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe	32
PID 2988 wrote to memory of 2880	2988	aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe	32
PID 2988 wrote to memory of 2880	2988	aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe	32
PID 2988 wrote to memory of 2880	2988	aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe	32
PID 2880 wrote to memory of 2848	2880	cmd.exe	33
PID 2880 wrote to memory of 2848	2880	cmd.exe	33
PID 2880 wrote to memory of 2848	2880	cmd.exe	33
PID 2880 wrote to memory of 2848	2880	cmd.exe	33
PID 2088 wrote to memory of 3068	2088	dfe6ca2b	35
PID 2088 wrote to memory of 3068	2088	dfe6ca2b	35
PID 2088 wrote to memory of 3068	2088	dfe6ca2b	35
PID 2088 wrote to memory of 3068	2088	dfe6ca2b	35
PID 3068 wrote to memory of 1516	3068	cmd.exe	37
PID 3068 wrote to memory of 1516	3068	cmd.exe	37
PID 3068 wrote to memory of 1516	3068	cmd.exe	37
PID 3068 wrote to memory of 1516	3068	cmd.exe	37

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe
  "C:\Users\Admin\AppData\Local\Temp\aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\aa17b69f40915e8e0778bf49c69f04fca5fce4d2dfb32dd50cd323ad371b4a44.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:2848
- C:\Windows\Help\choice.exe
  "C:\Windows\Help\choice.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2572

C:\Windows\Syswow64\dfe6ca2b
C:\Windows\Syswow64\dfe6ca2b
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\dfe6ca2b"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IcoD673.exe

Filesize
145KB

MD5
d2a1752df6431ac0b448cc8f25d0b3d4

SHA1
87afaeb38c8bec3278830a470f94ef39726fb26c

SHA256
9f4665e08fbfb72b2317bafa85b9ed9491f7df32dd9d818ca726d6d2ae2d4f35

SHA512
8411240eea9dd8b048da8a8023f87a2e3411ab67e8f2961ca5098b9df7ba27a5d2b31e339bb2d122a18880633dac569bbf3b6061619656a2582fe5fb16293688

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcoD868.tmp

Filesize
183KB

MD5
e00fb9f91bcbbccb56a2455456d2b70a

SHA1
9ad3517db35b63ac08185f395a34980eea5d0840

SHA256
07b1a5e314075499de803a074a431ac7376121412b190c1f2deae5976b55403f

SHA512
ea3c303976e0ad18a0071c8d16570153ad03f257cc3f5bc59ac3ca3d680a18e714f9711938aa0ebba45532fa4a2b43863f6d210a7ef67ce95d576dd5153cdd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBCFA.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\Desktop\Íæ´«ÆæÇëµãÎÒ.lnk

Filesize
1KB

MD5
0b95fd58054b55ca1df99d5e0bbc2158

SHA1
bbc747b503fa14e7b02a2ccce5f9fb3fefc988b5

SHA256
64f46243ab07f8af732bd3acb919d9372bcd204d50dfbda44b0949fcbc74501b

SHA512
5de3770fd81bccef09bac8198af72d12dd513938de28ef6f2582309d63139ee929012450cc97ef2128c29a495dc0727daaa4612c2ab889cdaf1e5c3e7f972e1d

Download Submit
C:\Windows\Help\choice.exe

Filesize
36KB

MD5
bd3e64a49311e558c08f4f04b53f82d8

SHA1
0edcc10670d29e5ca59702facef13d8f3376afc5

SHA256
5af7d20da70ccb712c0e441e83f01be0633f6f804289bff1b3ceb5f853f0dc80

SHA512
0f68c67b6ed46ce39d8a9e71e4688c517fa2d852db73666a20cbb12f7202a4083d03007b31d4bb3e4b2877964673a4651fd89752d1d0605a3a6beaefcec94f20

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\SysWOW64\dfe6ca2b

Filesize
399KB

MD5
e649f3fdc9bea2b76585445c7c5d80f6

SHA1
974f2896ea70dd5aca8005b405bae256a12f0ab8

SHA256
60ad3fffd2bfc2a46122ed14ba0b10f7f496af53203e1e78b7df9ee290bbafe4

SHA512
a9f24aae2bd02806706ea86113a7af7a6d672e10b47679b1299980362da9dd9ae43b0b3ebed9b497055b4f2a6b49b78c0238bfb6276efc7ffd4b4df188e45d46

Download Submit
C:\Windows\Syswow64\dfe6ca2b

Filesize
399KB

MD5
e649f3fdc9bea2b76585445c7c5d80f6

SHA1
974f2896ea70dd5aca8005b405bae256a12f0ab8

SHA256
60ad3fffd2bfc2a46122ed14ba0b10f7f496af53203e1e78b7df9ee290bbafe4

SHA512
a9f24aae2bd02806706ea86113a7af7a6d672e10b47679b1299980362da9dd9ae43b0b3ebed9b497055b4f2a6b49b78c0238bfb6276efc7ffd4b4df188e45d46

Download Submit
\Windows\Help\choice.exe

Filesize
36KB

MD5
bd3e64a49311e558c08f4f04b53f82d8

SHA1
0edcc10670d29e5ca59702facef13d8f3376afc5

SHA256
5af7d20da70ccb712c0e441e83f01be0633f6f804289bff1b3ceb5f853f0dc80

SHA512
0f68c67b6ed46ce39d8a9e71e4688c517fa2d852db73666a20cbb12f7202a4083d03007b31d4bb3e4b2877964673a4651fd89752d1d0605a3a6beaefcec94f20

Download Submit
memory/420-46-0x00000000008E0000-0x00000000008E3000-memory.dmp

Filesize
12KB

Download
memory/420-48-0x0000000000990000-0x00000000009B8000-memory.dmp

Filesize
160KB

Download
memory/1400-24-0x0000000004E90000-0x0000000004F87000-memory.dmp

Filesize
988KB

Download
memory/1400-23-0x0000000002570000-0x0000000002573000-memory.dmp

Filesize
12KB

Download
memory/1400-21-0x0000000002570000-0x0000000002573000-memory.dmp

Filesize
12KB

Download
memory/1400-19-0x0000000002570000-0x0000000002573000-memory.dmp

Filesize
12KB

Download
memory/1400-78-0x0000000004E90000-0x0000000004F87000-memory.dmp

Filesize
988KB

Download
memory/2572-35-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2572-110-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2572-43-0x00000000003E0000-0x00000000004AB000-memory.dmp

Filesize
812KB

Download
memory/2572-40-0x00000000003E0000-0x00000000004AB000-memory.dmp

Filesize
812KB

Download
memory/2572-95-0x00000000003E0000-0x00000000004AB000-memory.dmp

Filesize
812KB

Download
memory/2572-105-0x00000000003E0000-0x00000000004AB000-memory.dmp

Filesize
812KB

Download
memory/2572-106-0x0000000037980000-0x0000000037990000-memory.dmp

Filesize
64KB

Download
memory/2572-108-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2572-109-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2572-44-0x000007FEBF8C0000-0x000007FEBF8D0000-memory.dmp

Filesize
64KB

Download
memory/2572-111-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2572-112-0x00000000030C0000-0x0000000003177000-memory.dmp

Filesize
732KB

Download
memory/2572-113-0x00000000030C0000-0x0000000003177000-memory.dmp

Filesize
732KB

Download
memory/2572-39-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/2572-29-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2572-28-0x0000000000170000-0x0000000000233000-memory.dmp

Filesize
780KB

Download
memory/2572-123-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2572-124-0x00000000030C0000-0x0000000003177000-memory.dmp

Filesize
732KB

Download