bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 08:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
Size

3.1MB
MD5

f407e8b2faee3715b87447b7f794ee32
SHA1

7fb95c5f281b22b967988f4f84d11c8462d6bdd4
SHA256

bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862
SHA512

5ca1810022fbd431bf19f71ea5f5981726f5a01be29cff7fd304583ddc33f1957b86ae8f340f8b89f27d07e308a7572a418db2722c38aab6411df4bfc4c09724
SSDEEP

24576:OQ6n+8aUyQ6n+BUzJbKkKF/eMNPjMeed7SHHHR:OQ6nkQ6nd9KFeMKW

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1228 created 408	1228	Explorer.EXE	3

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\g2HTrW.sys	systray.exe

Deletes itself 1 IoCs

pid	Process
580	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	systray.exe

Loads dropped DLL 1 IoCs

pid	Process
1228	Explorer.EXE

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018ba0-117.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	systray.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	systray.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	systray.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	systray.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	systray.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	systray.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	systray.exe
File created	C:\Windows\system32\ \Windows\System32\viWqz6Lq.sys	systray.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	systray.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	systray.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	systray.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\LdF8Krm.sys	systray.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1080	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	systray.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B57AF12-7DE0-4CDE-9263-868AFBAB6AD4}\WpadDecisionTime = c05dbff7fa03da01	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-33-93-1c-f3-85	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	systray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B57AF12-7DE0-4CDE-9263-868AFBAB6AD4}\WpadDecision = "0"	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	systray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-33-93-1c-f3-85\WpadDecision = "0"	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	systray.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	systray.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B57AF12-7DE0-4CDE-9263-868AFBAB6AD4}\WpadNetworkName = "Network 2"	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	systray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	systray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	systray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	systray.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	systray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-33-93-1c-f3-85\WpadDecisionReason = "1"	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	systray.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B57AF12-7DE0-4CDE-9263-868AFBAB6AD4}\WpadDecisionReason = "1"	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B57AF12-7DE0-4CDE-9263-868AFBAB6AD4}\8a-33-93-1c-f3-85	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	systray.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	systray.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	systray.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	systray.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	systray.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-33-93-1c-f3-85\WpadDecisionTime = c05dbff7fa03da01	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8B57AF12-7DE0-4CDE-9263-868AFBAB6AD4}	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	systray.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	systray.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	systray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	systray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe
2848	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
Token: SeTcbPrivilege	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
Token: SeDebugPrivilege	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
Token: SeDebugPrivilege	1228	Explorer.EXE
Token: SeDebugPrivilege	1228	Explorer.EXE
Token: SeDebugPrivilege	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
Token: SeDebugPrivilege	2848	systray.exe
Token: SeDebugPrivilege	2848	systray.exe
Token: SeDebugPrivilege	2848	systray.exe
Token: SeIncBasePriorityPrivilege	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1228	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	15
PID 1728 wrote to memory of 1228	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	15
PID 1728 wrote to memory of 1228	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	15
PID 1728 wrote to memory of 1228	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	15
PID 1728 wrote to memory of 1228	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	15
PID 1228 wrote to memory of 2848	1228	Explorer.EXE	28
PID 1228 wrote to memory of 2848	1228	Explorer.EXE	28
PID 1228 wrote to memory of 2848	1228	Explorer.EXE	28
PID 1228 wrote to memory of 2848	1228	Explorer.EXE	28
PID 1228 wrote to memory of 2848	1228	Explorer.EXE	28
PID 1228 wrote to memory of 2848	1228	Explorer.EXE	28
PID 1228 wrote to memory of 2848	1228	Explorer.EXE	28
PID 1228 wrote to memory of 2848	1228	Explorer.EXE	28
PID 1728 wrote to memory of 408	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	3
PID 1728 wrote to memory of 408	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	3
PID 1728 wrote to memory of 408	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	3
PID 1728 wrote to memory of 408	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	3
PID 1728 wrote to memory of 408	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	3
PID 1728 wrote to memory of 580	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	29
PID 1728 wrote to memory of 580	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	29
PID 1728 wrote to memory of 580	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	29
PID 1728 wrote to memory of 580	1728	bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe	29
PID 580 wrote to memory of 1080	580	cmd.exe	31
PID 580 wrote to memory of 1080	580	cmd.exe	31
PID 580 wrote to memory of 1080	580	cmd.exe	31
PID 580 wrote to memory of 1080	580	cmd.exe	31

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:408
- C:\ProgramData\Microsoft\systray.exe
  "C:\ProgramData\Microsoft\systray.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe
  "C:\Users\Admin\AppData\Local\Temp\bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe"
  2⤵
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\bdf45688b46b2443bd8a14e567094f0d0d418e02af76935eb07775b5db122862.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\systray.exe

Filesize
9KB

MD5
ebbc1621624257f3dd0cc1c163e8680e

SHA1
b1242ac89a71117a7b6d127702a52126d61fd03b

SHA256
a1f59a921814f143ba40d4665d717f5da9e43f5077dfc0eb2966c7af462997a5

SHA512
5f29cb87f5d63976cbf937ae84949441a32e97f566802a26b371782adeaa908c2fca82d43d4a2904edfe918a2fb39fb26847578b8d47039fb3eadc90a36a9cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6183.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8DB4.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a189cb08.tmp

Filesize
14.1MB

MD5
a30c91265ba1eff0d8d075103a88d055

SHA1
df70b38f5536a4a8b70ef1fdc7d38b7711174ed1

SHA256
70fabe387c240ac3697dfdaed5934f064e1187cd4d5f446d9e8a6e6b519b2664

SHA512
bd4d4309b0f89d1464500a75186898360c497ec53a152a6e03a657c07e0fce59fdf1c060811ecb716a50ada78b63a1f253264cbf35d15cff46159b7226d37f8e

Download Submit
\ProgramData\Microsoft\systray.exe

Filesize
9KB

MD5
ebbc1621624257f3dd0cc1c163e8680e

SHA1
b1242ac89a71117a7b6d127702a52126d61fd03b

SHA256
a1f59a921814f143ba40d4665d717f5da9e43f5077dfc0eb2966c7af462997a5

SHA512
5f29cb87f5d63976cbf937ae84949441a32e97f566802a26b371782adeaa908c2fca82d43d4a2904edfe918a2fb39fb26847578b8d47039fb3eadc90a36a9cb1

Download Submit
memory/408-47-0x0000000000960000-0x0000000000963000-memory.dmp

Filesize
12KB

Download
memory/408-92-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/408-49-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/1228-63-0x0000000006E10000-0x0000000006F09000-memory.dmp

Filesize
996KB

Download
memory/1228-21-0x0000000002C80000-0x0000000002C83000-memory.dmp

Filesize
12KB

Download
memory/1228-22-0x0000000002C80000-0x0000000002C83000-memory.dmp

Filesize
12KB

Download
memory/1228-23-0x0000000006E10000-0x0000000006F09000-memory.dmp

Filesize
996KB

Download
memory/1228-24-0x0000000006E10000-0x0000000006F09000-memory.dmp

Filesize
996KB

Download
memory/1228-20-0x0000000002C80000-0x0000000002C83000-memory.dmp

Filesize
12KB

Download
memory/1728-2-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download
memory/1728-1-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download
memory/1728-3-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download
memory/1728-50-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download
memory/1728-0-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download
memory/1728-77-0x0000000000280000-0x00000000002EC000-memory.dmp

Filesize
432KB

Download
memory/2848-44-0x000007FEBE600000-0x000007FEBE610000-memory.dmp

Filesize
64KB

Download
memory/2848-45-0x0000000001D90000-0x0000000001E5B000-memory.dmp

Filesize
812KB

Download
memory/2848-43-0x0000000001D90000-0x0000000001E5B000-memory.dmp

Filesize
812KB

Download
memory/2848-40-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/2848-36-0x0000000000160000-0x0000000000163000-memory.dmp

Filesize
12KB

Download
memory/2848-91-0x0000000001D90000-0x0000000001E5B000-memory.dmp

Filesize
812KB

Download
memory/2848-30-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2848-102-0x0000000037930000-0x0000000037940000-memory.dmp

Filesize
64KB

Download
memory/2848-104-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2848-105-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2848-106-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2848-107-0x00000000043B0000-0x0000000004575000-memory.dmp

Filesize
1.8MB

Download
memory/2848-108-0x00000000043B0000-0x0000000004575000-memory.dmp

Filesize
1.8MB

Download
memory/2848-109-0x00000000043B0000-0x0000000004575000-memory.dmp

Filesize
1.8MB

Download
memory/2848-110-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2848-111-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2848-112-0x00000000043B0000-0x0000000004575000-memory.dmp

Filesize
1.8MB

Download
memory/2848-28-0x0000000000060000-0x0000000000123000-memory.dmp

Filesize
780KB

Download
memory/2848-120-0x00000000043B0000-0x0000000004575000-memory.dmp

Filesize
1.8MB

Download