94e3a8f25dbff86ee6fe11ee045b70055357c08ae1723598a361c96eac5e2c24

Analysis

max time kernel
119s
max time network
132s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
08-11-2023 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rootkits/9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe
Size

3.2MB
MD5

c52ce9d8ecf3e5a3f1518178e468abdb
SHA1

dcc2392a9c0cbf84c0fea37f4b4bd1bbde5d4cd9
SHA256

9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99
SHA512

1b74eed1c9bb6b261f8b9015459790f3e91bbb44ce3e74a8a974d36d23da233f0b3ce5283413c1da1e97faa1b4c7ccad6dc794fe610adf80d1961f15b383c82f
SSDEEP

49152:io6sSyg5sHNh7vo2/BPFZqMQj0HcvnafOdYCig65Mkk3pUcqtmmCgKau2FYOjRnc:DZxnKzdYcZT2YOjRN

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

description ioc process

File created C:\Windows\system32\drivers\5a08a432.sys 9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

description	ioc	process
File created	C:\Windows\system32\drivers\5a08a432.sys	9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\79faa788\ImagePath = "System32\\drivers\\1824e823.sys"	9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

Drops file in Windows directory 1 IoCs

Processes:

9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

description ioc process

File created C:\Windows\addins\modulConfing.config 9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

description	ioc	process
File created	C:\Windows\addins\modulConfing.config	9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\5109E6ACAE9C8E8D179D33E8C8EDB9D7D683FB7A	9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5109E6ACAE9C8E8D179D33E8C8EDB9D7D683FB7A\Blob = 0400000001000000100000004a1c6d751c964228ba242b4cc46356210f00000001000000200000003c86137be355895932e715b453c1d27181eb66fd7441fcb62235c70b1c385618140000000100000014000000ee401f3c4b918bb6cf3c1a5467fa7a102bd43f58190000000100000010000000f0ef2311884c7951ee1a68e67dd897cc0300000001000000140000005109e6acae9c8e8d179d33e8c8edb9d7d683fb7a5c00000001000000040000000008000020000000010000000904000030820405308202eda00302010202142de7737311652476e9e1ebb97f0f37c52c07efb0300d06092a864886f70d01010b0500308191310b300906035504061302434e310b300906035504080c02484b310b300906035504070c02484e31153013060355040a0c0c4861696e616e576562706f7831153013060355040b0c0c4861696e616e576562706f783115301306035504030c0c4861696e616e576562706f783123302106092a864886f70d01090116144861696e616e576562706f78403136332e636f6d301e170d3230313033313037353633345a170d3235313033303037353633345a308191310b300906035504061302434e310b300906035504080c02484b310b300906035504070c02484e31153013060355040a0c0c4861696e616e576562706f7831153013060355040b0c0c4861696e616e576562706f783115301306035504030c0c4861696e616e576562706f783123302106092a864886f70d01090116144861696e616e576562706f78403136332e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b8d5c77f1ca30d5bf8ead0fafcc12de3e365bd8c6d565a639b9acc94dd127a332893d8370f1ec85ae7b7d931b0f4473b323b0958268d375476048db72831ceff52077ec62158ff4866a4da04b53de147cd9d4d6d1fb3c63b934b2b07e8e7767e8f42e8896fb8218d05ae1c869554fdd992fe3d16655d1cc3c3d789c2f1fc97e2703bcc2af84561242d15bb5526ca9f994ab918b2eee5ed0c16c04ec51c6385d237fcb4c3f42e82598a43a2192a8c46e844f620b5db83d4b519d5b61b6ce7e7f5692c9e0133cc6c7e0aafbdac72a552b8c0d0f9f62b36bfd4c46db0d823d2a1e7ef5a538daf9205345b5ccd08652f168a8437e418233f00af3a3c5d0bdaffe0df0203010001a3533051301d0603551d0e04160414ee401f3c4b918bb6cf3c1a5467fa7a102bd43f58301f0603551d23041830168014ee401f3c4b918bb6cf3c1a5467fa7a102bd43f58300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000382010100207bcdf321c80954b0c9418b025b02eea84ef4189aa56cfdccb0ca8ad9231eeb71c9af436aac5f2ab3c1077d05ba7f7db449321c5f0049dd5992cb4fc3fb9653d5ec3b15eef43fef1df3bf94b6395badf905c06eb3f21b8f7cd0e29f51b2f8e109dc55c6404b61c745890f74562dc68745de92df1ce0d01e6f07c65f5b6e5479775e72fd42093a1a2e5e64d2b52bec4613d291b0faaee929c1b13844be2e2325a9a13c48538fb8a9f8f3042f2d2b15afd4ec3c071d9371e82438f14207c9f825009b3bb51a4c4645f5edfc000903376af3bf639aa124e5e3556d24210a116e719c7fefdda1a3aa84ab05ff39e174d61efaee24a405e9c07022360cbeeb85bf9a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

468
468

pid	process
468
468

C:\Users\Admin\AppData\Local\Temp\Rootkits\9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe
"C:\Users\Admin\AppData\Local\Temp\Rootkits\9114dc1c44f6a1b7d63ca95e04541d833c49a3e65a717471042bd0ec19a3eb99.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Drops file in Windows directory
- Modifies system certificate store
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads