54f005ebc30ea5ba65ea412cfdf5f6b0c5958da2efb1bd4db7150700f1447dc3

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
27/11/2023, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d94e92b365acec3100d7ee7d036b2b0.exe
Size

29KB
MD5

3d94e92b365acec3100d7ee7d036b2b0
SHA1

e148ac4342c363fd4d7d5c24f1f737135fabb4af
SHA256

54f005ebc30ea5ba65ea412cfdf5f6b0c5958da2efb1bd4db7150700f1447dc3
SHA512

2eee1b33d7ae07c8553fb075e985e79bbf739096bb6ce8624fc685b705e8cac5a731490630dd16f1387192afa4776ff05a2b6cacc33acc4aacfa31ec1f62beba
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/X0:AEwVs+0jNDY1qi/qs

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2164	services.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-3-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x000d00000001226b-8.dat	upx
behavioral1/files/0x000d00000001226b-6.dat	upx
behavioral1/memory/2164-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-16-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-17-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2164-22-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2164-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-25-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2164-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2164-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x003300000001468f-45.dat	upx
behavioral1/memory/2164-163-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-161-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2084-798-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-799-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-1056-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-1057-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-1060-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-1061-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-1065-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-1066-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-1076-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-1077-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-1080-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-1081-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-1085-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-1086-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-1087-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-1088-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2084-1092-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2164-1093-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3d94e92b365acec3100d7ee7d036b2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	3d94e92b365acec3100d7ee7d036b2b0.exe
File opened for modification	C:\Windows\java.exe	3d94e92b365acec3100d7ee7d036b2b0.exe
File created	C:\Windows\java.exe	3d94e92b365acec3100d7ee7d036b2b0.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3d94e92b365acec3100d7ee7d036b2b0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3d94e92b365acec3100d7ee7d036b2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	3d94e92b365acec3100d7ee7d036b2b0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3d94e92b365acec3100d7ee7d036b2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3d94e92b365acec3100d7ee7d036b2b0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3d94e92b365acec3100d7ee7d036b2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	3d94e92b365acec3100d7ee7d036b2b0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3d94e92b365acec3100d7ee7d036b2b0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2164	2084	3d94e92b365acec3100d7ee7d036b2b0.exe	28
PID 2084 wrote to memory of 2164	2084	3d94e92b365acec3100d7ee7d036b2b0.exe	28
PID 2084 wrote to memory of 2164	2084	3d94e92b365acec3100d7ee7d036b2b0.exe	28
PID 2084 wrote to memory of 2164	2084	3d94e92b365acec3100d7ee7d036b2b0.exe	28

C:\Users\Admin\AppData\Local\Temp\3d94e92b365acec3100d7ee7d036b2b0.exe
"C:\Users\Admin\AppData\Local\Temp\3d94e92b365acec3100d7ee7d036b2b0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01b43b4fb98a6b8d29cbb4c64e66891e

SHA1
097c38fddd343e6bebb69ca7595ec79594ee4cf5

SHA256
8cad2848ce1e7fa3789be00344e76b78dbe01f14ae9550e9683f1b23f41d39c5

SHA512
d5e6f13d25ffbfab1c4ea44e92079e91ea75596452bfcec065e6b9ac81ce65f6bb3744851b4e7a822a3fb9729d5e40d3c3bf3e499afe0cadef3ff3dd19ce30e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72914e3ca4842e4dfabe7f43d5d6c6db

SHA1
e533b16d9846c321101394ce339b495b98093892

SHA256
5aa0ba367d11c157073a3a0680aa69cb728aef66583b9cf2f3526c409238da99

SHA512
0960aa881cb0e28e4365835d187f1fe73cf3b61984179b80d72541ab77a413ebf936a2ee472fcf8a5bd617d3854ac4107f1d917e9de76fa72597e800bb4c7be9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4c38be899033d0e2b269eeb3616ebd8

SHA1
7eb27df6e4b046fcc87c942a2cc114f28888135e

SHA256
a9d8b2f0db0686a13109e336c28056d175846fd8e5707e7a79408f3103db1c7c

SHA512
1c9d5489ea55ce71cfd0be9752aff06eb6226786507eaa326f7d4fbc39f954fdf7bb8be0efa17be030d8e5b503c0b77bf0d6c3e397e7e64bec88fe55af5048f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ffe99888543c3ce2b2af876282c04e1

SHA1
f1647156398df81a588bd35af1547d2a299704dd

SHA256
cbe774d00f675cb7fb76f895378e04dcf971089ed6ea986123284bf9259d1be0

SHA512
517adb6ca40e892c1d224970a2e8e83353f590d715d660f79dc3f103016ba200dc6c915e257ac310a4fd691836aa67a17dd25eda2e932c80e30c4dfcfb650390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fccdf056097f63952ca992bba4c2ee5c

SHA1
5b9b286690ad7dab79e0c2f547d3905d95c5a168

SHA256
0f3650b9c938fecb07aa510c5eb8a3c4c1c053aab6a9c94ed87fa3d50289f14e

SHA512
e3a67767e6f09aa4374dfdfa0a7588876241162103e4ad16bbc05baa23d30ce0fc0529c2fe9dc8d42e7bc7a5b58d18899f171c7e80ff6b2ce8536106aa636d13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad9cc5f3ec1d5de7c9542300e5d5c8bf

SHA1
d97a75da6e177af147bf65a56646f43612b12c37

SHA256
519f4fe6674ab8932edbff1229701d64c2d62b77c526cb6840d207ff951903ed

SHA512
0e9b92952e7f6f03fe07fb6306167eec5e4e673169b827a831454c8d39a8799f9e4a4dc72685dab25562c30152088a59126668cad196d48022d1c489758bf8bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c6d278870f9b2596404442ccd166b4a

SHA1
c46f1e07190ba243d444a9f7ed565d6d2141c1f1

SHA256
856d6e379934ab94f0be50379b898fc37c4f70110f2b1ee510d5f39ff2041851

SHA512
bbb1a7f819b3c65f65bcf39ff46cd94ab38f5e7e13ee116862244338d10ea8c87b52099500b03c7e55a08842cb69c14562a2bf5a41e02fa1063293710879ee98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0685c3b2bb637ad7b7ed6675f9fe427b

SHA1
e5e07d5237d0a34eaf5fed13c84440f801451115

SHA256
1f573d0ce9a0eabbabee626863a7c7dc258c865345bd8390618595030c1796f9

SHA512
9f0331e40824393b91dabbbcf8c4820459763adebe237f30e843d7ee774c86bbb54ad7e9f6528683daf4b3902cb5e3166f83f34187dbad5406f18e1febc6a77e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\UPJZY2HT.htm

Filesize
145KB

MD5
d0649ab2f56a1469e240feed83bd47dc

SHA1
c28b160fb8a4b1c241a61fb1c8e5b3a0fe5dcf68

SHA256
7df901d129e80af8ea0053d301ef765994c6b703dda69046af876076931af18e

SHA512
cd4fe0c959076593e36ed8feab193acf83691cccfc308d0a2abc25ca7fb19828b48ad588dd047f16c1bd4b82f172a3a65274d4bfae344c72615e3a4c619b026b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\RDFOF0EO.htm

Filesize
145KB

MD5
c5713973bd9017049070a9e4382e461e

SHA1
4252241340cfa7803ba2eb4c29bfd90f906bb701

SHA256
89293b9a7ed892be5abf5032e8542c5d1c68e252e3e682d5a56d78b7f1c05c10

SHA512
49ad8131ca66f8fa26828ebf4f5d0a8ed88f1c3f57c3b1ee9e8bf99818910d54e06368903a6405fb89df019d03a117eaf788792613b660982b74ec2b6835b09e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\search[6].htm

Filesize
155KB

MD5
7a967491a635e5303b7a82b20d150c33

SHA1
501a05378dddd45797db3274fd5ca42cbd820cc1

SHA256
058fcf8c199ffc09528fd0d791583d03638aabf5abff2bc6859ce35482cc5cbb

SHA512
a5d719a15e27f8b206fdc516ba2bafef5096f914cb9cbd57635385e6f791180723eb214a8abe7389bbb7c96391301992e7baee50b66867726dbefdc89c2af5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\results[3].htm

Filesize
1KB

MD5
1f54bb772898601864114ea6f0b12b25

SHA1
6e7988e843cc302509d64e192d18c83b2c7dec3a

SHA256
31c4da7079c2bd7ca47ff1c5088456fefa48f6ab5a5836950d4b255b4b5e0d0b

SHA512
f05085ba7521d70f35eda262962a3b11ed0d76edec90d3c8eeda27f99a947ef519df5191d964c2e1b9fee1db606ae0dd9d7cbbf924aa50d2e872556127479b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\search[3].htm

Filesize
156KB

MD5
34b23c30ad06bfc134cba1271bbd2f52

SHA1
21edd2702f82a59d413411ec36e296d3aea56702

SHA256
aaa70c4449836923f91c83b6dccd8603f708cc0b2d298455239e4ab08d442084

SHA512
d1deeab9d4ade8bfa5593212d471ca70dc8967650f8a8e29aacbfc2aa9fa479e9d94b353c046d33f35c2bebb3a5e24db19de0d934b88bc2c1300532895d03183

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF485.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JTzzaE2v.log

Filesize
256B

MD5
bee88a352cc9788679e4e09e0a7d913b

SHA1
423aedd27481a48ecb6478740a59fd23019e635f

SHA256
f4f07837f9c549cf01a377766852594b97ce48e7c677fe92770ad0a1e03209f4

SHA512
cd2dbecf35d21b5cce916421ecde28e1b57deb426a653a67ee419a26ba68b44829af71953485b2968e5dfceaec68af68fb0adef469b8120c93fbcfd2db28fe01

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF582.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEEE3.tmp

Filesize
29KB

MD5
744a492ad0faa0a8c2c84d8d63b1d368

SHA1
285b44afc0a57f6aca55139241bff258068df8df

SHA256
eadccd2d2aa204eec3cddf04df59842e70edb457f78a8295a13163da402a427e

SHA512
4ac87602442b2c36c217aed8cb88e8d0491e5c49c08bf26c95e2fdca7734bf60bf7cddc624bb2d35ab36728b9c3d5517382edd9c063fa8a9edd7a263a168750a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
0a1255fd6d036ba3d15a481ff18e7d3d

SHA1
5ed84bd8bb6f42ce2b0ea957dbfcd1454983d56b

SHA256
c789f77d7ff0ec003b898eabcbc94c7f127f785ce2765dfa98fc5af106205612

SHA512
ccf6627e5d2181b55d676f81144f9117028a95bd5f79767c26e443f60a76c9e64da6ac63f3fb6c40d108c66701de2fa949f596da36aa87ffd13bcd9bed4c44f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
fd2cd4288fb72fc172d677a72393b0a7

SHA1
c35f13c0bdf91308cd76eab7fdd7ffc9242ad6c6

SHA256
c58e7fa54da6e0e4048ff06257c230105724a554c3dc0ba69954f4c6f9a77935

SHA512
f171db85831d4d3e69e9a0657da2b399ebee8287f5ae87bc81d17e3caac89ad2967038322dff554ce9ac7d4ce0171c5f71b2939acabd5ca66ca0233dbdce3293

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
038b6fe18f21ed523a7753ed3892e663

SHA1
4fc2316e0164f09af2f4801bfda7f0173f42db24

SHA256
27c33577b9b9fdab84a3b1d67458e825da3acec46bfb8844aa8899dfe622b7b8

SHA512
67eac23130e1bd974e293a71f7d6cd06042c28873be55598927ee800f1cf566782d204927ccbdb461d9e5f3689d3c3d70d66984c561540923ff489f1b5bbb5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
288B

MD5
f8bb28a72151e109ad39b84ecc6f4670

SHA1
9de9a8afcba4982d9ba1aba5e78a9027675dceb3

SHA256
404098531fe1e2fdad849754bfdcfd349ce6bd5ec0d6e75c24ea138b1459a88b

SHA512
9e35360294dfeed3ec947ca28138e8cf4869d773f3075f6cde4d8b462821ff32fcf30f39e1d483cc009d3b3d0a206b079ae5451c9282b04d8bbc4bdd458c8eff

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2084-1087-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-1076-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-25-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2084-1085-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-798-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-1080-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-23-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2084-1060-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-1092-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-3-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-16-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-1065-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-1056-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-161-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2084-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2164-1057-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-1061-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-1066-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-1077-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-799-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-1081-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-1086-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-1088-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-1093-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2164-163-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads