3e1ff53cdf72f047d4ce74ac6c4e273b8797870a4b3f7d805f77dff491661a9d

General

Target

086d010a73cb50000e8ad270cb1ac814.exe
Size

200KB
MD5

086d010a73cb50000e8ad270cb1ac814
SHA1

c7eb5c6da10053e832f32fcc524cc0cdc6a9eb69
SHA256

3e1ff53cdf72f047d4ce74ac6c4e273b8797870a4b3f7d805f77dff491661a9d
SHA512

9ba16a53f6ce942bbcb1ac7c88daa94225f9840588ecb5940eae1ce2d3c914daf5f7c5e6a382a21be68eecdb245bd066065feeb8c3884c5e3389e2201cf4289f
SSDEEP

3072:GgiCQtFgehesL5bEGsMgA9NFDn1q2ZRg9HQ6nae8m6+Y:bfM5bEEgEFxq2ZRg9wI1sJ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FA5054F-8A15-5E65-8708-5AEDC88F6BE2}	086d010a73cb50000e8ad270cb1ac814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FA5054F-8A15-5E65-8708-5AEDC88F6BE2}\stubpath = "%SystemRoot%\\system32\\V3Medic.exe"	086d010a73cb50000e8ad270cb1ac814.exe

Deletes itself 1 IoCs

pid	Process
1920	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\V3Medic.exe	086d010a73cb50000e8ad270cb1ac814.exe
File opened for modification	C:\Windows\SysWOW64\V3Medic.exe	086d010a73cb50000e8ad270cb1ac814.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	086d010a73cb50000e8ad270cb1ac814.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	086d010a73cb50000e8ad270cb1ac814.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2100	086d010a73cb50000e8ad270cb1ac814.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1056	2100	086d010a73cb50000e8ad270cb1ac814.exe	28
PID 2100 wrote to memory of 1056	2100	086d010a73cb50000e8ad270cb1ac814.exe	28
PID 2100 wrote to memory of 1056	2100	086d010a73cb50000e8ad270cb1ac814.exe	28
PID 2100 wrote to memory of 1056	2100	086d010a73cb50000e8ad270cb1ac814.exe	28
PID 2100 wrote to memory of 1920	2100	086d010a73cb50000e8ad270cb1ac814.exe	34
PID 2100 wrote to memory of 1920	2100	086d010a73cb50000e8ad270cb1ac814.exe	34
PID 2100 wrote to memory of 1920	2100	086d010a73cb50000e8ad270cb1ac814.exe	34
PID 2100 wrote to memory of 1920	2100	086d010a73cb50000e8ad270cb1ac814.exe	34

C:\Users\Admin\AppData\Local\Temp\086d010a73cb50000e8ad270cb1ac814.exe
"C:\Users\Admin\AppData\Local\Temp\086d010a73cb50000e8ad270cb1ac814.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{7FA5054F-8A15-5E65-8708-5AEDC88F6BE2}" /f
  2⤵
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\086D01~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1920