a65028c330b56ea2fb5a3f30eaf1fc7c85831d44270a9a6bfa56323c29d3da64

Analysis

max time kernel
5s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

102b8cf55217be4ad06247a6a884233d.exe
Size

1.1MB
MD5

102b8cf55217be4ad06247a6a884233d
SHA1

dc544dc8d4decc9264cd637be1f1bf769a3642cc
SHA256

a65028c330b56ea2fb5a3f30eaf1fc7c85831d44270a9a6bfa56323c29d3da64
SHA512

fe6692dcf3c43da97ba30fe47ab4506d70fb800b7ab209cab1126cd98670dfe37355e81ac11aba07830b985ee332540d5b6302413790601b38ac0877bf912e08
SSDEEP

12288:gMiy4IadS4ms5I6e66fEheKhGsX+JkC9sdDfNpf+YKBnSJbH91dJHK2JdIP:gbSaE4mvt/LkxF4SJDnfHh

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4516	3364	WerFault.exe	108

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023228-22.dat	nsis_installer_1
behavioral2/files/0x0006000000023228-22.dat	nsis_installer_2
behavioral2/files/0x0006000000023228-33.dat	nsis_installer_1
behavioral2/files/0x0006000000023228-33.dat	nsis_installer_2
behavioral2/files/0x0006000000023228-32.dat	nsis_installer_1
behavioral2/files/0x0006000000023228-32.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	102b8cf55217be4ad06247a6a884233d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	102b8cf55217be4ad06247a6a884233d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	102b8cf55217be4ad06247a6a884233d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4772	102b8cf55217be4ad06247a6a884233d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	102b8cf55217be4ad06247a6a884233d.exe

C:\Users\Admin\AppData\Local\Temp\102b8cf55217be4ad06247a6a884233d.exe
"C:\Users\Admin\AppData\Local\Temp\102b8cf55217be4ad06247a6a884233d.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\1430546536.exe
    C:\Users\Admin\AppData\Local\Temp\1430546536.exe 5^4^2^0^4^6^1^1^5^6^8 KkxHRDkxMi8tGidOUUBQRT48LxspRkBQVU9ORUhDOCsYKkBHU1BDQzwtLi0vLx4vP0NDPCsaJ0tOTURRPVNeRD41LDI3NBwpUkRNUD1NW1NSSDdnc29qMiorcXJyKENETkUlT0tOLT1KTy1ESD5KHC1DSENCSkQ+NS00NzIwLC8yKy0YKkAvPS0yLzUwGic/LjstLRouQy43JSwcLUQwNywwGyk8MDkrMRwpT1FKPk0+UF1QTkNVQD5TNRsrTlJLPlRCT1k9UEg/PRwpT1FKPk0+UF1OPUdEPBspPVNBXVVORjwfKj9QQFtBTUBGSE1ANxgqRE1TUFlBUUpRS0BOOzIcKVNHPEhDVEtTX1FMSzwbKU5IOTAgKz5SMDgaJ01RTFRFR0ReUj9EPktLRUVHQEZAT0pHOR4vRU1eUVBITERJQz1wbHRkGylKQFBTUkpDTUZaT0tATl1EPVNSPC0aJ0NFQkVUNzAfKkNLWkBXTj1HSEJaP0Y+TldQUD9DPGFbZG5hHi9ASVZNR0k5P1tHUDkrMDApKyspLS4yKisyOBspTERJQz0tLjIvMC8uNDQzICs+TlZJRkc8QF1URUdEPDApKiouLjExJDc5MDAyLTEoQUkaLlQ8N0VqdmdsaFskMWEvJisnJldlaGNucm0jSVApNSorKCo8amhnYVVlXkVocyAsXjAvNS4vMConRkJMSEgjMl8la2hmXyNCYWFrayMqQmNsZ2hhIzJiLTAtKygpMTEuLjExKlJcYFltZSMyYi8yNiktLiZNT0RrcW1raltcIC5kMSoxHy5QTEQ4ZHJ0bB8yYCAsXiAuZGdhbi0vLCswZSpnbmJpJDFhTG1pUGdtYT5udmlmZ1xgS2FqW2ZkbVlcYGxqb3UfMWUsLisrMTM2NTAvJC1gKS8vLjUxMDg1Kx8qYS0yMywvNDU0MCggL2Q0LS0yMzMzKTAyN1kuTHdMdUsrVXZ1eUhNYnRFUT0xSGd3b0d4M2JTcmZzS3pVcUdsUDJEPj5gTFBxdE1OcW1HP1RlVmdBZVxnUmNLUW9ySUIvcEVLcnVKVD1jWFVrb1lPX25JamZsYU9laQ==
    3⤵
    PID:3364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 888
      4⤵
      Program crash
      PID:4516

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703465341.txt bios get serialnumber
1⤵
PID:1564

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703465341.txt bios get version
1⤵
PID:1204

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703465341.txt bios get version
1⤵
PID:4988

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703465341.txt bios get version
1⤵
PID:2228

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81703465341.txt bios get version
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3364 -ip 3364
1⤵
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1430546536.exe

Filesize
287KB

MD5
e3091f5377a57d6bd3de63e123b9fb3a

SHA1
63537221b309fd6ba1a89eb350ea3ae5a6ec2224

SHA256
7a772ba2208bef73f1caa14d8fdba7ddb0cd4ea3efe345ef1db6fcf3c2965f3a

SHA512
b6dd8adf91faa82ec71620ef4c6b25f2619722eb98ca863ae22980e71a4970e1a0c994471fd424dec9f97024bef977d5fece6a1d3e48bf7885d404bed28d37a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1430546536.exe

Filesize
334KB

MD5
3a8fdc42f7d2d9d3580b24c5bc323cba

SHA1
c7fbbe704dc09533d09008d2215a02d2155741f0

SHA256
71175ad0477617fe353514ae803f958e3e7cd453a809fb2e6ce4882ecddfe0fc

SHA512
d2d29749a8fd7129ba8c3d1c962816ce14b5991cf3cb9f36872d67d6f18a76fd389452af803f1ed84f9635c23bb3e5db8f37142c2554baef4ee8de24603b6d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703465341.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703465341.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81703465341.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
29KB

MD5
ccb313605cc23e5fd2cc0fd38d97e1fe

SHA1
a8e958993f863216dca11a039777e9521b32373c

SHA256
2d588b1ea8ea46d985fbb1a4e5393672fee6a25f238e3813e8d48e493e7b0164

SHA512
a73fa27344cc1e5421c6a845aaa6e518672d269716dd762632abcb9bf8d05294bec0fb8d45b8168a949583879f9fab424e12bb41bace88d71bce729df346f024

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
47KB

MD5
17260c3f83a9aa663d2d63d0ee15a144

SHA1
1f589899d13fddec4cb6226648e9eb71417a5530

SHA256
3f9db3ee7e19630333670b2426d1a44e1f6f373cbfc449ee83c39be9796f4008

SHA512
bcf5ef8af20abd5813184b22f4e2d77747744022bdb057c03cd93cb67cc23a5fbd6c5779ce8c05677929a6aedafbe27311444cccd66432dae83ed92adf312900

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
1KB

MD5
36980f88f1d00732fb16d771a042b89c

SHA1
fdc056ec0227b675018a0995499e70946db86d23

SHA256
aed67c2365e1f62324434639df984c938607713f9dd2b24128fef03b621fa6ca

SHA512
57bac38dd2b371e15fabff62d0785e1a9142b871ce97a03cdf929c074219698e3c66717b96b30c3055e3fb0328365af40db697f44104dab984402e34244a547d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh6478.tmp\dhihhg.dll

Filesize
126KB

MD5
09c0a8445c727b6cdee796a9a58b5482

SHA1
e654bd7418601f7205b2632c8bf32c29295384f9

SHA256
e363e4886f4a87644efc9a2515c0a98c054f50b02fc5fb58b540e041ad0d70d3

SHA512
3a43a904ea11bc1b70580da33196073e6f3a53841342ff755845f4eff94f4009b1fd496a57b2a38f36bb9dadbb87af92ca8ab9222547d780db081dc0a6ae0b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh6478.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
memory/4772-0-0x00007FF9CC240000-0x00007FF9CCBE1000-memory.dmp

Filesize
9.6MB

Download
memory/4772-17-0x000000001C780000-0x000000001C7F8000-memory.dmp

Filesize
480KB

Download
memory/4772-1-0x00007FF9CC240000-0x00007FF9CCBE1000-memory.dmp

Filesize
9.6MB

Download
memory/4772-2-0x00000000013F0000-0x0000000001400000-memory.dmp

Filesize
64KB

Download
memory/4772-92-0x00007FF9CC240000-0x00007FF9CCBE1000-memory.dmp

Filesize
9.6MB

Download