5c4e65fec6657caef68eb006819e1ad1fde846f6c233b8b9a6ddbecccfdb5df9

General

Target

203756f969ef6db28a792f24566642c3.exe
Size

96KB
MD5

203756f969ef6db28a792f24566642c3
SHA1

b5f504c24a07de14f4136876e7392fa400a1df4d
SHA256

5c4e65fec6657caef68eb006819e1ad1fde846f6c233b8b9a6ddbecccfdb5df9
SHA512

de93088115515a643752e90c357a3962d446e6f50ee47dfc24c9d1267b278284d350bf7c98aba5e043bf41854c3d75efc61a0ce4c378de00f73fedfa218b12be
SSDEEP

1536:DomALFDs+Kg2ORhfPe5lEA2CgnufjuUwfisAqBMh89CFMV2yaVUGz/:EmAe8/IlEA2Cgg1GisLBp9CEMUe/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1272	taskhost.exe
848	taskhost.exe

Loads dropped DLL 3 IoCs

pid	Process
2944	203756f969ef6db28a792f24566642c3.exe
2944	203756f969ef6db28a792f24566642c3.exe
1272	taskhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Taskhost = "C:\\Users\\Admin\\AppData\\Roaming\\taskhost.exe"	203756f969ef6db28a792f24566642c3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2932 set thread context of 2944	2932	203756f969ef6db28a792f24566642c3.exe	28
PID 1272 set thread context of 848	1272	taskhost.exe	30

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	taskhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	taskhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	taskhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	taskhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2944	2932	203756f969ef6db28a792f24566642c3.exe	28
PID 2932 wrote to memory of 2944	2932	203756f969ef6db28a792f24566642c3.exe	28
PID 2932 wrote to memory of 2944	2932	203756f969ef6db28a792f24566642c3.exe	28
PID 2932 wrote to memory of 2944	2932	203756f969ef6db28a792f24566642c3.exe	28
PID 2932 wrote to memory of 2944	2932	203756f969ef6db28a792f24566642c3.exe	28
PID 2932 wrote to memory of 2944	2932	203756f969ef6db28a792f24566642c3.exe	28
PID 2944 wrote to memory of 1272	2944	203756f969ef6db28a792f24566642c3.exe	29
PID 2944 wrote to memory of 1272	2944	203756f969ef6db28a792f24566642c3.exe	29
PID 2944 wrote to memory of 1272	2944	203756f969ef6db28a792f24566642c3.exe	29
PID 2944 wrote to memory of 1272	2944	203756f969ef6db28a792f24566642c3.exe	29
PID 1272 wrote to memory of 848	1272	taskhost.exe	30
PID 1272 wrote to memory of 848	1272	taskhost.exe	30
PID 1272 wrote to memory of 848	1272	taskhost.exe	30
PID 1272 wrote to memory of 848	1272	taskhost.exe	30
PID 1272 wrote to memory of 848	1272	taskhost.exe	30
PID 1272 wrote to memory of 848	1272	taskhost.exe	30

C:\Users\Admin\AppData\Local\Temp\203756f969ef6db28a792f24566642c3.exe
"C:\Users\Admin\AppData\Local\Temp\203756f969ef6db28a792f24566642c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\203756f969ef6db28a792f24566642c3.exe
  C:\Users\Admin\AppData\Local\Temp\203756f969ef6db28a792f24566642c3.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Roaming\taskhost.exe
    C:\Users\Admin\AppData\Roaming\taskhost.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Roaming\taskhost.exe
      C:\Users\Admin\AppData\Roaming\taskhost.exe
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
7KB

MD5
5da20b844c34cda2b83a71b13db09cc4

SHA1
69e6d745c078011b171356b1257806a6e6bd1cfe

SHA256
6556af10ea7818bee690b6e39844a2ddc3a42bff4cf27434584de666ef7e459b

SHA512
f2686a91185d8500ee47df031a996e8143d3fd994283c9792e5992870e5cf67003dafdfd74694ac9f358b1e843fc93d34a559c6ba226ac4744f628f3115b4415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e934ecb9247e54275ce8a41e96d3be75

SHA1
155d32f5cf9e25039576d25d41bbbcb9873356f5

SHA256
9d2c47e8e55b20f0c29f6d3430a6c7c7a1ee5db55f7be3bf97326ab1c8046bee

SHA512
280e816e3feb5abe35edeea1b4d6f195d98f89a076ce7df87f6e41c80acacdbea202567d81aa1a1e7b4484966388ac40fdf6564455f5c1015e31722a10582aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar76EA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Roaming\taskhost.exe

Filesize
96KB

MD5
dc72fc708276ec90bc5b0a720cf7bd66

SHA1
430e659c75db35ce10ab645911275326998635c6

SHA256
f585ba5f371a9bc5a433c05a268485cbd12f5d2ea58cae1a33193b59ef32f9f1

SHA512
c72d6c13416f0600030c71988615f3c6713fac1d2effd0b6af06e9514536f01c341d78643e4e77b7eb090d7c57fa9c0f150b6ec4834b17a7804672bd35422ca5

Download Submit
memory/848-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/848-161-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2944-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2944-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2944-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2944-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads