73e909b20aaa29b08846eeefbfa51203114d661f3cddf2cd9025e88dca11300f

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2266be64c0d23a7a09778004f445bf34.exe
Size

195KB
MD5

2266be64c0d23a7a09778004f445bf34
SHA1

14ddb3d02b4dfb491d810189e5ad6940d074fb47
SHA256

73e909b20aaa29b08846eeefbfa51203114d661f3cddf2cd9025e88dca11300f
SHA512

88f5eec66918d5a60e9b0535981f7f262d13b5754d80ca310a393070110237757bf2d2b2895232847fd2fcb2260b37e46e8a0590f9c3cf31d06a5b3667259c3f
SSDEEP

3072:L/na6WDmrZ5Cn79xvlr2xmOJ5wUuWXcfb0hw7IACb873684yVcx566/zndV6sIUU:L/nuDm9knmhJ4/sMLuO6/zqwegiD

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2266be64c0d23a7a09778004f445bf34.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2266be64c0d23a7a09778004f445bf34.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\ÍøÒ³ÓÎÏ·\Desktop.ini	2266be64c0d23a7a09778004f445bf34.exe
File opened for modification	C:\Users\Admin\Desktop\ÍøÒ³ÓÎÏ·\Desktop.ini	2266be64c0d23a7a09778004f445bf34.exe
File created	C:\Users\Admin\Desktop\ÍøÒ³ÓÎÏ·\Desktop.ini	2266be64c0d23a7a09778004f445bf34.exe
File opened for modification	C:\Users\Admin\Desktop\ÍøÒ³ÓÎÏ·\Desktop.ini	2266be64c0d23a7a09778004f445bf34.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\baidu.ico	2266be64c0d23a7a09778004f445bf34.exe
File created	C:\Windows\SysWOW64\taobao.ico	2266be64c0d23a7a09778004f445bf34.exe
File opened for modification	C:\Windows\SysWOW64\baidu.ico	2266be64c0d23a7a09778004f445bf34.exe
File opened for modification	C:\Windows\SysWOW64\taobao.ico	2266be64c0d23a7a09778004f445bf34.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance\InitPropertyBag\method = "ShellExecute"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\Shell	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance\InitPropertyBag\command = "´ò¿ªÖ÷Ò³"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)\Command	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\InProcServer32	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)\ = "´ò¿ª(&H)"	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\shellex\MayChangeDefaultMenu\	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)\Command	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe %1 http://www.7400.net/taobao/"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\InProcServer32\ThreadingModel = "Apartment"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon\ = "C:\\Windows\\SysWow64\\taobao.ico"	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe %1 http://www.7400.net/taobao/"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\IE	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon\ = "C:\\Windows\\SysWow64\\baidu.ico"	2266be64c0d23a7a09778004f445bf34.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes = "0"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\ = "°Ù¶ÈËÑË÷"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance\InitPropertyBag\Param1 = "http://%77%77%77%2e%37%34%30%30%2e%6e%65%74"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\shellex	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)\Command	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe %1 http://www.googje.in/baidu/"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon\ = "C:\\Windows\\SysWow64\\baidu.ico"	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)\ = "´ò¿ª(&H)"	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\Shell\·ÃÎÊ(&H)\ = "´ò¿ª(&H)"	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance\InitPropertyBag\command = "´ò¿ªÖ÷Ò³"	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\Shell	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\InProcServer32\ThreadingModel = "Apartment"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\IE	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\Shell\ = "·ÃÎÊ(&H)"	2266be64c0d23a7a09778004f445bf34.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes = "0"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\Instance\InitPropertyBag\method = "ShellExecute"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\IE	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon\ = "C:\\Windows\\SysWow64\\taobao.ico"	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C5380-42A0-1069-A2EA-08002B30309D}\Shell\ = "·ÃÎÊ(&H)"	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97426908-2446-7578-9742-244686722755}\InProcServer32	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	2266be64c0d23a7a09778004f445bf34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{999C5380-42A0-1069-A2EA-08002B30309D}\Shell\ = "·ÃÎÊ(&H)"	2266be64c0d23a7a09778004f445bf34.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2266be64c0d23a7a09778004f445bf34.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2266be64c0d23a7a09778004f445bf34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	2266be64c0d23a7a09778004f445bf34.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	2266be64c0d23a7a09778004f445bf34.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2204	2144	2266be64c0d23a7a09778004f445bf34.exe	33
PID 2144 wrote to memory of 2204	2144	2266be64c0d23a7a09778004f445bf34.exe	33
PID 2144 wrote to memory of 2204	2144	2266be64c0d23a7a09778004f445bf34.exe	33
PID 2144 wrote to memory of 2204	2144	2266be64c0d23a7a09778004f445bf34.exe	33

C:\Users\Admin\AppData\Local\Temp\2266be64c0d23a7a09778004f445bf34.exe
"C:\Users\Admin\AppData\Local\Temp\2266be64c0d23a7a09778004f445bf34.exe"
1⤵
- Drops file in Drivers directory
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\2266be64c0d23a7a09778004f445bf34.exe
  "C:\Users\Admin\AppData\Local\Temp\2266be64c0d23a7a09778004f445bf34.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Modifies registry class
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2204-83-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download