96c1c6295f81ac18829b4d79cb9a2c199cc536ff653707d0f14a3f575773b986

General

Target

26a4cc77158f9831700134eec96ca21b.exe
Size

1.0MB
MD5

26a4cc77158f9831700134eec96ca21b
SHA1

ee5bfa49951d84e05d27aec2b1f19c5b88b8acae
SHA256

96c1c6295f81ac18829b4d79cb9a2c199cc536ff653707d0f14a3f575773b986
SHA512

dd30ffd73e954c5e21a846b783158b2055c42dba9474537cf4a364fa31ca7e5f1b6f7595b8a502dbe92f187d52bff240af39d8eed02ed2a00a9e7ecad087df16
SSDEEP

24576:ibSaE4mvt/2WPvOzmheRU8OzlKWn3rkeMe:ibSv4mvcWPWzmheRpOxHn3rV

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1340	224	WerFault.exe	96

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	26a4cc77158f9831700134eec96ca21b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	26a4cc77158f9831700134eec96ca21b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	26a4cc77158f9831700134eec96ca21b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2180	26a4cc77158f9831700134eec96ca21b.exe
2180	26a4cc77158f9831700134eec96ca21b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	26a4cc77158f9831700134eec96ca21b.exe

C:\Users\Admin\AppData\Local\Temp\26a4cc77158f9831700134eec96ca21b.exe
"C:\Users\Admin\AppData\Local\Temp\26a4cc77158f9831700134eec96ca21b.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\ebfcabfbcdhd.exe
    C:\Users\Admin\AppData\Local\Temp\ebfcabfbcdhd.exe 1/7/8/0/0/1/3/7/4/0/6 LklBRD02MCkuIClSTjpQSUM6KRwvSERNT09SSkY9OTAaLj1BU1RIQTYtMTEwLBgvQ0hBNiwgKU9LR0RVQlFYRUQ3MC8xNCAuUD5OVj9RWE1STDxlbXBwNC4oa3J2LUE+T0snU0hILUFPTSdFTkBOGSdDTEhAREVENzEwLjIxMi8qMDMaLj0pPTYzLykcLz4xNiUxIC5BLDktKx8oPDQ9LC4ZK0QvPCYpIC9PT0hAVT1TWEhSSVU+PFU9Gi5JSk9EVEBNW0VPSzo1IC9PT0hAVT1TWEZBTUQ6GStFUkRYTVJMPB0oQVg/XjxFRExISz45IClHSEtUX0FPSFNTP1E2LSAvU0U6SktTTk5XVVJLOhkrVkc8KxgvRFIuNhwvTFRHTElNRFxQQUw9TkY9SU1ARD5RUkY8GSdJU15PTkpUQ0w+NXRydGIZK1I/U05KTklNRFhRUz9RWDxBWVI6KxwvQkg9PVg9MB0oRVNZQ1JGQU1IQFhBTj1RUkhURUM6X11sbWQZJ0RPVktFS0E+XkJIPTE4MCcuMTItKi00LjcxGStUQ0w+NTE0MTYpNTUvMy4YL0ROVEdITztDWExJTUQ6LSsxLy4rKDE1KS4pNjUzOSktKkFMHShRQTdWYF10JTFjKioxLS0tIyhsaGtudC1hbW4hIC9UT0U5aG5zaR0zYSQvXyEyYGZebC4wMC8tZi5jbV9nJTJlT25qVGNsXjxvd21paF1kR2BnWWdlcVxdYXBmbnIdMmYwMSs1MCsyLDA2JTFjKjAyMy8qKzM4NSIrYjEuMTIoMTMyNS8hM2A2LjE0OTYyMTM3M1hAOnJNUz4tXXpPdkU7Y3JIU2wxSz1uckNTd2VWc1VzRlNOakgyai5ETjlcSmNfdE1CaGlFVm5rUmRwa1lDbDFLTkBxQ2lvckhMa3ZFaENfWEdvakdlc15iK0puT1Jo
    3⤵
    PID:224
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703580019.txt bios get serialnumber
      4⤵
      PID:3832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 856
      4⤵
      Program crash
      PID:1340
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703580019.txt bios get version
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703580019.txt bios get version
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703580019.txt bios get version
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81703580019.txt bios get version
      4⤵
      PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 224 -ip 224
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-0-0x00007FFDAC1D0000-0x00007FFDACB71000-memory.dmp

Filesize
9.6MB

Download
memory/2180-1-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/2180-17-0x000000001C000000-0x000000001C078000-memory.dmp

Filesize
480KB

Download
memory/2180-93-0x00007FFDAC1D0000-0x00007FFDACB71000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing