55b0c0baf5788aaaf3330ed8de34f75255f505279752f19140c9b296a3f99206

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bdeca41a9cb786c3a6628ccd57746b9.exe
Size

28KB
MD5

2bdeca41a9cb786c3a6628ccd57746b9
SHA1

a9e7448ff02eeeb3f5181708a5f22939573b2407
SHA256

55b0c0baf5788aaaf3330ed8de34f75255f505279752f19140c9b296a3f99206
SHA512

838d2dad0acc2b8e963044027c3a827a97f3514f3c7ec44b89605d8b2092b9a5c82175427fa2113283edfdd36776b0d089b2647e2c8d8a360bc8d715d1a90e50
SSDEEP

384:1vxBbK26lj5Id8SpHx9jLhsznnVxA1WmP5w7GGCJlqqwMyNBcYQSkTtA:Dv8IRRdsxq1DjJcqffYQSv

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2392	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-0-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/files/0x000d0000000122bf-7.dat	upx
behavioral1/memory/2884-4-0x0000000000220000-0x0000000000228000-memory.dmp	upx
behavioral1/memory/2392-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-17-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2392-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2392-25-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2392-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2392-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2392-33-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-37-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2392-38-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2392-43-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000600000000f6f8-48.dat	upx
behavioral1/memory/2884-55-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2392-56-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-59-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2392-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-64-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2392-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2392-67-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-71-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2392-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-76-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2392-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2392-79-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2884-249-0x0000000000500000-0x0000000000510000-memory.dmp	upx
behavioral1/memory/2392-251-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	2bdeca41a9cb786c3a6628ccd57746b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	2bdeca41a9cb786c3a6628ccd57746b9.exe
File opened for modification	C:\Windows\java.exe	2bdeca41a9cb786c3a6628ccd57746b9.exe
File created	C:\Windows\java.exe	2bdeca41a9cb786c3a6628ccd57746b9.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2bdeca41a9cb786c3a6628ccd57746b9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2bdeca41a9cb786c3a6628ccd57746b9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2bdeca41a9cb786c3a6628ccd57746b9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2bdeca41a9cb786c3a6628ccd57746b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2bdeca41a9cb786c3a6628ccd57746b9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2bdeca41a9cb786c3a6628ccd57746b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2bdeca41a9cb786c3a6628ccd57746b9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2bdeca41a9cb786c3a6628ccd57746b9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2392	2884	2bdeca41a9cb786c3a6628ccd57746b9.exe	28
PID 2884 wrote to memory of 2392	2884	2bdeca41a9cb786c3a6628ccd57746b9.exe	28
PID 2884 wrote to memory of 2392	2884	2bdeca41a9cb786c3a6628ccd57746b9.exe	28
PID 2884 wrote to memory of 2392	2884	2bdeca41a9cb786c3a6628ccd57746b9.exe	28

C:\Users\Admin\AppData\Local\Temp\2bdeca41a9cb786c3a6628ccd57746b9.exe
"C:\Users\Admin\AppData\Local\Temp\2bdeca41a9cb786c3a6628ccd57746b9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89cbdab533748419505b4cb21b1e7787

SHA1
b3e9f71bb24877bff41fba564333bbb09da30925

SHA256
f36cf5a1ac88ee7bce185676143b78990ad36da0572a86750e55ef5ba99499bc

SHA512
eb6766485f3137a8059e9af985d6f336ed0a21782f03c4c6a890693cf7e8cd575a5e0f79a9cef3b578785e4abb4b1811002caf1faf270523e1244270ee9cac6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
081e159aea71278b232fcdd80c24ff7a

SHA1
31fbc3d6a07e087d477fcc42a6abebb225c53018

SHA256
c0fb3e615df43e9948fba1dfaf4daead0c10d79aacf44b06ee328c28ebc04031

SHA512
16bef96d0d29ae2e7ab0bc8dae91bb6cb1506655ffb1ca0a8cedd4c6860396b72279997b307ba69aa28b557bcbac952f795d2bc3eb1b2cee4758b5fb20815228

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4162947cec1d4de4d0856fce08a472b

SHA1
43e9a672c0470b48387266167953fdac6ab7443d

SHA256
d1f0f0ac92c406b470f7e9d235fe3ce9edcf225cb051f8b2204e04f22bc02cce

SHA512
e1b0c3a69a06f7cb4473961531438e36fa11ca239595f12a0c08437a6db2b53d9bcabf6c23a101823340c86298e8e885318a90172378c042a039239cce9ec982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
88641759c403a820e9f57e75af390eda

SHA1
77d9252a9b56ef5fdfb66133535c5e2f5f83756e

SHA256
321a2d1f1e5fd6f8717941a12717db1fbf35b8a9b275688c955ba888b25e7736

SHA512
36eb5017b1c8bb082c314742d97c51a878c218e4a1056b196e43eed7330fb146dd1b97979722791c8d2cdca2a03737cd03dca4cecf87f6077174d8b96eb71684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5ac8e8ff25302ae706b44865fe9863a

SHA1
fede081dafa58577b3c08dab748fe6df0b5cc048

SHA256
f665504a8c71eae02988f675faa7b190abc8511b9869d1b3c8bc3980485fe97a

SHA512
d707c000ee5e20595f535400ea3eeffc47315daaab1d4d700e2c9c0f46a0b3c975b822b44e4502adf3395be540fa2ced12b95153c5357fb73bcd2af4c5a9583e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
934dcb85b599692c65b4ef25b9724fd1

SHA1
e4081af8f704be079fe348435fb2c0b4502f1118

SHA256
f3644c4770630503b19a40eed6d3d6136d3169ae6672669ed01c41a6843919a3

SHA512
09fc0e1aa195f8f6998425325a51e44ad09517acb9c78c08a8190afedf575e13bef4cfaa97bd80b64b85b098277f295d70d51ed7d36585cd327695befb2c4bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M2VO416U\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8CAE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8D6C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F7C.tmp

Filesize
28KB

MD5
ce4c3fbcb71c8611d09b0c3131f4cf15

SHA1
132e7870e0cc019c401afe51f8e16d34e0020af6

SHA256
5182048606376f31e1c47e9598bf7ebee54275d36860b3b5da165f798172232e

SHA512
6d37539c91235bbc538bbb240491bba465d49d764db0678729def19aa9984a849dc4aafcb754cc126623c59590e40de4e48f4c53c05536a4e242efa618f932ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
f3af4cc56a0f07bd8442721e1f06d37b

SHA1
0e56e89f6f99f483106dde477c81c9ef73786f32

SHA256
e825a3120e20b8f492d50d1c9b8b0e721ac50103a56fee50147cf0bba8287b85

SHA512
1dffd76eeca517f36b3a5c768a20138bd8532b83b21953aa86c4b3c0c111499446fbc82f9a42b6a59f4c864da277d4962f510d6b1c871a5476c0bd3e4213d422

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
1KB

MD5
ce481147d3e043345d86efec57522453

SHA1
27cb6a986bfc48f9e3339d11bc3361729dbc5994

SHA256
cad894f473273546f1054130505ba665bf1de9890286ff4da8cbbfd7e1d24dfa

SHA512
0d36adbb267e67fb41286fa1235fbff9f28e6d02529d1520028db7ba7b2494a83d5ab51d415b2e8ba957954c37e96924ad369f1a82f3afac189575f5d7c47962

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/2392-56-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-43-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-251-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-79-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2392-38-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2884-0-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2884-71-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2884-64-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2884-59-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2884-23-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2884-22-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2884-76-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2884-17-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2884-249-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2884-55-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2884-37-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2884-4-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2884-9-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads