647615ccb7d1795429d5720476049f3a087d72f1bd67cc61fff9aa3835feab94

Analysis

max time kernel
213s
max time network
248s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cffea1a8b250322814985924dbc4a80.exe
Size

268KB
MD5

2cffea1a8b250322814985924dbc4a80
SHA1

396e72627e1aca3faab789a3bc9f145960f8a95a
SHA256

647615ccb7d1795429d5720476049f3a087d72f1bd67cc61fff9aa3835feab94
SHA512

f089aabd94ecd2b448f21bf0e420ff708422814e44dc0bc68fde837893e72ecf2b7e5a8a057d3930ae2a02cc8ac04883ab4d8b5ad85c7e518471692b8a8bf384
SSDEEP

6144:AI1v9PfKoXjllMoVpfZLijwDAhtCx6o3yG4/xFk:A4vFfVzv2qZitZFk

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\2CFFEA~1.EXE,"	2cffea1a8b250322814985924dbc4a80.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2CFFEA~1.EXE"	2cffea1a8b250322814985924dbc4a80.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\35e2155a = "O\x19G\nGÞR-ßÖD\x0eøètVŽv\u0081TxG\x05À\x0f(\x1f·tÿ\u00a0‘¨÷ÕÐ?žZ\"pÀ{gÄRI@3ÜE\x14ãïlNRb4éªwOò ß&bŒ\x02¼E¾\x17•¿Õ¤\aîcŸö—Ù\x7f7”¦\x17\x19N“€¹$†þ`×ö§;Åé‹_X#·yô\x16CýA+«ËÄvô÷ß\x1fØËvU\a~3dç,ö)[´£Ë\x03ËsóŒ³×Á~4Lfþ3\x1f\x1c}\x18àÝ>ÍvüÄÝ\x03»\vŒa#ëpÇ›¬ðGeì?0\x03·¡äË+Ð\b\x0fA¤}[;fÃ±å\x06Ï…ùÿ†Öq7ÌÞK“D\x03\x10\x04Ø¡S¼€\x10Ë$¸<\x0e\a\x0eM…œîw{i¬¶Qž\x1bãn\v}eF£äP‘>\r[¨{\a"	2cffea1a8b250322814985924dbc4a80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2CFFEA~1.EXE"	2cffea1a8b250322814985924dbc4a80.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	2cffea1a8b250322814985924dbc4a80.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	2cffea1a8b250322814985924dbc4a80.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	2cffea1a8b250322814985924dbc4a80.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181181900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	2cffea1a8b250322814985924dbc4a80.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2580	2cffea1a8b250322814985924dbc4a80.exe
2580	2cffea1a8b250322814985924dbc4a80.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2580	2cffea1a8b250322814985924dbc4a80.exe
Token: SeSecurityPrivilege	2580	2cffea1a8b250322814985924dbc4a80.exe
Token: SeSecurityPrivilege	2580	2cffea1a8b250322814985924dbc4a80.exe
Token: SeSecurityPrivilege	2580	2cffea1a8b250322814985924dbc4a80.exe

C:\Users\Admin\AppData\Local\Temp\2cffea1a8b250322814985924dbc4a80.exe
"C:\Users\Admin\AppData\Local\Temp\2cffea1a8b250322814985924dbc4a80.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
821348ee5170f13162ffdd8553a0b71d

SHA1
ee100a01c4f9c881979590b07d66bda2bc5268a6

SHA256
f955add5fea2a639c2643c0d7df1625384e515771c7bb299d5508fb82908f1d5

SHA512
8af709612c34dcb49cec8ab6edbf0ba0589f5e9a77ce8ac686af8d88f6f3bbfe08a84e338f95e130cf269f84dbf1c464af2676f3f8c31fc0bdb711d2fb5dada2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5584.tmp

Filesize
715B

MD5
587be65a5dd511a9c7cf5c53a0dde1df

SHA1
47bf97e955842990ef23b199d9c448886af30d15

SHA256
4f149c2ac62924f2999c207ec8a05337aafd43cccbddaf1c75dfb00d09a341fa

SHA512
10828a505bef5081749a1709063a43e02dbd1a5e6b71c7577914d65993632d82741bcc90f17db919fa3a52ca5b543b5783b8842a2e40c534dda1ca0ab1665873

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEE5E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar940.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2580-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2580-1-0x0000000000230000-0x0000000000299000-memory.dmp

Filesize
420KB

Download
memory/2580-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2580-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2580-5-0x0000000001CB0000-0x0000000001D6F000-memory.dmp

Filesize
764KB

Download
memory/2580-7-0x0000000001CB0000-0x0000000001D6F000-memory.dmp

Filesize
764KB

Download
memory/2580-9-0x0000000001CB0000-0x0000000001D6F000-memory.dmp

Filesize
764KB

Download
memory/2580-11-0x0000000001CB0000-0x0000000001D6F000-memory.dmp

Filesize
764KB

Download
memory/2580-13-0x0000000001CB0000-0x0000000001D6F000-memory.dmp

Filesize
764KB

Download
memory/2580-15-0x0000000001CB0000-0x0000000001D6F000-memory.dmp

Filesize
764KB

Download
memory/2580-16-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-18-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-20-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-21-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-51-0x0000000000230000-0x0000000000299000-memory.dmp

Filesize
420KB

Download
memory/2580-53-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-54-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-55-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-56-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-57-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-58-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-59-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-63-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-65-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-64-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-61-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-66-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-67-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-62-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-60-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-68-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-69-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-71-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-75-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-77-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-76-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-78-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-80-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-74-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-81-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-85-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-88-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-92-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-95-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-93-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-94-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-91-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-90-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-89-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-87-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-86-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-84-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-82-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-83-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-79-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-73-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-72-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-70-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download
memory/2580-175-0x0000000002060000-0x0000000002126000-memory.dmp

Filesize
792KB

Download