fa26c4168f6518c8c4169e170046652565718984f29b6cf78f38f993bbf043b6

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

115ca675f0098d320aeeaca88e9b248c.exe
Size

52KB
MD5

115ca675f0098d320aeeaca88e9b248c
SHA1

c254ec13ab67c6c3b5fdbeee8151a1c5544e95b3
SHA256

fa26c4168f6518c8c4169e170046652565718984f29b6cf78f38f993bbf043b6
SHA512

c2fdff3229f61ba68eaa3417c5de6eefef2625c382d51dc38c624e936073bf03ca64a3bbed7ec9da2b3ecc84f4ee0723a2ff234e46e805d67117fa3dfa9cc75e
SSDEEP

768:Yl0RWNvjjZpolW1dmaW4KpQDxdjjmADoOEsxzWM6H8A7DOEAc:cAQbcy0Oc

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	115ca675f0098d320aeeaca88e9b248c.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\z_115ca675f0098d320aeeaca88e9b248c_debug.txt	115ca675f0098d320aeeaca88e9b248c.exe
File opened for modification	C:\Windows\SysWOW64\svcctrl.exe	115ca675f0098d320aeeaca88e9b248c.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2780	sc.exe
2684	sc.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	115ca675f0098d320aeeaca88e9b248c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	115ca675f0098d320aeeaca88e9b248c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	115ca675f0098d320aeeaca88e9b248c.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	115ca675f0098d320aeeaca88e9b248c.exe
Token: SeDebugPrivilege	2084	115ca675f0098d320aeeaca88e9b248c.exe
Token: SeRestorePrivilege	2084	115ca675f0098d320aeeaca88e9b248c.exe
Token: SeBackupPrivilege	2084	115ca675f0098d320aeeaca88e9b248c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2084	115ca675f0098d320aeeaca88e9b248c.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2632	2084	115ca675f0098d320aeeaca88e9b248c.exe	28
PID 2084 wrote to memory of 2632	2084	115ca675f0098d320aeeaca88e9b248c.exe	28
PID 2084 wrote to memory of 2632	2084	115ca675f0098d320aeeaca88e9b248c.exe	28
PID 2084 wrote to memory of 2632	2084	115ca675f0098d320aeeaca88e9b248c.exe	28
PID 2084 wrote to memory of 2632	2084	115ca675f0098d320aeeaca88e9b248c.exe	28
PID 2084 wrote to memory of 2632	2084	115ca675f0098d320aeeaca88e9b248c.exe	28
PID 2084 wrote to memory of 2632	2084	115ca675f0098d320aeeaca88e9b248c.exe	28
PID 2084 wrote to memory of 1912	2084	115ca675f0098d320aeeaca88e9b248c.exe	30
PID 2084 wrote to memory of 1912	2084	115ca675f0098d320aeeaca88e9b248c.exe	30
PID 2084 wrote to memory of 1912	2084	115ca675f0098d320aeeaca88e9b248c.exe	30
PID 2084 wrote to memory of 1912	2084	115ca675f0098d320aeeaca88e9b248c.exe	30
PID 2084 wrote to memory of 1912	2084	115ca675f0098d320aeeaca88e9b248c.exe	30
PID 2084 wrote to memory of 1912	2084	115ca675f0098d320aeeaca88e9b248c.exe	30
PID 2084 wrote to memory of 1912	2084	115ca675f0098d320aeeaca88e9b248c.exe	30
PID 2632 wrote to memory of 2744	2632	net.exe	33
PID 2632 wrote to memory of 2744	2632	net.exe	33
PID 2632 wrote to memory of 2744	2632	net.exe	33
PID 1912 wrote to memory of 2760	1912	net.exe	32
PID 1912 wrote to memory of 2760	1912	net.exe	32
PID 1912 wrote to memory of 2760	1912	net.exe	32
PID 2632 wrote to memory of 2744	2632	net.exe	33
PID 2632 wrote to memory of 2744	2632	net.exe	33
PID 2632 wrote to memory of 2744	2632	net.exe	33
PID 1912 wrote to memory of 2760	1912	net.exe	32
PID 1912 wrote to memory of 2760	1912	net.exe	32
PID 1912 wrote to memory of 2760	1912	net.exe	32
PID 2632 wrote to memory of 2744	2632	net.exe	33
PID 1912 wrote to memory of 2760	1912	net.exe	32
PID 2084 wrote to memory of 2780	2084	115ca675f0098d320aeeaca88e9b248c.exe	34
PID 2084 wrote to memory of 2780	2084	115ca675f0098d320aeeaca88e9b248c.exe	34
PID 2084 wrote to memory of 2780	2084	115ca675f0098d320aeeaca88e9b248c.exe	34
PID 2084 wrote to memory of 2780	2084	115ca675f0098d320aeeaca88e9b248c.exe	34
PID 2084 wrote to memory of 2780	2084	115ca675f0098d320aeeaca88e9b248c.exe	34
PID 2084 wrote to memory of 2780	2084	115ca675f0098d320aeeaca88e9b248c.exe	34
PID 2084 wrote to memory of 2780	2084	115ca675f0098d320aeeaca88e9b248c.exe	34
PID 2084 wrote to memory of 2684	2084	115ca675f0098d320aeeaca88e9b248c.exe	36
PID 2084 wrote to memory of 2684	2084	115ca675f0098d320aeeaca88e9b248c.exe	36
PID 2084 wrote to memory of 2684	2084	115ca675f0098d320aeeaca88e9b248c.exe	36
PID 2084 wrote to memory of 2684	2084	115ca675f0098d320aeeaca88e9b248c.exe	36
PID 2084 wrote to memory of 2684	2084	115ca675f0098d320aeeaca88e9b248c.exe	36
PID 2084 wrote to memory of 2684	2084	115ca675f0098d320aeeaca88e9b248c.exe	36
PID 2084 wrote to memory of 2684	2084	115ca675f0098d320aeeaca88e9b248c.exe	36

C:\Users\Admin\AppData\Local\Temp\115ca675f0098d320aeeaca88e9b248c.exe
"C:\Users\Admin\AppData\Local\Temp\115ca675f0098d320aeeaca88e9b248c.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\net.exe
  net stop wscsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop wscsvc
    3⤵
    PID:2744
- C:\Windows\SysWOW64\net.exe
  net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:2760
- C:\Windows\SysWOW64\sc.exe
  sc delete wscsvc
  2⤵
  - Launches sc.exe
  PID:2780
- C:\Windows\SysWOW64\sc.exe
  sc delete sharedaccess
  2⤵
  - Launches sc.exe
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab96D5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9755.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\SysWOW64\svcctrl.exe

Filesize
41KB

MD5
8d5e53fc7b8b425a6f652d594b0e92d3

SHA1
b791e8d13ee985b7ccf1d2b6a99d74fc0bf2d542

SHA256
5f8b89b370cb0ba73505da4b4c214b73f27dc2181a24a610226ff1560a58610c

SHA512
cfab526a65a5f3ad744e28226cdf2238d31478902caf6e37ab3293e959bb944c3edadc655aa3403bd0057540fbe9026f7385f8f5f1124b832c5eb2789308e4b4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads