055eeb231a8d164638fb06673045514b018f738753e48f57f8ed48cac34f7af7

Analysis

max time kernel
176s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23149475a606c307ddfbd83ec62eae50.exe
Size

1.0MB
MD5

23149475a606c307ddfbd83ec62eae50
SHA1

7b26528730414618ecdcce58f3f5ba16d604e13b
SHA256

055eeb231a8d164638fb06673045514b018f738753e48f57f8ed48cac34f7af7
SHA512

21ddb20d0177918248a95bf20fd2438a7ab67925c04ee8f4fc272a1a392df6ca481790457dd5f1698c636cb39299ea50986037e6dc8c79798871ce492b586ed2
SSDEEP

24576:HbSaE4mvt/+/EWIw4ri+BQNnMabVAF318gp:HbSv4mvEDOgsPp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	23149475a606c307ddfbd83ec62eae50.exe

Executes dropped EXE 2 IoCs

pid	Process
2068	File.exe
4992	eicabfbcibhi.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	File.exe
2068	File.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3204	4992	WerFault.exe	95

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x000b000000023119-20.dat	nsis_installer_1
behavioral2/files/0x000b000000023119-20.dat	nsis_installer_2
behavioral2/files/0x000b000000023119-30.dat	nsis_installer_1
behavioral2/files/0x000b000000023119-30.dat	nsis_installer_2
behavioral2/files/0x000b000000023119-31.dat	nsis_installer_1
behavioral2/files/0x000b000000023119-31.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	23149475a606c307ddfbd83ec62eae50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d81203000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	23149475a606c307ddfbd83ec62eae50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	23149475a606c307ddfbd83ec62eae50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c0000000100000004000000000800000400000001000000100000008ccadc0b22cef5be72ac411a11a8d81203000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	23149475a606c307ddfbd83ec62eae50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	23149475a606c307ddfbd83ec62eae50.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1580	23149475a606c307ddfbd83ec62eae50.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	23149475a606c307ddfbd83ec62eae50.exe
Token: SeIncreaseQuotaPrivilege	3608	wmic.exe
Token: SeSecurityPrivilege	3608	wmic.exe
Token: SeTakeOwnershipPrivilege	3608	wmic.exe
Token: SeLoadDriverPrivilege	3608	wmic.exe
Token: SeSystemProfilePrivilege	3608	wmic.exe
Token: SeSystemtimePrivilege	3608	wmic.exe
Token: SeProfSingleProcessPrivilege	3608	wmic.exe
Token: SeIncBasePriorityPrivilege	3608	wmic.exe
Token: SeCreatePagefilePrivilege	3608	wmic.exe
Token: SeBackupPrivilege	3608	wmic.exe
Token: SeRestorePrivilege	3608	wmic.exe
Token: SeShutdownPrivilege	3608	wmic.exe
Token: SeDebugPrivilege	3608	wmic.exe
Token: SeSystemEnvironmentPrivilege	3608	wmic.exe
Token: SeRemoteShutdownPrivilege	3608	wmic.exe
Token: SeUndockPrivilege	3608	wmic.exe
Token: SeManageVolumePrivilege	3608	wmic.exe
Token: 33	3608	wmic.exe
Token: 34	3608	wmic.exe
Token: 35	3608	wmic.exe
Token: 36	3608	wmic.exe
Token: SeIncreaseQuotaPrivilege	3608	wmic.exe
Token: SeSecurityPrivilege	3608	wmic.exe
Token: SeTakeOwnershipPrivilege	3608	wmic.exe
Token: SeLoadDriverPrivilege	3608	wmic.exe
Token: SeSystemProfilePrivilege	3608	wmic.exe
Token: SeSystemtimePrivilege	3608	wmic.exe
Token: SeProfSingleProcessPrivilege	3608	wmic.exe
Token: SeIncBasePriorityPrivilege	3608	wmic.exe
Token: SeCreatePagefilePrivilege	3608	wmic.exe
Token: SeBackupPrivilege	3608	wmic.exe
Token: SeRestorePrivilege	3608	wmic.exe
Token: SeShutdownPrivilege	3608	wmic.exe
Token: SeDebugPrivilege	3608	wmic.exe
Token: SeSystemEnvironmentPrivilege	3608	wmic.exe
Token: SeRemoteShutdownPrivilege	3608	wmic.exe
Token: SeUndockPrivilege	3608	wmic.exe
Token: SeManageVolumePrivilege	3608	wmic.exe
Token: 33	3608	wmic.exe
Token: 34	3608	wmic.exe
Token: 35	3608	wmic.exe
Token: 36	3608	wmic.exe
Token: SeIncreaseQuotaPrivilege	3056	wmic.exe
Token: SeSecurityPrivilege	3056	wmic.exe
Token: SeTakeOwnershipPrivilege	3056	wmic.exe
Token: SeLoadDriverPrivilege	3056	wmic.exe
Token: SeSystemProfilePrivilege	3056	wmic.exe
Token: SeSystemtimePrivilege	3056	wmic.exe
Token: SeProfSingleProcessPrivilege	3056	wmic.exe
Token: SeIncBasePriorityPrivilege	3056	wmic.exe
Token: SeCreatePagefilePrivilege	3056	wmic.exe
Token: SeBackupPrivilege	3056	wmic.exe
Token: SeRestorePrivilege	3056	wmic.exe
Token: SeShutdownPrivilege	3056	wmic.exe
Token: SeDebugPrivilege	3056	wmic.exe
Token: SeSystemEnvironmentPrivilege	3056	wmic.exe
Token: SeRemoteShutdownPrivilege	3056	wmic.exe
Token: SeUndockPrivilege	3056	wmic.exe
Token: SeManageVolumePrivilege	3056	wmic.exe
Token: 33	3056	wmic.exe
Token: 34	3056	wmic.exe
Token: 35	3056	wmic.exe
Token: 36	3056	wmic.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2068	1580	23149475a606c307ddfbd83ec62eae50.exe	92
PID 1580 wrote to memory of 2068	1580	23149475a606c307ddfbd83ec62eae50.exe	92
PID 1580 wrote to memory of 2068	1580	23149475a606c307ddfbd83ec62eae50.exe	92
PID 2068 wrote to memory of 4992	2068	File.exe	95
PID 2068 wrote to memory of 4992	2068	File.exe	95
PID 2068 wrote to memory of 4992	2068	File.exe	95
PID 4992 wrote to memory of 3608	4992	eicabfbcibhi.exe	96
PID 4992 wrote to memory of 3608	4992	eicabfbcibhi.exe	96
PID 4992 wrote to memory of 3608	4992	eicabfbcibhi.exe	96
PID 4992 wrote to memory of 3056	4992	eicabfbcibhi.exe	99
PID 4992 wrote to memory of 3056	4992	eicabfbcibhi.exe	99
PID 4992 wrote to memory of 3056	4992	eicabfbcibhi.exe	99
PID 4992 wrote to memory of 3836	4992	eicabfbcibhi.exe	100
PID 4992 wrote to memory of 3836	4992	eicabfbcibhi.exe	100
PID 4992 wrote to memory of 3836	4992	eicabfbcibhi.exe	100
PID 4992 wrote to memory of 4116	4992	eicabfbcibhi.exe	103
PID 4992 wrote to memory of 4116	4992	eicabfbcibhi.exe	103
PID 4992 wrote to memory of 4116	4992	eicabfbcibhi.exe	103
PID 4992 wrote to memory of 4720	4992	eicabfbcibhi.exe	105
PID 4992 wrote to memory of 4720	4992	eicabfbcibhi.exe	105
PID 4992 wrote to memory of 4720	4992	eicabfbcibhi.exe	105

C:\Users\Admin\AppData\Local\Temp\23149475a606c307ddfbd83ec62eae50.exe
"C:\Users\Admin\AppData\Local\Temp\23149475a606c307ddfbd83ec62eae50.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\eicabfbcibhi.exe
    C:\Users\Admin\AppData\Local\Temp\eicabfbcibhi.exe 9-5-2-9-3-5-1-5-3-4-9 JktHOzosMis0LxcmTlM5TURDOC0cJkVAUk5MTUpEQTknFypCQFBPSD86LisvMjUXLD5IPzosFyZLUEZBUEJPXEU7NC4xKTIbLk5CTk08TV1MT0c8Y3FwZzEqLWpvcS0/Qk9CJE9NRyo8T0srRUU9Sh4mQEdIPkhFOzQ/WCgtZzVqamJPFypCKDpJVEg/QUkXKkIpOigwGyxAKjQoLxcsPzM4Ki0XJj8zNCosHypNTkY7UEFLXEtRRFM9OlA4HiZNTU4/Uj9LVkBTQz44HypNTkY7UEFLXElASEI5FyZAVjxcUFFHOhwmPFNDVkBIQ0dGSjw0Gy0/TE5TWj9ORk5OQ0k6LR8qUUQ4RUZXRlJaVE1JORcmUUs0LxsuP1AtNBcqUExLT0hIQltOPEdBRkpASEg+QzxMTUo0HSpITlxOTEVPR0RCOHNtcmEXJk1DS1JNTURLQ1ZMTkNJXD9AVFA5KRcqRkBBQFc4LhwmQE5dO1ZJQEhGP1Y8SUFJVktTQEE5XVhncVwdKkNKVEpDRjxCVkZLPCwtNSUoLTAlLi0xKTEwFyZPR0RCODAvLzQsKSs2KzIbLj9MU0VDSj87XE9ISEI5KyYzLSktLDQlNDYpJzUyLCdLTA==
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421457.txt bios get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3608
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421457.txt bios get version
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3056
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421457.txt bios get version
      4⤵
      PID:3836
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421457.txt bios get version
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421457.txt bios get version
      4⤵
      PID:4720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 916
      4⤵
      Program crash
      PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4992 -ip 4992
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704421457.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704421457.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704421457.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
213KB

MD5
36c5f695dd38a7f4831a2e38ed62dabb

SHA1
82e3420917660c53da71d1fb14060bd7468a1e1b

SHA256
d8c367077883368093001f19edee00d4976a40f1348c3e9da15716b22380c81e

SHA512
1e41024b7264abad4a9537a6956872791012f93ceab097797970748e73b4e56e5022146eb3f703e4d283dcf72c8b32d913d5b76128a352d6a2b443b07932626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
146KB

MD5
fd6bbeb02d96a192e0951ed75e3ce875

SHA1
0cf91f2c30bc30eea9b2bf09382af846d8244a87

SHA256
39134e6ef2e31e074271117ddc9c979a9284fec3699b412fbf9926cd464f7857

SHA512
97ba05db2a02bb69e3cdeee120f70963cf01ecb5c837b011b72c300e64c45dab59c02f202ad98c4e326ffab4162f9c228eb03a7c4018b494b25ce510bb6724a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
202KB

MD5
b44a9de5aaa13753949c7bfc4505a7e6

SHA1
86549fb6fe492bc6c192f6da0265deb0057f115a

SHA256
c3adb9be64e3975ac89af6a4719854df65ec4d689347143ea5d225f0904a5085

SHA512
c31083aea9fc3dba53dc9677ff83d3fa5237eb76a930d58f731752e944a0003db350582ab42e7d1c737671eb7816a8ac41f3d042902a6627cc4113b6bccfc871

Download Submit
C:\Users\Admin\AppData\Local\Temp\eicabfbcibhi.exe

Filesize
764KB

MD5
286462dd4060b816f673431fe19d9855

SHA1
0f93f8fb93025b9ddcc4674cf843e7e6bafd2fb9

SHA256
d67a728d2e997c38fc86e4b3bd63f0b544783794b6274dd9a65f58d8f793882c

SHA512
91f79d9a07c3eb6af1a71657f9c9c1ca8bb719e22bd365357c335713719c9b5d0eceedc0d9f85bdd1f491d85c27b49defe9f8fe0e3f2e4766c488be308a54011

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxACA.tmp\dnjzh.dll

Filesize
125KB

MD5
7d7518d98e68eebbb02ee06a931fd0c6

SHA1
73a1c22beb0381aa241a4542df29d20a9da5e033

SHA256
6fd1735c87fd55624f93a5141710324ba6c23788c8804ce387592a6599fe7f14

SHA512
bb33af0a4b0f21fb13112cdd6880575c5ff7b19b67ec6db74f7c558a7666f8aa34864650313a4e5f56afb239da0d7e1a6c9e6c1d789907aa2c31e930e7103117

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxACA.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit
memory/1580-1-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/1580-15-0x000000001C090000-0x000000001C108000-memory.dmp

Filesize
480KB

Download
memory/1580-0-0x00007FFD71AE0000-0x00007FFD72481000-memory.dmp

Filesize
9.6MB

Download
memory/1580-91-0x00007FFD71AE0000-0x00007FFD72481000-memory.dmp

Filesize
9.6MB

Download