8ed183df76d08024f15e051f4f5711535dde6372ff4beafecfff07f82e846800

Analysis

max time kernel
21s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Size

416KB
MD5

bd4ea1c3cb843597d5b3a560f95840bb
SHA1

f81c504435d27e6a502acee3d1834121517ea194
SHA256

67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08
SHA512

7ac8ef4f1f6f9aab30ea183e5377b6bdd617f7c18af86cdde4da8f2e8528835faf659b9fad8b8bffc22b98b4659967f013155c257feedddfaf9b332dd77c565a
SSDEEP

3072:1VAz+HYRuV4ek4gX/am6/iQ0ET1fY/Tnib6qICONXvm0JZxkW5QGmwFp+1mSZoNJ:7c+HY0n/p0VTJq+9wm0sfi4J

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1220 1676 WerFault.exe 67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe

pid	pid_target	process	target process
1220	1676	WerFault.exe	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\007790F6561DAD89B0BCD85585762495E358F8A5	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\SystemCertificates\CA\Certificates\007790F6561DAD89B0BCD85585762495E358F8A5\Blob = 030000000100000014000000007790f6561dad89b0bcd85585762495e358f8a5140000000100000014000000963b53f0793397af7d83ef2e2bcccab7861e7266040000000100000010000000197460a709d4f4c8fac4b9e3322054340f0000000100000020000000a08e79c386083d875014c409c13d144e0a24386132980df11ff59737c8489eb11900000001000000100000008c94d3a163ad461aff343c0b830a90ce180000000100000010000000d8b5fb368468620275d142ffd2aade374b0000000100000044000000430034003600450037004200300046003900340032003600360033004100310045004400430038004400390044003600440037003800360039003100370033005f00000020000000010000005d0500003082055930820441a00302010202103d78d7f9764960b2617df4f01eca862a300d06092a864886f70d01010b05003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3133313231303030303030305a170d3233313230393233353935395a307f310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b3130302e0603550403132753796d616e74656320436c61737320332053484132353620436f6465205369676e696e6720434130820122300d06092a864886f70d01010105000382010f003082010a028201010097831e0016af2cb1d208c4d7689351601e71f6e247b4db584d23626ab4bf5a1b51f7a30d187768bbd836ab2f2150da9ef3e75f274e0bc297c8097093a9da5c0d4ea40d91a0b4ec14ce9172542ecea3db44e9521b3f413cca4ae4aac0e839ab53cc21d0cccf7f9be6c2cc586a8215ee3d36cf1cc59707248ef17bbe312d3d6edcb599429f4b61955f1c70ee177ddb8be5618978c7681baf11781a98aec4554753d9b332d6a10e4640c597928ad153a7995b853557d3ea936261200ac7307724114d6283b6ba7b688231ee65cadff9d58db235dc8c2b6f6a725c60849cf20c945ec056520048ccd3f8a57dde2fd713e438a884d546b81386c21b9dea5a38dd9bdb0203010001a38201833082017f302f06082b0601050507010104233021301f06082b060105050730018613687474703a2f2f73322e73796d63622e636f6d30120603551d130101ff040830060101ff020100306c0603551d20046530633061060b6086480186f845010717033052302606082b06010505070201161a687474703a2f2f7777772e73796d617574682e636f6d2f637073302806082b06010505070202301c1a1a687474703a2f2f7777772e73796d617574682e636f6d2f72706130300603551d1f042930273025a023a021861f687474703a2f2f73312e73796d63622e636f6d2f706361332d67352e63726c301d0603551d250416301406082b0601050507030206082b06010505070303300e0603551d0f0101ff04040302010630290603551d1104223020a41e301c311a30180603550403131153796d616e746563504b492d312d353637301d0603551d0e04160414963b53f0793397af7d83ef2e2bcccab7861e7266301f0603551d230418301680147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d01010b0500038201010013851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe:Zone.Identifier	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe

description	pid	process	target process
PID 1676 wrote to memory of 2912	1676	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe	cmd.exe
PID 1676 wrote to memory of 2912	1676	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe	cmd.exe
PID 1676 wrote to memory of 2912	1676	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe	cmd.exe
PID 1676 wrote to memory of 2912	1676	67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
"C:\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe:Zone.Identifier"
2⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1564
2⤵
- Program crash
PID:1220

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab17C7.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar17E9.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Filesize
102KB

MD5
41ceec98b7c1cbd0c843b3e7afe590f4

SHA1
f28755b06f6a714d33d7de106144eb71e4b35498

SHA256
7487c1b2ead2d06dac48afb43d8fd21bb4e02e24c83fdcc1cf41065e4768d523

SHA512
ceb4067a1f90f02dc65044844eedb5b42af1caa206eeb0977f6752885468b1ee65addca3680e74e95484d54028c38e98a3c50461c1768bca03d04ecdd50d4fe7

Download Submit
\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Filesize
204KB

MD5
c0f5b341b793df9a7dd9b36b71d5ab8a

SHA1
e041f505e75c7c86e001b7730869962067a194c5

SHA256
3c9f331fbad1b8c5aa8f0e0d14e9ed7c120777e54050418928e6368de58b2eaa

SHA512
2c7996d03d48546406a4f7812678139f69506be78241be3f35dd08be3d94a7b592e7bf16070d8d27a7e6cdccc4c24a416a9ecf6b6e5f6baa3b4bfd59d340fb10

Download Submit
\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Filesize
180KB

MD5
3ae869442d6f495019b3874d5db95cc7

SHA1
ac57a1a9938533be5135a7fe5f1f2f0ad6fdabf9

SHA256
1876ff41b0d9897df27321c1ab53e4a1f2cbc3080fea679d80a25ea1a5d90327

SHA512
08ebe42d2a907021560837dba03766a71b45c6fbe739989a0cf0bcc58e148b160bda32912fbce019ccd2a8b523012c5bfca608dcff98afa59f685a79e21d6d61

Download Submit
\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Filesize
198KB

MD5
ef4613df2bf6da732ac3bd0e12bbcafc

SHA1
78b7440870ce6789595b7244679e344636d2e7a6

SHA256
2fce7808f21513eb1267d6f23c60dcfa233c4acffdc20feae8bc32c8f99190b8

SHA512
08302d697da09ec06aea34146ee691786de013f94116c0a239144bc712fc6d7cb583451a913987d7910eb7be9902020603c59343c8957ce08f2e017b201c89bd

Download Submit
\Users\Admin\AppData\Local\Temp\67beeb7a196a91ffdb77af4e53143e75a157ea6cf3432a2e14e1c55d11ef2f08.exe
Filesize
170KB

MD5
748d4ee0e8e7d8a1c9657b624c672ee7

SHA1
5626c42d0a2bc01abcb3b092fc20e2724b842110

SHA256
b055b5fc325610b05e1c30edd5aa43376f086a8e08ccba8c0e6154c10b2835e5

SHA512
b03cdc7de958831e752630343ad003e1f4ccd5a1cc1d39e9a8e3a8ed056db509c12fec15dafce393a83460dd3049e37c363a84067d77eb2070a868f9842ae02f

Download Submit
memory/1676-79-0x0000000005850000-0x0000000005890000-memory.dmp

Filesize
256KB

Download
memory/1676-83-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download
memory/1676-84-0x0000000005850000-0x0000000005890000-memory.dmp

Filesize
256KB

Download
memory/1676-85-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/1676-81-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/1676-82-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/1676-80-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/1676-0-0x00000000013E0000-0x000000000144A000-memory.dmp

Filesize
424KB

Download
memory/1676-1-0x0000000074C80000-0x000000007536E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads