80db8be3a65030d614e9b01c1bab3e568bfdef5c367e51b0292a7d57338cbf4c

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6544eb01ffa6fdac7678a21893d5b672.exe
Size

1.9MB
MD5

6544eb01ffa6fdac7678a21893d5b672
SHA1

b1557bff478b9961c390c0c38abf54b8236fb237
SHA256

80db8be3a65030d614e9b01c1bab3e568bfdef5c367e51b0292a7d57338cbf4c
SHA512

3bc8db13c30787dc55ae7625c5406ff464eb3c6b637ca120b49e6d21eca2cfd832f7fd62932edd4676e77ea18f74e4e9065172c915d74e06c50c142689af3c84
SSDEEP

49152:/YdNpL8fTRc/qadSqx5OiXLDZaYZYKm8981BqeFRX:KLD/qadSqx3LNRbmgyTX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2876	ALUpProduct.exe
1364	eausvc.exe

Loads dropped DLL 4 IoCs

pid	Process
2180	6544eb01ffa6fdac7678a21893d5b672.exe
2180	6544eb01ffa6fdac7678a21893d5b672.exe
2876	ALUpProduct.exe
2876	ALUpProduct.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe	6544eb01ffa6fdac7678a21893d5b672.exe
File created	C:\Program Files\ESTsoft\ALUpdate\eausvc.exe	6544eb01ffa6fdac7678a21893d5b672.exe
File opened for modification	C:\Program Files\ESTsoft\ALUpdate\eausvc.exe	6544eb01ffa6fdac7678a21893d5b672.exe
File created	C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe	6544eb01ffa6fdac7678a21893d5b672.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	eausvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	eausvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	eausvc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2876	2180	6544eb01ffa6fdac7678a21893d5b672.exe	28
PID 2180 wrote to memory of 2876	2180	6544eb01ffa6fdac7678a21893d5b672.exe	28
PID 2180 wrote to memory of 2876	2180	6544eb01ffa6fdac7678a21893d5b672.exe	28
PID 2180 wrote to memory of 2876	2180	6544eb01ffa6fdac7678a21893d5b672.exe	28
PID 2876 wrote to memory of 1364	2876	ALUpProduct.exe	29
PID 2876 wrote to memory of 1364	2876	ALUpProduct.exe	29
PID 2876 wrote to memory of 1364	2876	ALUpProduct.exe	29

C:\Users\Admin\AppData\Local\Temp\6544eb01ffa6fdac7678a21893d5b672.exe
"C:\Users\Admin\AppData\Local\Temp\6544eb01ffa6fdac7678a21893d5b672.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe
  "C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Program Files\ESTsoft\ALUpdate\eausvc.exe
    eausvc.exe
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe

Filesize
821KB

MD5
7cc9a52e555d45bf3e4b8933fd8dc3f4

SHA1
98961345e676ccfe6b650a28a153cb62e977ad63

SHA256
c98aee55606f5b7be42d184e25bb589043253b6771be8c0bab72297b3f378665

SHA512
46ff8f897073a20685dda0d58299394d2d0c75dfe8be309f4aad08cf54fd7f269983ecaadffffe0c7f530976413f152f2de48751e96bfb37271f7cad3671bf00

Download Submit
C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe

Filesize
512KB

MD5
ba37b82b164c4e6cadf59cbd806b142a

SHA1
cf930307ded74a3dea0734f65ee4262d85255707

SHA256
45c2d0c4cd6f443ada9c6a6803e1aa34226a7b5888e255d3875dc9d59f41781f

SHA512
a46ffa620e03705254c6b9b173505cd6ab1064073d60cbde8cca966a74658bf06bdcb87cf284802b46058b5de542b06933fe86c269d50623d398f6a887e1f80f

Download Submit
C:\Program Files\ESTsoft\ALUpdate\eausvc.exe

Filesize
395KB

MD5
945cf5af1245e6fc72cfe60f767077fe

SHA1
3f9fe0092156c3f722a972d607fc0ea2d5d234c1

SHA256
cc7ec582e9315062d508d8a1e10b26f462f398523e1da2b566e7fbb3e34755f9

SHA512
b603477499df380014e8a77a591fbfa1940bec4fa308671d6005d47af543f34c7e78f533de1b74e09239b3faf554ee93e9ba7429d65d4875fd20682b6bed2fc1

Download Submit
C:\Program Files\ESTsoft\ALUpdate\eausvc.exe

Filesize
616KB

MD5
9613be76713bb24a47bc0da2d89af9df

SHA1
28ad19caa336e924a40a7022a08ae7cb6c23fe6d

SHA256
0639e25eef223fd29ccc5143b43c7a203f632d6268bded1a4e5666ef112d97bf

SHA512
8b8f63d032b4f758e516981de1a9c3775fe71a379bc50f63a6db53dbc6b10f4d3df0cd39f861a14e562b19e577eae2d35eaa4ea8a78c41fed69a0a49579bc340

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE39.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe

Filesize
1.1MB

MD5
0612cbc66251bd34ba43c198e096130d

SHA1
105ab613debb391fe1b9f81b23e123fe7bc6abb8

SHA256
1932bdcf6f7bc471836885b804bc1982daa5b8ed58db1bb91c1ea26bd7053f40

SHA512
3b85d5efb50b3d727b56121cf874eb0030d9b309d5b6426f0af4c48830e4508244d704ee3c2c85ffcd91f530c48c474a71d7f55c41f4b0ed8531fa40b4254a6f

Download Submit
\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe

Filesize
795KB

MD5
9627e4a754350f983ddb38cae379bd94

SHA1
8ce55b388dbe93ff35270b3230f8b80def739137

SHA256
472ddfe20bc722d024283ddf30455d772ca514d6ecb1f326add35ce903c320f1

SHA512
dc69ce6e7f61b2a074bc316bff2ba0a304b74bc4f177dec6c4457a934c03299b1bfe1edefda64c5062c23a340ae7f58ca334be4f84a1a2c497998e16e1a241b4

Download Submit
\Program Files\ESTsoft\ALUpdate\eausvc.exe

Filesize
740KB

MD5
ddf9103b1b9825266a99326f1f25faa7

SHA1
7d9f42010c4bb446404736c5e590daed0afebe37

SHA256
49b37cdfbe82f88dbe976351d572c3717b1f63edcc14a227c53389e3706cb6d7

SHA512
b801819536f8407fae89ec165112f44f99f7f69a720bb24f30446cd58ed0730dcc87c308e2e1177fcdb681dcbe60b643a961c430dca6a72bf837e7316a580af4

Download Submit
\Program Files\ESTsoft\ALUpdate\eausvc.exe

Filesize
683KB

MD5
8ab6d56ceb8fd9f92bce96908ad6c8ea

SHA1
dcb972967ee8feda9e45d65ce72a013972f18075

SHA256
c3b7afc2cc205caf58493c4c3f73407ed6cc03a2b38c3ddea336e6fd944038f0

SHA512
a4b7da76e5bb1a58988cf3476d2ff10a03910a0ad57e21b4ad50279911ae497a5213a095bd60a9f75e0516d8db106c1d2d0966c85426704834366e23bcf5e103

Download Submit
memory/1364-71-0x000000013F310000-0x000000013F487000-memory.dmp

Filesize
1.5MB

Download
memory/2180-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2876-16-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download