Overview
overview
7Static
static
37b6e0e0a98...92.exe
windows7-x64
77b6e0e0a98...92.exe
windows10-2004-x64
7$TEMP/DSCT...30.dll
windows7-x64
1$TEMP/DSCT...30.dll
windows10-2004-x64
3$TEMP/DSCertEx.dll
windows7-x64
1$TEMP/DSCertEx.dll
windows10-2004-x64
1$TEMP/Mobi...32.dll
windows7-x64
1$TEMP/Mobi...32.dll
windows10-2004-x64
3$TEMP/NFil...eb.dll
windows7-x64
3$TEMP/NFil...eb.dll
windows10-2004-x64
3$TEMP/NpkiCard.dll
windows7-x64
1$TEMP/NpkiCard.dll
windows10-2004-x64
3$TEMP/SCSKAPPLink.dll
windows7-x64
1$TEMP/SCSKAPPLink.dll
windows10-2004-x64
1$TEMP/UBIK...In.exe
windows7-x64
7$TEMP/UBIK...In.exe
windows10-2004-x64
7$TEMP/UBIK...ce.exe
windows7-x64
1$TEMP/UBIK...ce.exe
windows10-2004-x64
1$TEMP/UbiKey.dll
windows7-x64
1$TEMP/UbiKey.dll
windows10-2004-x64
3$TEMP/UbiK...ll.exe
windows7-x64
1$TEMP/UbiK...ll.exe
windows10-2004-x64
1$TEMP/UbiKeyWin32.dll
windows7-x64
1$TEMP/UbiKeyWin32.dll
windows10-2004-x64
1$TEMP/Ubik...to.dll
windows7-x64
1$TEMP/Ubik...to.dll
windows10-2004-x64
1$TEMP/certadm.dll
windows7-x64
1$TEMP/certadm.dll
windows10-2004-x64
1$TEMP/certcli.dll
windows7-x64
1$TEMP/certcli.dll
windows10-2004-x64
1$TEMP/certutil.exe
windows7-x64
1$TEMP/certutil.exe
windows10-2004-x64
1Analysis
-
max time kernel
142s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
27/01/2024, 22:19
Static task
static1
Behavioral task
behavioral1
Sample
7b6e0e0a9844777fe52da9bd0a573d92.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
7b6e0e0a9844777fe52da9bd0a573d92.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$TEMP/DSCToolkitV30.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral4
Sample
$TEMP/DSCToolkitV30.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$TEMP/DSCertEx.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral6
Sample
$TEMP/DSCertEx.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$TEMP/MobileCertWin32.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral8
Sample
$TEMP/MobileCertWin32.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$TEMP/NFilterOpenWeb.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral10
Sample
$TEMP/NFilterOpenWeb.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$TEMP/NpkiCard.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral12
Sample
$TEMP/NpkiCard.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$TEMP/SCSKAPPLink.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral14
Sample
$TEMP/SCSKAPPLink.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$TEMP/UBIKeyPlugIn.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral16
Sample
$TEMP/UBIKeyPlugIn.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$TEMP/UBIKeyService.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral18
Sample
$TEMP/UBIKeyService.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$TEMP/UbiKey.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral20
Sample
$TEMP/UbiKey.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$TEMP/UbiKeyUninstall.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral22
Sample
$TEMP/UbiKeyUninstall.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$TEMP/UbiKeyWin32.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral24
Sample
$TEMP/UbiKeyWin32.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$TEMP/UbikeyCrypto.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral26
Sample
$TEMP/UbikeyCrypto.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$TEMP/certadm.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral28
Sample
$TEMP/certadm.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$TEMP/certcli.dll
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral30
Sample
$TEMP/certcli.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$TEMP/certutil.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral32
Sample
$TEMP/certutil.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
General
-
Target
$TEMP/certcli.dll
-
Size
185KB
-
MD5
f509af061bbf4eb9c39f3cca88c00505
-
SHA1
a83487b2f41631576606e318ee792de695de72be
-
SHA256
87ca129af67985dd5ed22913fd02402a9f2a965c13fa83be60fbeb94cbc595cd
-
SHA512
9b6dee15751d40eb27b8e82bcf88ecee8658be9316a194c8b9492ccf6697f93ae1558adcaa25fe6d317963850bde805f2de6b67cb369adcb228a043741c85365
-
SSDEEP
3072:2R+zHLqyTs5P/3AqYiHsq4zF4TPhS9JgUjY/Kv0V25N8HJjZ6nssxs3+HNJ8:Z1s5X3ACHsLzFoPhSAUjR0UcH6p
Malware Config
Signatures
-
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerPolicy.1\ = "CertServerPolicy Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FE0D935-DDA6-443F-85D0-1CFB58FE41DD} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D99E6E70-FC88-11D0-B498-00A0C90312F3}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA000926-FFBE-11CF-8800-00A0C903B83C}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerExit.1\ = "CertServerPolicy Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerPolicy regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.GetConfig\CLSID\ = "{C6CC49B0-CE17-11D0-8833-00A0C903B83C}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Request regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98AFF3F0-5524-11D0-8812-00A0C903B83C} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98AFF3F0-5524-11D0-8812-00A0C903B83C}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Request.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Request\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C4A5E40-732C-11D0-8816-00A0C903B83C}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5422FD3A-D4B8-4CEF-A12E-E87D4CA22E90}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D99E6E70-FC88-11D0-B498-00A0C90312F3}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Config regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6CC49B0-CE17-11D0-8833-00A0C903B83C}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5422FD3A-D4B8-4CEF-A12E-E87D4CA22E90}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerExit.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.GetConfig.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6CC49B0-CE17-11D0-8833-00A0C903B83C}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FE0D935-DDA6-443F-85D0-1CFB58FE41DD}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Config.1\ = "CertConfig Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5422FD3A-D4B8-4CEF-A12E-E87D4CA22E90} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerPolicy\ = "CertServerPolicy Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C4A5E40-732C-11D0-8816-00A0C903B83C} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C4A5E40-732C-11D0-8816-00A0C903B83C}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerExit.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerExit regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Request\CLSID\ = "{98AFF3F0-5524-11D0-8812-00A0C903B83C}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA000926-FFBE-11CF-8800-00A0C903B83C}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerExit\ = "CertServerPolicy Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerExit\CLSID\ = "{4C4A5E40-732C-11D0-8816-00A0C903B83C}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.GetConfig\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerPolicy.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4C4A5E40-732C-11D0-8816-00A0C903B83C}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\WOW6432Node\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Config\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FE0D935-DDA6-443F-85D0-1CFB58FE41DD}\InProcServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D99E6E70-FC88-11D0-B498-00A0C90312F3} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Config\CLSID\ = "{372FCE38-4324-11D0-8810-00A0C903B83C}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.GetConfig.1\ = "CertGetConfig Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6CC49B0-CE17-11D0-8833-00A0C903B83C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerPolicy\CLSID\ = "{AA000926-FFBE-11CF-8800-00A0C903B83C}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FE0D935-DDA6-443F-85D0-1CFB58FE41DD}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D99E6E71-FC88-11D0-B498-00A0C90312F3}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Config.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{372FCE38-4324-11D0-8810-00A0C903B83C}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.GetConfig regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Request.1\ = "CertRequest Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Request\ = "CertRequest Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98AFF3F0-5524-11D0-8812-00A0C903B83C}\ProgID regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\WOW6432Node\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FE0D935-DDA6-443F-85D0-1CFB58FE41DD} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.Config\ = "CertConfig Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.GetConfig.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerPolicy\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA000926-FFBE-11CF-8800-00A0C903B83C}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerExit\CLSID regsvr32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3648 wrote to memory of 1064 3648 regsvr32.exe 86 PID 3648 wrote to memory of 1064 3648 regsvr32.exe 86 PID 3648 wrote to memory of 1064 3648 regsvr32.exe 86