lgoogloader | 9ae11d65b395971a284fc936690c5d1dfd035332321fba900dfa873c58243283

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19046ffd0a7a3365ba8e5b464bba149b.exe
Size

101KB
MD5

19046ffd0a7a3365ba8e5b464bba149b
SHA1

66ce137113ada0844a916252f0e456d06cf906c1
SHA256

9ae11d65b395971a284fc936690c5d1dfd035332321fba900dfa873c58243283
SHA512

639f852a4665bb80271f10e1c60e5fd6046c556aaaa5c6e9e5cbfb43552ce2d7d4d4df03c15d51ecd28f25845e71a1ee60dc49a6fd76a6b468abfb6e153a2fed
SSDEEP

3072:z2NFei6thiKp+Ag3Q5JMUXFKJUHL5typ2g4e2byJYN:uFjOg3Q511Km5omeS

Score

10^/10

lgoogloader discovery downloader evasion trojan

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/2348-354-0x0000000000170000-0x000000000017D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19046ffd0a7a3365ba8e5b464bba149b.exe

Contacts a large (5241) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	19046ffd0a7a3365ba8e5b464bba149b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19046ffd0a7a3365ba8e5b464bba149b.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 2348	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	19046ffd0a7a3365ba8e5b464bba149b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	19046ffd0a7a3365ba8e5b464bba149b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	19046ffd0a7a3365ba8e5b464bba149b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	19046ffd0a7a3365ba8e5b464bba149b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	19046ffd0a7a3365ba8e5b464bba149b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	19046ffd0a7a3365ba8e5b464bba149b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	19046ffd0a7a3365ba8e5b464bba149b.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	19046ffd0a7a3365ba8e5b464bba149b.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	19046ffd0a7a3365ba8e5b464bba149b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	19046ffd0a7a3365ba8e5b464bba149b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	19046ffd0a7a3365ba8e5b464bba149b.exe

Runs regedit.exe 1 IoCs

pid	Process
2636	regedit.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1732	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	19046ffd0a7a3365ba8e5b464bba149b.exe
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1732	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	29
PID 1628 wrote to memory of 1732	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	29
PID 1628 wrote to memory of 1732	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	29
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2764	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	30
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2748	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	31
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 2636	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	32
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 864	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	33
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 2428	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	34
PID 1628 wrote to memory of 1716	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	35
PID 1628 wrote to memory of 1716	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	35
PID 1628 wrote to memory of 1716	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	35
PID 1628 wrote to memory of 1716	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	35
PID 1628 wrote to memory of 1716	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	35
PID 1628 wrote to memory of 1716	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	35
PID 1628 wrote to memory of 1716	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	35
PID 1628 wrote to memory of 1716	1628	19046ffd0a7a3365ba8e5b464bba149b.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19046ffd0a7a3365ba8e5b464bba149b.exe

C:\Users\Admin\AppData\Local\Temp\19046ffd0a7a3365ba8e5b464bba149b.exe
"C:\Users\Admin\AppData\Local\Temp\19046ffd0a7a3365ba8e5b464bba149b.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19046ffd0a7a3365ba8e5b464bba149b.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2748
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe"
  2⤵
  - Runs regedit.exe
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2428
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2292
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:484
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2348
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
695ced7b236ee277e6cee98afc88ff29

SHA1
b126a7608858aaa38f9d45dda72ae267d76e0287

SHA256
bbf27e19c66175147385003e5be8c26d1da9b0bc564299078c522eb1e6c47c84

SHA512
53798968cb1fe7d9d1246cfb4de4639247faf573e38c60aae213ca435b4dd6a59df5b776ee4fcda59ef0560933c97312720df7c73845aec3eafa635f123e5d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab207E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21F7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1628-332-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/1628-350-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-1-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-221-0x000000001BF50000-0x000000001BFE4000-memory.dmp

Filesize
592KB

Download
memory/1628-0-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/1628-2-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/1628-247-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

Filesize
9.9MB

Download
memory/1732-230-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/1732-233-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/1732-244-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1732-245-0x000007FEEDBC0000-0x000007FEEE55D000-memory.dmp

Filesize
9.6MB

Download
memory/1732-243-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1732-246-0x00000000028CB000-0x0000000002932000-memory.dmp

Filesize
412KB

Download
memory/1732-242-0x000007FEEDBC0000-0x000007FEEE55D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-355-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/2348-352-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2348-353-0x0000000000140000-0x0000000000149000-memory.dmp

Filesize
36KB

Download
memory/2348-354-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/2764-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-238-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2764-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download