95961b8f5d59930b6e867f09c19e0b18a06445ce4d1bb8359d59ffbf0d01021c

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a43517daccdad5d036434fa0cb36b5a0.exe
Size

60KB
MD5

a43517daccdad5d036434fa0cb36b5a0
SHA1

d8e43fbc599ceae39122b26851232d09658119a8
SHA256

95961b8f5d59930b6e867f09c19e0b18a06445ce4d1bb8359d59ffbf0d01021c
SHA512

64bd00a98e24b264fbf12055fe51bb051734ecaedba1fd25434a8dd949dab0755b9405e87399ff6e2f02597f0236f0c190d251cbc3c5c5d4f74445a568c0860c
SSDEEP

768:XAaDt+5D+wDmpnIy9NdfbVpWsyqAggqFU84Qt/QAcQVu84Qt/QA:Qqt2+wDmtlusyqFgWJtoApJtoA

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2944	updated1985.exe

Loads dropped DLL 4 IoCs

pid	Process
2436	a43517daccdad5d036434fa0cb36b5a0.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\54rk = "C:\\Windows\\SysWOW64\\updated1985.exe"	updated1985.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cfghw.tmp	a43517daccdad5d036434fa0cb36b5a0.exe
File created	C:\Windows\SysWOW64\updated1985.exe	a43517daccdad5d036434fa0cb36b5a0.exe
File opened for modification	C:\Windows\SysWOW64\cfghw.tmp	updated1985.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	updated1985.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	updated1985.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe
2944	updated1985.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2944	2436	a43517daccdad5d036434fa0cb36b5a0.exe	28
PID 2436 wrote to memory of 2944	2436	a43517daccdad5d036434fa0cb36b5a0.exe	28
PID 2436 wrote to memory of 2944	2436	a43517daccdad5d036434fa0cb36b5a0.exe	28
PID 2436 wrote to memory of 2944	2436	a43517daccdad5d036434fa0cb36b5a0.exe	28
PID 2436 wrote to memory of 2944	2436	a43517daccdad5d036434fa0cb36b5a0.exe	28
PID 2436 wrote to memory of 2944	2436	a43517daccdad5d036434fa0cb36b5a0.exe	28
PID 2436 wrote to memory of 2944	2436	a43517daccdad5d036434fa0cb36b5a0.exe	28

C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0.exe
"C:\Users\Admin\AppData\Local\Temp\a43517daccdad5d036434fa0cb36b5a0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\updated1985.exe
  C:\Windows\system32\updated1985.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cfghw.tmp

Filesize
361B

MD5
fed513e713a3a892ff3daf9235fb67bd

SHA1
e6a48e3a676cc24160e76c1292151ced7c545110

SHA256
131d6c04a3295c49b694aace549c433dfe0610e376c54c1c43267e9ed47317b1

SHA512
c1dfae49d5a90a265f798345518704eeda7f7ecff6d11bdad5f3fcd96568ec9c7ab7ed15f282f6a5ad04b57022d489572bd0fa551517f8a5af9d0d658fedc6cd

Download Submit
C:\Windows\SysWOW64\cfghw.tmp

Filesize
466B

MD5
d7f3754acb5258c754d6407d2924bde3

SHA1
b1c195764ba742688ac62bdc18168e7dc5f99deb

SHA256
aba6b251b738d6b1f2f85917fa15808d0018ccb9e613da3d1f30965844e5777e

SHA512
f8390eb5add5727f8cd683332284ba3040a387939ab75ccab472e07701b0117005825f352ee0f34b5aba33f1ce8ae2702db9c5946caf2faf826a399f0ef38a94

Download Submit
\Windows\SysWOW64\updated1985.exe

Filesize
39KB

MD5
cdc555406c7ceacc5782eec02d44bb5a

SHA1
297908f62efb34be6b24c3cb2982149d76e5ce69

SHA256
293e7051a6160af58189b1128799edae1578ae9b9ae842e35b640179d9061a0e

SHA512
10617c7089301f9548880f7be0f47124457cf5c6ab0c647a812e9055b8469abb40c5b559e055fc5076ebe795f216a5f7879354954435f720a57d06b849d69b79

Download Submit
memory/2436-7-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2436-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2436-106-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2944-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2944-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2944-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2944-17-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2944-121-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2944-120-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2944-133-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download