e701690143982cffafedb9656317ff7e7d5888801a8f684929cc85b3d787eb94

Analysis

max time kernel
149s
max time network
132s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4ad43721b0377fd4f9bb3781ce7fb07.exe
Size

2.0MB
MD5

c4ad43721b0377fd4f9bb3781ce7fb07
SHA1

57216c902035b16e0227c6d9081461f10b829a83
SHA256

e701690143982cffafedb9656317ff7e7d5888801a8f684929cc85b3d787eb94
SHA512

113f8356280bfa95ae3326ddfb1dfe333af16fd88cbc2cff9e113c99b03ee2940561e4c69757948b929070bf8c08a0dcbe336a8af9a9455b783b33cf8bbdd41a
SSDEEP

24576:XDJu+uolM+zEWkpDlnkOJBtCLS3qoPb3IzLKG3XlWuMt:Xtucjsll5CDA4fKilu

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-0-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-2-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-6-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-16-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-30-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-44-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-46-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-42-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-40-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-38-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-36-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-34-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-32-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-28-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-26-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-24-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-22-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-20-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-18-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-14-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-12-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-10-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-8-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-5-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-3-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-4-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1988-62-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\xl.txt	c4ad43721b0377fd4f9bb3781ce7fb07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	c4ad43721b0377fd4f9bb3781ce7fb07.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	c4ad43721b0377fd4f9bb3781ce7fb07.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	c4ad43721b0377fd4f9bb3781ce7fb07.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	c4ad43721b0377fd4f9bb3781ce7fb07.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	c4ad43721b0377fd4f9bb3781ce7fb07.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	c4ad43721b0377fd4f9bb3781ce7fb07.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	c4ad43721b0377fd4f9bb3781ce7fb07.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	c4ad43721b0377fd4f9bb3781ce7fb07.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	c4ad43721b0377fd4f9bb3781ce7fb07.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe
1988	c4ad43721b0377fd4f9bb3781ce7fb07.exe

C:\Users\Admin\AppData\Local\Temp\c4ad43721b0377fd4f9bb3781ce7fb07.exe
"C:\Users\Admin\AppData\Local\Temp\c4ad43721b0377fd4f9bb3781ce7fb07.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ba7cb0f308bb9c6d8c833e57b2ed353

SHA1
7b1b402ee8cfdbd3055d97c872b8114166c4b9a5

SHA256
e12306d531f6e4d46efc74e6ad37f0e4615173daedc83cd12671d3a84d50c3c7

SHA512
03ecf986288dfa7be0a953ca3704f4b0792ea5f3bc798fab34bcf59e5d08831085c2c6875dab5107830871bdba4c60e8e15601f1547429d3f1f98fe150323adc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eaeb53c0a34424acd3f351a1598b990a

SHA1
f3527adc1ed259638480b3d08caf38abde4a1230

SHA256
59c06418f18382eac719bb37f6ea5fdbecdeba8fa8bccea01df36d725258531a

SHA512
8d129c99491a5106a550182fe694ec06884410ce910e6f94c7871074570eac7e1128ed91228daafc5a4b5390075c1054c2dbb22558db19c8589f644194e265de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21fc78d5f53a8e445ec931eeb50bcc6a

SHA1
8b0af4eb74d15819c43990f12fe3c33570858264

SHA256
3ee5b42cf01d24abe45d54900c159accf6c22a600ac46f9ecf3d5509d5dd5f93

SHA512
6d28ea0709fe6fee9d7377d47b520baac0464cda8c82cf7f79c183ff5401f2371567eadede7f0ae28b5e3c39095c813d33244ed9a663150ed47aedc4c628e807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
033ea15401e21c754f2512328e44f8c0

SHA1
ba61fb674aa02f2a208cbd36a7bf7d9fc7b0ddfd

SHA256
f106e51ea29c43d6a6e8cbe9539f3eb5b7a76e356259be2885c767aaed5f303c

SHA512
c9de3de5c551dc151023abf9255e6bd12875d0e8471cac67b0c468340e9ac13375ce9dc687662ded5773a13fb103a5e6009e824fbb26a76dba90d2f3fa753d25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a826aa0c32308aaeb1fc4239653b9a1a

SHA1
f30f5bb79f505e5e46366d0d985b441e860e9e25

SHA256
e783a3dd3093f67f42c9c9fcaed045177bfca3070e34f182a0edff4417044b79

SHA512
b5ea63ccde3eb7619116add68d9a575bb3874138b974046fbacfe81064cb2a3ada6616a8c92384d422b953ca7cf72b06ff2031bd15f90e4d7903e4c0512a6fc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2343ff4bdbc062158d3c4e180ccc45ca

SHA1
4fee07e8bcf178ec67bab489b34f727d8f19255b

SHA256
ecf8b8ed0b140678106387da88f102af7ec4580c7a1eccf7b1587239c5f7af9e

SHA512
4af9ce4f7bdb17bb5418e8793b2a364eda24df24074367e7f848772b9f616f04b0b933e55a42b0977b6d494c5df74f64776b099557dd7f0cb2a9384784c4353f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b32b966f359afb72bce087a1f62c1ab4

SHA1
f5f53b70af1e46afe3e29ba0e8ac8a4d495e83af

SHA256
c6df01a1e3b684383ee4e8ef2ffe5d107f9f2a5d87fd5ea15073a13250f0c4db

SHA512
b1ed0df2053ba0929fe05c37c1a9598941863a58684fdf1f855ab88c7c37a0b6ada97946c1a8d462de4f8130f51508bb803dd23d7f05e752cb7eb8960d2fa8c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
9fb652b8182a067eb5112133b0332f09

SHA1
d5d1f1b40a37a615386972b25ec772b364eeaf14

SHA256
bb9a198936696a695bd92601934e9665f174771bc86180a5d464387f875b2925

SHA512
a3fabc6a13fc494b87a5dc3aefae7c0d8132ec0b5fafce12a3de9fc822efb1a1e69030db67f087e261fa9525e0a7d026b4406ff9434caa469c2934986b42fbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35F4.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\xl.txt

Filesize
4B

MD5
3515c7f06caa58302a8057e507f847ac

SHA1
69896c04cb8b179837fe293552fdf5af76081411

SHA256
d4f236c16e1a34c1205c607a1706fd305b205d90c22f0b46c6521fb81f16a856

SHA512
555f1278ad078eb25235b9be66f1dd034c4a2b9ebb3b9af813840cc0363225515be617375916cebd3a6f495abbbf0d33c70862bfb9ac6e93e57324100400c6f6

Download Submit
C:\mp3.htm

Filesize
286B

MD5
bd95ab15f0f73d3d56955dae57234e83

SHA1
86432c8a02ff589958e0a943b20b48209e96dc8b

SHA256
6a7d34824079eeca17b539c52a564546334ec914814ea5ea6eb77051a4d0f2f6

SHA512
b7e760cc9a97b605083af7c618db5a769cfe720628724391e95b6dfda9243d9b1f842bb9beff03c0d4e772b023d6d97919bfb48b84dc320ac97a4dfc49b27e45

Download Submit
memory/1988-36-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-28-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-22-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-20-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-18-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-14-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-12-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-10-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-8-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-5-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-3-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-4-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-49-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1988-62-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-26-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-24-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-32-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-34-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-0-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-38-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-40-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-42-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-46-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-44-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-30-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-16-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-6-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-2-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1988-896-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download