22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08

General

Target

22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Size

84KB
MD5

f7ddc283c1c66b91300e627f175ecb84
SHA1

2fdb1d357047d7fab702889c97e02bfdade7e0a6
SHA256

22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08
SHA512

2c1bcae0988f96ccd71028b6d543e267e411a26a2a8389e38528358b770cb698938ea5635d88f289a734ce7bd0f32ff61c19536eca1786acb104c1ff2d1e6d51
SSDEEP

1536:jXn1JYSnExFkcgKKjxfmqshiKW5Xs/iYQqQJtsWFcdfRMvb+xWCuoriA:zE3x5KBDYiKWm/iSw0fRMvygCL

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 8 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A41A37D0270D8433C3CD0220248AD84A5A6A1A26\Blob = 030000000100000014000000a41a37d0270d8433c3cd0220248ad84a5a6a1a26200000000100000078050000308205743082045ca003020102021004a03dbce32c5a34420a419fb740aa1a300d06092a864886f70d01010b0500307d310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312330210603550403131a434f4d4f444f2052534120436f6465205369676e696e67204341301e170d3136303230323030303030305a170d3139303230313233353935395a3081b7310b3009060355040613025553310e300c06035504110c0533333633343110300e06035504080c07466c6f72696461310e300c06035504070c0554616d70613124302206035504090c1b343131302047656f72676520526f61642c20537569746520323030310e300c06035504120c053333363334311f301d060355040a0c1653637265656e436f6e6e65637420536f667477617265311f301d06035504030c1653637265656e436f6e6e65637420536f66747761726530820122300d06092a864886f70d01010105000382010f003082010a0282010100ef53c03e3946aad66d87a2a761dd3f45401caf1ffa02df7f15d94dc61b6a7873d2671714d6c382d635025045ffb484bc2a50ebee0053c614226009d186cbdfb1f4ac68ff6648734c6deeb8dd82842ba107519322fd8d2a2767d1e370053ce48ea776b6bc137cc903a30dafff6e63c58cdc7fe40c832d16474f96631cb88141223a4cb6541e33675296fa57637f295553fb34409a00408613052e54935b092cbb303b1bec674753d044c9d2e260f6a1cd4eb4e176e0cb09fc271b79a0872df10746c8522969d8e30ed3a4bda84876713faa1534f00caee19b514ca24b5835742a636a281f82d8d2bf307bfb325ac1c087751dea457befec4f60847871122067cf0203010001a38201b3308201af301f0603551d23041830168014299160ff8a4dfaebf9a66ab8cff9e64bbd49ce12301d0603551d0e04160414dbab147ed014c81e0b99b50dec9abfc46911e7eb300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e63726c307406082b0601050507010104683066303e06082b060105050730028632687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30240603551d11041d301b81196a6d6f7267616e4073637265656e636f6e6e6563742e636f6d300d06092a864886f70d01010b05000382010100501d24454fc8f1494e7d2858f99bf3d1532953cdd01c2868cfd790bf19100f9ad202ef66ee3dbb8db48912f6b127f549b1cca2e125897352f83cd72d4ad95566cc911a1becfc64b0199760970f06c28fc99352206e21e9a7bfe58a9c5ce29fe51bfed0e9b8262ca6bcac3cf0151b5cd5400391169a22a95fc747587c48fb70d7df0410c27d68dbce05bc9a0c6af54361f7a5879a4d11bf8d8826e58bdd9526706ec1044745a53a2d3af4aba2082964213659d372a28dd13cd37d5ba766410f33d04333257ff70db9fb4514859b335b5c4e9b932c2df3f7894b961f5c01cbc94e531290bd572e56b749fda0b4a78e4a22611e9942f4e776389e1a1fa76638cfb6	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0\Blob = 030000000100000014000000f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0200000000100000078050000308205743082045ca00302010202102766ee56eb49f38eabd770a2fc84de22300d06092a864886f70d01010c0500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038201010064bf83f15f9a85d0cdb8a129570de85af7d1e93ef276046ef15270bb1e3cff4d0d746acc818225d3c3a02a5d4cf5ba8ba16dc4540975c7e3270e5d847937401377f5b4ac1cd03bab1712d6ef34187e2be979d3ab57450caf28fad0dbe5509588bbdf8557697d92d852ca7381bf1cf3e6b86e661105b31e942d7f91959259f14ccea391714c7c470c3b0b19f6a1b16c863e5caac42e82cbf90796ba484d90f294c8a973a2eb067b239ddea2f34d559f7a6145981868c75e406b23f5797aef8cb56b8bb76f46f47bf13d4b04d89380595ae041241db28f15605847dbef6e46fd15f5d95f9ab3dbd8b8e440b3cd9739ae85bb1d8ebcdc879bd1a6eff13b6f10386f	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47\Blob = 030000000100000014000000b69e752bbe88b4458200a7c0f4f5b3cce6f35b472000000001000000e4050000308205e0308203c8a00302010202102e7c87cc0e934a52fe94fd1cb7cd34af300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3133303530393030303030305a170d3238303530383233353935395a307d310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312330210603550403131a434f4d4f444f2052534120436f6465205369676e696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100a69890637791347f8ad1dde9673111ebcc1efd311db3b962573f93bc5be39f1e243211276bbc5191a7cf9e9e25b35f81a8180f1d1e20300efb617b8609b3e3fda2689d1c2c9dbf72e3e475a0e535238ec98aee1a0c64c7d842a17bb552034b3ab08e234b4b63e02294377bd579900a1418512ce6fec112f01c3f61610a8ca2dcf6c330aacd28187548c1795a08cdbb8c558cf7d476903a33465073985cf4854a6b0f80dd5ed6bdfda92fc025f5f978d78d5f10c244553c903c3146cb70ae07a90ae3afc1016f901a23e25f38dbc6085d47b38341f02e003714b912aa799252cd870f7bd86229a47e30bd1bb58c72b448f2e3e821f95e4c62798b02069f7fd50b0203010001a38201513082014d301f0603551d23041830168014bbaf7e023dfaa6f13c848eadee3898ecd93232d4301d0603551d0e04160414299160ff8a4dfaebf9a66ab8cff9e64bbd49ce12300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff02010030130603551d25040c300a06082b0601050507030330110603551d20040a300830060604551d2000304c0603551d1f044530433041a03fa03d863b687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f52534143657274696669636174696f6e417574686f726974792e63726c307106082b0601050507010104653063303b06082b06010505073002862f687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341416464547275737443412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382020100023f0239c3eef8ca3b89de0c6d4db1f14e924fafc2382c04ccc56311ab0963afaba2d7023fcc6f19c33dd61a0894ff25d8a988a72b101ae09bb107221a511c3ad4e1e909bfe62474af1e7b16316e23ef54512d5202e27508054cf1b751e15100c687f66cee104476576af1df586b21aa49d47c374ebdffb67554401836576711cd4f02e4fef3dafc7517dbecb7f7650923491f435783ea7e207761c84df2bb654da8f7854507af7a6927659029408bdf7b3a51398ca81f7079ad6d4220a2cf0c6c038c4ccd730794e75a8e3a04baa2a17c1fcb633a15a7d4151ba7524732a9f4bf6447d1aa1f534e323073c26fb778829d5cff46bb6b221d880bf81baa34a6fc8cf5dd7f658c8c315731d036ec47a1cfcb8ba8ef1c1858c50677ca4b9b51af4c084a7a8fe2a352e28e8ecc26e4b2d8e538c2a8edc6819c356ba958614a0a97b44b42b6559dbe99e7706d59f86d2a0c7f19605f0c9a886c30ac520990161bff2b9ddbd020ca89ea287e328e19df7b48331ed765f8aec9f8831493767d64d08ecebe357dff72314d9f9ebd1e6c2fa88f0c0650fb8c27b376c9f4e6d7c334e28c87218661febf5574e12177030a686cbbe4c9a9e6cf5925eb7cec450e796668e822cdb8ef98854d96113c098ad07fbc282813fb6aca548d925ccdc26598069ece485bd4b5379346417c07ddcffa43efba6761ff7d49e0bb307d5c80e3e616394ba7	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A41A37D0270D8433C3CD0220248AD84A5A6A1A26	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B\Blob = 03000000010000001400000003a5b14663eb12023091b84a6d6a68bc871de66b20000000010000009d0400003082049930820381a003020102020f1688f039255e638e69143907e6330b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3135313233313030303030305a170d3139303730393138343033365a308184310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312a302806035504031321434f4d4f444f205348412d312054696d65205374616d70696e67205369676e657230820122300d06092a864886f70d01010105000382010f003082010a0282010100e9e93ddfd73708c91e38b25253426d22f1b1c406046b9efd827450437dc6a0bb1f4ef9027126b1ef43d8838c48fce70f977a9aeb9cdea6a30e3b1c4418758e78a51769fe4918a4e2bb5c4efe8e2a547a50f0d5f6cc91e79979d7de7994d79633fe0e83be22bf63162ca3dd281baf3dabea97d2f1bf0410e73d4845fd1f6865c17f599969c022310c626ea75c650121b063c4221827eee6fcd2003d472ea8b886565d04dc1317256e1cdf440f15cdb7dba55776426f00688299d2e3c1def08b94574cec08902221ce222b980c42e64293949893effd06d93fbc5b9b543c20b1ee6ad6477ac5ab80e9309adef1a43f554d0a09348a7529d269ad970f50bff8ca090203010001a381f43081f1301f0603551d23041830168014daed6474149c143cabdd99a9bd5b284d8b3cc9d8301d0603551d0e041604148e6b2d336bf433a793b3139aa5e00af712356a88300e0603551d0f0101ff0404030206c0300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010505000382010100ba332440408c7cdb589fb36098b2f5c031feeb1f6e50f60ae0e4e681ad2687a2dffdb3daf473f300fb291b891b153edb6b52932bc4ac3981d73c67579a3936e028089ae3394f9b89097f7bc5617f598932250a6aae1a3ef0a227a8b6c3b887f7160448413d5cd8ec9f4d203104d965a1edcd690753163ddd36020a88eb40e506300bb8164bdcefbc5509ffc63e122e76b3dcce42eff97657e1b70a054098589a5d711693718c6581ea6ff389f7fb73adb4e7bfd98e6faa0b4f25f3b8e1d5dd75986881f8aac0d180c2c4c43989c1f6c99e6cd774f9d997f84fc29a0acd5e8ff819e9e0a59fc4f09221e62d7925c922f9c3f03a8457ad3a16f46394101d5dd0c6	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe

Modifies registry class 21 IoCs

Processes:

dfsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "54RDZKCGP9XE61RY29A0MXMB"	dfsvc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "PW71DPNATPPJJQRBK73EW76V"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "YMQ5ZZ7RKMQ6WZPXLVTWPNKV"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Software	dfsvc.exe

Modifies system certificate store 2 TTPs 12 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A41A37D0270D8433C3CD0220248AD84A5A6A1A26	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B\Blob = 03000000010000001400000003a5b14663eb12023091b84a6d6a68bc871de66b20000000010000009d0400003082049930820381a003020102020f1688f039255e638e69143907e6330b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3135313233313030303030305a170d3139303730393138343033365a308184310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312a302806035504031321434f4d4f444f205348412d312054696d65205374616d70696e67205369676e657230820122300d06092a864886f70d01010105000382010f003082010a0282010100e9e93ddfd73708c91e38b25253426d22f1b1c406046b9efd827450437dc6a0bb1f4ef9027126b1ef43d8838c48fce70f977a9aeb9cdea6a30e3b1c4418758e78a51769fe4918a4e2bb5c4efe8e2a547a50f0d5f6cc91e79979d7de7994d79633fe0e83be22bf63162ca3dd281baf3dabea97d2f1bf0410e73d4845fd1f6865c17f599969c022310c626ea75c650121b063c4221827eee6fcd2003d472ea8b886565d04dc1317256e1cdf440f15cdb7dba55776426f00688299d2e3c1def08b94574cec08902221ce222b980c42e64293949893effd06d93fbc5b9b543c20b1ee6ad6477ac5ab80e9309adef1a43f554d0a09348a7529d269ad970f50bff8ca090203010001a381f43081f1301f0603551d23041830168014daed6474149c143cabdd99a9bd5b284d8b3cc9d8301d0603551d0e041604148e6b2d336bf433a793b3139aa5e00af712356a88300e0603551d0f0101ff0404030206c0300c0603551d130101ff0402300030160603551d250101ff040c300a06082b0601050507030830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010505000382010100ba332440408c7cdb589fb36098b2f5c031feeb1f6e50f60ae0e4e681ad2687a2dffdb3daf473f300fb291b891b153edb6b52932bc4ac3981d73c67579a3936e028089ae3394f9b89097f7bc5617f598932250a6aae1a3ef0a227a8b6c3b887f7160448413d5cd8ec9f4d203104d965a1edcd690753163ddd36020a88eb40e506300bb8164bdcefbc5509ffc63e122e76b3dcce42eff97657e1b70a054098589a5d711693718c6581ea6ff389f7fb73adb4e7bfd98e6faa0b4f25f3b8e1d5dd75986881f8aac0d180c2c4c43989c1f6c99e6cd774f9d997f84fc29a0acd5e8ff819e9e0a59fc4f09221e62d7925c922f9c3f03a8457ad3a16f46394101d5dd0c6	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A41A37D0270D8433C3CD0220248AD84A5A6A1A26\Blob = 030000000100000014000000a41a37d0270d8433c3cd0220248ad84a5a6a1a26200000000100000078050000308205743082045ca003020102021004a03dbce32c5a34420a419fb740aa1a300d06092a864886f70d01010b0500307d310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312330210603550403131a434f4d4f444f2052534120436f6465205369676e696e67204341301e170d3136303230323030303030305a170d3139303230313233353935395a3081b7310b3009060355040613025553310e300c06035504110c0533333633343110300e06035504080c07466c6f72696461310e300c06035504070c0554616d70613124302206035504090c1b343131302047656f72676520526f61642c20537569746520323030310e300c06035504120c053333363334311f301d060355040a0c1653637265656e436f6e6e65637420536f667477617265311f301d06035504030c1653637265656e436f6e6e65637420536f66747761726530820122300d06092a864886f70d01010105000382010f003082010a0282010100ef53c03e3946aad66d87a2a761dd3f45401caf1ffa02df7f15d94dc61b6a7873d2671714d6c382d635025045ffb484bc2a50ebee0053c614226009d186cbdfb1f4ac68ff6648734c6deeb8dd82842ba107519322fd8d2a2767d1e370053ce48ea776b6bc137cc903a30dafff6e63c58cdc7fe40c832d16474f96631cb88141223a4cb6541e33675296fa57637f295553fb34409a00408613052e54935b092cbb303b1bec674753d044c9d2e260f6a1cd4eb4e176e0cb09fc271b79a0872df10746c8522969d8e30ed3a4bda84876713faa1534f00caee19b514ca24b5835742a636a281f82d8d2bf307bfb325ac1c087751dea457befec4f60847871122067cf0203010001a38201b3308201af301f0603551d23041830168014299160ff8a4dfaebf9a66ab8cff9e64bbd49ce12301d0603551d0e04160414dbab147ed014c81e0b99b50dec9abfc46911e7eb300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e63726c307406082b0601050507010104683066303e06082b060105050730028632687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341436f64655369676e696e6743412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30240603551d11041d301b81196a6d6f7267616e4073637265656e636f6e6e6563742e636f6d300d06092a864886f70d01010b05000382010100501d24454fc8f1494e7d2858f99bf3d1532953cdd01c2868cfd790bf19100f9ad202ef66ee3dbb8db48912f6b127f549b1cca2e125897352f83cd72d4ad95566cc911a1becfc64b0199760970f06c28fc99352206e21e9a7bfe58a9c5ce29fe51bfed0e9b8262ca6bcac3cf0151b5cd5400391169a22a95fc747587c48fb70d7df0410c27d68dbce05bc9a0c6af54361f7a5879a4d11bf8d8826e58bdd9526706ec1044745a53a2d3af4aba2082964213659d372a28dd13cd37d5ba766410f33d04333257ff70db9fb4514859b335b5c4e9b932c2df3f7894b961f5c01cbc94e531290bd572e56b749fda0b4a78e4a22611e9942f4e776389e1a1fa76638cfb6	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0\Blob = 030000000100000014000000f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0200000000100000078050000308205743082045ca00302010202102766ee56eb49f38eabd770a2fc84de22300d06092a864886f70d01010c0500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038201010064bf83f15f9a85d0cdb8a129570de85af7d1e93ef276046ef15270bb1e3cff4d0d746acc818225d3c3a02a5d4cf5ba8ba16dc4540975c7e3270e5d847937401377f5b4ac1cd03bab1712d6ef34187e2be979d3ab57450caf28fad0dbe5509588bbdf8557697d92d852ca7381bf1cf3e6b86e661105b31e942d7f91959259f14ccea391714c7c470c3b0b19f6a1b16c863e5caac42e82cbf90796ba484d90f294c8a973a2eb067b239ddea2f34d559f7a6145981868c75e406b23f5797aef8cb56b8bb76f46f47bf13d4b04d89380595ae041241db28f15605847dbef6e46fd15f5d95f9ab3dbd8b8e440b3cd9739ae85bb1d8ebcdc879bd1a6eff13b6f10386f	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47\Blob = 030000000100000014000000b69e752bbe88b4458200a7c0f4f5b3cce6f35b472000000001000000e4050000308205e0308203c8a00302010202102e7c87cc0e934a52fe94fd1cb7cd34af300d06092a864886f70d01010c0500308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f72697479301e170d3133303530393030303030305a170d3238303530383233353935395a307d310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312330210603550403131a434f4d4f444f2052534120436f6465205369676e696e6720434130820122300d06092a864886f70d01010105000382010f003082010a0282010100a69890637791347f8ad1dde9673111ebcc1efd311db3b962573f93bc5be39f1e243211276bbc5191a7cf9e9e25b35f81a8180f1d1e20300efb617b8609b3e3fda2689d1c2c9dbf72e3e475a0e535238ec98aee1a0c64c7d842a17bb552034b3ab08e234b4b63e02294377bd579900a1418512ce6fec112f01c3f61610a8ca2dcf6c330aacd28187548c1795a08cdbb8c558cf7d476903a33465073985cf4854a6b0f80dd5ed6bdfda92fc025f5f978d78d5f10c244553c903c3146cb70ae07a90ae3afc1016f901a23e25f38dbc6085d47b38341f02e003714b912aa799252cd870f7bd86229a47e30bd1bb58c72b448f2e3e821f95e4c62798b02069f7fd50b0203010001a38201513082014d301f0603551d23041830168014bbaf7e023dfaa6f13c848eadee3898ecd93232d4301d0603551d0e04160414299160ff8a4dfaebf9a66ab8cff9e64bbd49ce12300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff02010030130603551d25040c300a06082b0601050507030330110603551d20040a300830060604551d2000304c0603551d1f044530433041a03fa03d863b687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f52534143657274696669636174696f6e417574686f726974792e63726c307106082b0601050507010104653063303b06082b06010505073002862f687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f525341416464547275737443412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382020100023f0239c3eef8ca3b89de0c6d4db1f14e924fafc2382c04ccc56311ab0963afaba2d7023fcc6f19c33dd61a0894ff25d8a988a72b101ae09bb107221a511c3ad4e1e909bfe62474af1e7b16316e23ef54512d5202e27508054cf1b751e15100c687f66cee104476576af1df586b21aa49d47c374ebdffb67554401836576711cd4f02e4fef3dafc7517dbecb7f7650923491f435783ea7e207761c84df2bb654da8f7854507af7a6927659029408bdf7b3a51398ca81f7079ad6d4220a2cf0c6c038c4ccd730794e75a8e3a04baa2a17c1fcb633a15a7d4151ba7524732a9f4bf6447d1aa1f534e323073c26fb778829d5cff46bb6b221d880bf81baa34a6fc8cf5dd7f658c8c315731d036ec47a1cfcb8ba8ef1c1858c50677ca4b9b51af4c084a7a8fe2a352e28e8ecc26e4b2d8e538c2a8edc6819c356ba958614a0a97b44b42b6559dbe99e7706d59f86d2a0c7f19605f0c9a886c30ac520990161bff2b9ddbd020ca89ea287e328e19df7b48331ed765f8aec9f8831493767d64d08ecebe357dff72314d9f9ebd1e6c2fa88f0c0650fb8c27b376c9f4e6d7c334e28c87218661febf5574e12177030a686cbbe4c9a9e6cf5925eb7cec450e796668e822cdb8ef98854d96113c098ad07fbc282813fb6aca548d925ccdc26598069ece485bd4b5379346417c07ddcffa43efba6761ff7d49e0bb307d5c80e3e616394ba7	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A41A37D0270D8433C3CD0220248AD84A5A6A1A26	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dfsvc.exe

description pid process

Token: SeDebugPrivilege 1768 dfsvc.exe

description	pid	process
Token: SeDebugPrivilege	1768	dfsvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe

description	pid	process	target process
PID 2336 wrote to memory of 1768	2336	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe	dfsvc.exe
PID 2336 wrote to memory of 1768	2336	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe	dfsvc.exe
PID 2336 wrote to memory of 1768	2336	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe	dfsvc.exe
PID 2336 wrote to memory of 1768	2336	22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe	dfsvc.exe

C:\Users\Admin\AppData\Local\Temp\22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe
"C:\Users\Admin\AppData\Local\Temp\22a69f32b453621e3e74bf6d70c006a2b67406f283633ea21514d22226282a08.exe"
1⤵
- Manipulates Digital Signatures
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

2

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

Filesize
4KB

Download
memory/1768-1-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/1768-2-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-5-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

Filesize
4KB

Download
memory/1768-6-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads