Analysis
max time kernel: 149s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 19:09
Behavioral task: behavioral1
Sample: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Resource: win10v2004-20240426-en
General
Target: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Size: 10.2MB
MD5: 64868096512b6e0abee29d12645a9077
SHA1: c272a484aca1b52eca12fb565a36d19904fa8c1b
SHA256: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9
SHA512: 61cd7bfd7cf959d31193c127a9de94694bdba6fbd5fda73ac24232c136dc49d34887ff983f0ca3a3f20887819730f20399b3ce84c29a79015d8b0e82292b8746
SSDEEP: 196608:D5IDVaHSbvxMVl1WDtyvJl2IMizYV0GRvZcDEYtOJzCLg+DJeCk8L+TtWLH:VIFvxW+tyhl2jahtWClzk8OOH
Malware Config
Signatures
-
Manipulates Digital Signatures 1 TTPs 3 IoCs
Attackers can change the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" (process: certutil.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" (process: certutil.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" (process: certutil.exe)
Executes dropped EXE 1 IoCs
- PID 3952: certmgr.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (process: 25EEE3~1.EXE)
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
- PID 4056: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
- PID 2204: 25EEE3~1.EXE
- PID 4708: 25EEE3~1.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
- Set value (int): \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe = "7000" (process: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\25EEE3~1.EXE = "7000" (process: 25EEE3~1.EXE)
Modifies system certificate store
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B47DABE24A4E3F9F808716BA294AB25F4B19B9E (process: certmgr.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B47DABE24A4E3F9F808716BA294AB25F4B19B9E\Blob = (hex-encoded certificate blob omitted) (process: certmgr.exe)
Suspicious behavior: EnumeratesProcesses 10 IoCs
- PID 4056: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe (2 entries)
- PID 2204: 25EEE3~1.EXE (2 entries)
- PID 4708: 25EEE3~1.EXE (6 entries)
Suspicious use of SetWindowsHookEx 12 IoCs
- PID 4056: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe (4 entries)
- PID 2204: 25EEE3~1.EXE (4 entries)
- PID 4708: 25EEE3~1.EXE (4 entries)
Suspicious use of WriteProcessMemory 18 IoCs
- PID 4056 wrote to memory of 2204 (process: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe, target procid 86; 3 entries)
- PID 2204 wrote to memory of 4708 (process: 25EEE3~1.EXE, target procid 87; 3 entries)
- PID 4708 wrote to memory of 3212 (process: 25EEE3~1.EXE, target procid 88; 3 entries)
- PID 3212 wrote to memory of 5292 (process: cmd.exe, target procid 90; 3 entries)
- PID 4708 wrote to memory of 4720 (process: 25EEE3~1.EXE, target procid 91; 3 entries)
- PID 4720 wrote to memory of 3952 (process: cmd.exe, target procid 93; 3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4056
  - C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2204
    - C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4708
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd.exe /c certutil -store AuthRoot
        - Suspicious use of WriteProcessMemory
        PID: 3212
        - C:\Windows\SysWOW64\certutil.exe (depth 5)
          Command line: certutil -store AuthRoot
          - Manipulates Digital Signatures
          PID: 5292
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe /c /add C:\Users\Admin\AppData\Local\Temp\ksywzs\kspt.crt /s /r localMachine AuthRoot
        - Suspicious use of WriteProcessMemory
        PID: 4720
        - C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe /c /add C:\Users\Admin\AppData\Local\Temp\ksywzs\kspt.crt /s /r localMachine AuthRoot
          - Executes dropped EXE
          - Modifies system certificate store
          PID: 3952
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 35KB
  MD5: 53d93f81c9f18bb548d1d0d8ac9b0695
  SHA1: f7a620e722eede78493fdf45942d958cdb753820
  SHA256: 69ecd50e3a508f32dfc246523766a557fca61817e8e1fa71718fa66a1c2ae802
  SHA512: 4b3b942bc429bb82d073f71f115c7b5ad66191f7c51c5066431be530f03fa24a90f06286a86c3864bcd6f06e017529507f209b276635af7c9bbc8dc44b333a18
- Filesize: 1KB
  MD5: dccaa52994def4f24a8dc7cfc5004a7a
  SHA1: 797d1829abb4c83f1d756056a5533b02f4011402
  SHA256: f14bf733e5584841b12cb9f4b4eb189649be6310324984af2242289dd31d5387
  SHA512: 784aaeee8023f410eb9753b7080b57dca37a5e628311b5c9a24bb6f0db59f07ef674db0004e78da17b2e3007526ddafab1f1ac4524dd4b4095e43d74deeba6a9