97ec855a73ef9fc27b5b804dd0e5e882741c3dcfe316d3ecb6eb582aea38ed8e

General

Target

6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe
Size

421KB
MD5

e62848b3576538fa77777032c232436b
SHA1

0049ca2473da98bc37394d5bb4c05852356c8bcb
SHA256

6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90
SHA512

ded4ab36f0401e7330de3e0347328ff1218338388268e45f0f79e23d8c95ba22b6f1454e2f908952acee023d1e5087b47f0cc38e23e151e7130e385951043822
SSDEEP

12288:sXLuBglhv+vNO6bVeKGA/Py3B1KuJ+NiKYU/d7tnUv:OLKgHv+vNOSV/vyrnKtF5Uv

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2200 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2200	powershell.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\29B9B6B8A1B770E87881347B0DE532DDB1262F63\Blob = 140000000100000014000000831254141f266c6819e9d5866c31d235d627f71703000000010000001400000029b9b6b8a1b770e87881347b0de532ddb1262f630f00000001000000200000003bcf530ef7f046e29cca7f7a98ee2dc32695a8f10f565db44b1830259c99547b2000000001000000f9020000308202f5308201dda003020102021066f8a9576c24bbfe65d8a1d0464750b5300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303631383132303030305a170d3239303631373132303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c170cbbc0a786bb4d4a04ee8c0f3d7c8a7ffa1187b5fe65abd8d952810df5a912e93e9c92aa70c0131ec6d3126fb4c0a81cd318e725cc81f4403a574afbc28cf024a9302729ffdd098e1956b3b7b5bdb7dd1d7b23f1123465ed11b18752061bda5c19da5816660e052ea2eab6e266589971cafa41af878b370afbf05c1da55fc8bd96f456fb07552982e4aa8fbdf76ff733b369144c93b55fafe08e5db8ddb93ec30c0b11cd67791e1ff7e03724a61ce62777606f88f10553bf68960ccea8c0816c45bfe67deead563aa7a4f2fba4c57d6be55f7ab45751d0786b284f1d71d7bf6d7f7c760317958b9d865f34ed68fa7cbd187ed548384f6b34953e025ce73010203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414831254141f266c6819e9d5866c31d235d627f717300d06092a864886f70d01010b0500038201010074cf49948930b038bb5e35f499ad3281509873029d5808ba58b705fc893e5e002b6d974f7b7d83d538d4726f7037b93433275d46e1397a793cf8dac2161ea031b0996e66a8798f9584883722a58c54468affa639d50d0c486818351b25e2d0da2c012fa15eb942ee8b443ffdcdc6b3b9255633cd610a3a8e98eb5b708bc913cd3e1daa75dd045c5f9ff36da926892f72e18c7375b0a0ffd9bae71fdf3bad413ff928430f8ab039e2806fabc12340c8dfc095740ba5a647a249110205e4f45275546427cdf49cd31bada7be5a90e44d8781c8fb59d1490296c6e10f9c8a3ecc0cd84e88c0bb4c22c6c73ba001f4b1593b4c49f6e8a50798309534e9d6799f3d5a	6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\29B9B6B8A1B770E87881347B0DE532DDB1262F63\Blob = 19000000010000001000000028bfb0064ebe7450c3bc60cc37b841ac0f00000001000000200000003bcf530ef7f046e29cca7f7a98ee2dc32695a8f10f565db44b1830259c99547b03000000010000001400000029b9b6b8a1b770e87881347b0de532ddb1262f63140000000100000014000000831254141f266c6819e9d5866c31d235d627f7172000000001000000f9020000308202f5308201dda003020102021066f8a9576c24bbfe65d8a1d0464750b5300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303631383132303030305a170d3239303631373132303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c170cbbc0a786bb4d4a04ee8c0f3d7c8a7ffa1187b5fe65abd8d952810df5a912e93e9c92aa70c0131ec6d3126fb4c0a81cd318e725cc81f4403a574afbc28cf024a9302729ffdd098e1956b3b7b5bdb7dd1d7b23f1123465ed11b18752061bda5c19da5816660e052ea2eab6e266589971cafa41af878b370afbf05c1da55fc8bd96f456fb07552982e4aa8fbdf76ff733b369144c93b55fafe08e5db8ddb93ec30c0b11cd67791e1ff7e03724a61ce62777606f88f10553bf68960ccea8c0816c45bfe67deead563aa7a4f2fba4c57d6be55f7ab45751d0786b284f1d71d7bf6d7f7c760317958b9d865f34ed68fa7cbd187ed548384f6b34953e025ce73010203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414831254141f266c6819e9d5866c31d235d627f717300d06092a864886f70d01010b0500038201010074cf49948930b038bb5e35f499ad3281509873029d5808ba58b705fc893e5e002b6d974f7b7d83d538d4726f7037b93433275d46e1397a793cf8dac2161ea031b0996e66a8798f9584883722a58c54468affa639d50d0c486818351b25e2d0da2c012fa15eb942ee8b443ffdcdc6b3b9255633cd610a3a8e98eb5b708bc913cd3e1daa75dd045c5f9ff36da926892f72e18c7375b0a0ffd9bae71fdf3bad413ff928430f8ab039e2806fabc12340c8dfc095740ba5a647a249110205e4f45275546427cdf49cd31bada7be5a90e44d8781c8fb59d1490296c6e10f9c8a3ecc0cd84e88c0bb4c22c6c73ba001f4b1593b4c49f6e8a50798309534e9d6799f3d5a	6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\29B9B6B8A1B770E87881347B0DE532DDB1262F63	6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\29B9B6B8A1B770E87881347B0DE532DDB1262F63\Blob = 0f00000001000000200000003bcf530ef7f046e29cca7f7a98ee2dc32695a8f10f565db44b1830259c99547b03000000010000001400000029b9b6b8a1b770e87881347b0de532ddb1262f632000000001000000f9020000308202f5308201dda003020102021066f8a9576c24bbfe65d8a1d0464750b5300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303631383132303030305a170d3239303631373132303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c170cbbc0a786bb4d4a04ee8c0f3d7c8a7ffa1187b5fe65abd8d952810df5a912e93e9c92aa70c0131ec6d3126fb4c0a81cd318e725cc81f4403a574afbc28cf024a9302729ffdd098e1956b3b7b5bdb7dd1d7b23f1123465ed11b18752061bda5c19da5816660e052ea2eab6e266589971cafa41af878b370afbf05c1da55fc8bd96f456fb07552982e4aa8fbdf76ff733b369144c93b55fafe08e5db8ddb93ec30c0b11cd67791e1ff7e03724a61ce62777606f88f10553bf68960ccea8c0816c45bfe67deead563aa7a4f2fba4c57d6be55f7ab45751d0786b284f1d71d7bf6d7f7c760317958b9d865f34ed68fa7cbd187ed548384f6b34953e025ce73010203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414831254141f266c6819e9d5866c31d235d627f717300d06092a864886f70d01010b0500038201010074cf49948930b038bb5e35f499ad3281509873029d5808ba58b705fc893e5e002b6d974f7b7d83d538d4726f7037b93433275d46e1397a793cf8dac2161ea031b0996e66a8798f9584883722a58c54468affa639d50d0c486818351b25e2d0da2c012fa15eb942ee8b443ffdcdc6b3b9255633cd610a3a8e98eb5b708bc913cd3e1daa75dd045c5f9ff36da926892f72e18c7375b0a0ffd9bae71fdf3bad413ff928430f8ab039e2806fabc12340c8dfc095740ba5a647a249110205e4f45275546427cdf49cd31bada7be5a90e44d8781c8fb59d1490296c6e10f9c8a3ecc0cd84e88c0bb4c22c6c73ba001f4b1593b4c49f6e8a50798309534e9d6799f3d5a	6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2200 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2200 powershell.exe

pid	process
2200	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2200	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe

description	pid	process	target process
PID 2792 wrote to memory of 2200	2792	6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe	powershell.exe
PID 2792 wrote to memory of 2200	2792	6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe	powershell.exe
PID 2792 wrote to memory of 2200	2792	6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe	powershell.exe
PID 2792 wrote to memory of 2200	2792	6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe
"C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1
Filesize
15KB

MD5
0fb684cc15d197c0b937e5528359d7c8

SHA1
7d963246f52f42012bdcddb31214283c84c954ed

SHA256
e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260

SHA512
c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c

Download Submit
memory/2200-24-0x00000000731E1000-0x00000000731E2000-memory.dmp

Filesize
4KB

Download
memory/2200-25-0x00000000731E0000-0x000000007378B000-memory.dmp

Filesize
5.7MB

Download
memory/2200-26-0x00000000731E0000-0x000000007378B000-memory.dmp

Filesize
5.7MB

Download
memory/2200-27-0x00000000731E0000-0x000000007378B000-memory.dmp

Filesize
5.7MB

Download
memory/2200-28-0x00000000731E0000-0x000000007378B000-memory.dmp

Filesize
5.7MB

Download
memory/2200-30-0x00000000731E0000-0x000000007378B000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing