ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe
Size

101KB
MD5

e558e912a3017607e2fd40a00690a763
SHA1

6b5a62c5536b79714e83c97a8f20dc8c77b362ca
SHA256

ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e
SHA512

29000cdd9ef7b2fe4a9f3d591541980f9bdf9865d97fd8a46b804dea301c31b99c58f3d71c04ee07e21cc66efcecb904cdc0de4626daabeea830a064b0b79c60
SSDEEP

1536:a4GZnjfFGS6VW3RtfNTwxfHKMFHPGwFCVZUpbdXH+j0NJs:a4GZnrASj3/5QLFvGwFCZ+XH+I

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2836	setup.exe
2720	setup.exe

Loads dropped DLL 23 IoCs

pid	Process
2572	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe
2836	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe
2720	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2836	2572	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe	31
PID 2572 wrote to memory of 2836	2572	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe	31
PID 2572 wrote to memory of 2836	2572	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe	31
PID 2572 wrote to memory of 2836	2572	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe	31
PID 2572 wrote to memory of 2836	2572	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe	31
PID 2572 wrote to memory of 2836	2572	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe	31
PID 2572 wrote to memory of 2836	2572	ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe	31
PID 2836 wrote to memory of 2720	2836	setup.exe	32
PID 2836 wrote to memory of 2720	2836	setup.exe	32
PID 2836 wrote to memory of 2720	2836	setup.exe	32
PID 2836 wrote to memory of 2720	2836	setup.exe	32
PID 2836 wrote to memory of 2720	2836	setup.exe	32
PID 2836 wrote to memory of 2720	2836	setup.exe	32
PID 2836 wrote to memory of 2720	2836	setup.exe	32

C:\Users\Admin\AppData\Local\Temp\ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe
"C:\Users\Admin\AppData\Local\Temp\ff69010fe2cae32c85038035426d63cc92e8e8d06b71f243a2abfdc27d0b440e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe
  C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe AID=31220
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Temp\{0E2A3435-6A9A-4C65-AE8D-885322A5B1B8}\.cr\setup.exe
    "C:\Windows\Temp\{0E2A3435-6A9A-4C65-AE8D-885322A5B1B8}\.cr\setup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=280 -burn.filehandle.self=288 AID=31220
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\BootstrapperCore.config

Filesize
1KB

MD5
f6e583d741ff2c5987ca3c453a5b5489

SHA1
8ec7fd6be78ba0522c22e3924e452a5a3b7e7243

SHA256
69820ee33cd6ab53ff12951ba70ffe5a59860fbd96b83d2316c786013936b4f8

SHA512
3377157af3acd69386805d88d437b683c47cd441343e50099cc1da1ab6af1db13f96d1e489e121ac4d2385181fd96351c782a4ceda1bebc88692c68494ed2dcd

Download Submit
\Users\Admin\AppData\Local\Temp\adguard\setup.exe

Filesize
35.2MB

MD5
0dcf2c128dfae2a95a3bd8502c82c00b

SHA1
e73568b45b1752d7e4773d4f5aaa43b6339938aa

SHA256
ad2b2993980a870b44d93a88f7652dddbc133b874caa636dee49469eedbb569c

SHA512
cc24896e1311939f60132d1caa3e2fd9105ca1e91bf5ae67d894dbe3d82265a6342a99d6bf0346f0af84c2c04a17298840e2b1f0fda9044a6556fe9cf08da218

Download Submit
\Windows\Temp\{0E2A3435-6A9A-4C65-AE8D-885322A5B1B8}\.cr\setup.exe

Filesize
7.1MB

MD5
bdd2706a63b0a996731d1398182e02ae

SHA1
832d3fbd93461ac7cc6bf680d404fd21c5e5b161

SHA256
6a7d13333e576b8a07af161edaef4f4ab728026c57a32881359c1fcd0c7881fe

SHA512
01a10f0a1188786b00e3e03b10c978b503343f06d202371d141ad7c3a16eaad29b81a0370bbb7b4d90d2385c75b7a3d420b71ee47537722ebc709fa5f48eee2b

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\AdGuard.CrashReporter.dll

Filesize
479KB

MD5
42ce699939ff84e1094607553f847a07

SHA1
13bf720e3b6c046febef489a0de42b5434790940

SHA256
2c7cc31f967b289c1867c0152f280cd2ec76eb8140b80266a19a4b5ce552aede

SHA512
37839b53d10b96ff1bd4819ee62390b7dec6c08e6466a5da3afeecd85ff12ccdb939c975255b518c810a7233b7c69113c7610f352a58c3d8ba3946752fb1ce87

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\AdGuard.Utils.Base.dll

Filesize
890KB

MD5
0ce102f0fd975d32b81838254115c4a8

SHA1
d42c7ed91782bbfa5e3dd03c1df56bcfcc977dde

SHA256
c08cff2d4964708c4fd2279d32639d07e00e7bffa2abeb051680f60a4a7c92b2

SHA512
2fe882fb8eae4aa90de139624681d202d2d527ad6486e8e1354f14ad700c6180bfce1a1e80cf39eb51e96d700055a0522f98ed8e4a88744572c1d5f21bb704d0

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\AdGuard.Utils.Installer.dll

Filesize
56KB

MD5
2596c68bb84722499cd94b69b8b017d5

SHA1
8a1f7867666287dd43c7a9bf717fa6e201af31ae

SHA256
f91688a69358f2733d627bd43625c48f6159041edf7415b779b75d7ca8ce2f84

SHA512
7f401568bb23e406db54af2b6b59fdc2a8414a54d0860134f938ea29217b6a8a845211cb9b2c9712452a306154ac2da9424da6e083af307b89aa082f8b2bd890

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\AdGuard.Utils.UI.dll

Filesize
687KB

MD5
1ef206a3248a94aea1b1afb4664bb9f3

SHA1
880ffdd62af189d00286993b153f914268c946d1

SHA256
d792969ada5a92335a3f9fb8ca58d2fc66c5f0d66ba72797dc598f8856efbc21

SHA512
1e3ec63d3f9c1d1bd73c7a6fa182e372219558b8c903bd21d00610e44b4f7a47bbe9bdd144f9d7cbfbe186ea86a581185de54a003ba8fb8d78f8e3b12899c32c

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\AdGuard.Utils.dll

Filesize
1.8MB

MD5
4d3789b8d5c00fe763552a4006fab3e2

SHA1
123a21cc44d46fd3e4a824a4810fc36ca0265577

SHA256
a61cdd6e91c6708210cadd7573785d16444541716eb0e687ddb5d0fbd22204af

SHA512
80c17c01190c3cbde3fad5bf52d1a2277ba28910be3a75f003ca52ac308243117a5681262fdc380f9b4bd7b31f2ed8b7fc2b1cba25a54755833ff01a0f2a333c

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\AdGuardVpn.Burn.dll

Filesize
255KB

MD5
0cfd8faf4a9303f57d64a615519f5dae

SHA1
5e47a2a2a47b6f36ea3292e1d52230f1fb35a3b0

SHA256
586557532484f320308b76e1849efe54456f367b1f22bb5707ad319b75ccf2f2

SHA512
a0dcd566f73dc0f902158cc75cd15a0c93b5b7549e96e12128939a1ec9068b790625d2afe9261de8c61657b08d1c89abca4d66be51f84e4f7a9764ac78230630

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\BootstrapperCore.dll

Filesize
87KB

MD5
b0d10a2a622a322788780e7a3cbb85f3

SHA1
04d90b16fa7b47a545c1133d5c0ca9e490f54633

SHA256
f2c2b3ce2df70a3206f3111391ffc7b791b32505fa97aef22c0c2dbf6f3b0426

SHA512
62b0aa09234067e67969c5f785736d92cd7907f1f680a07f6b44a1caf43bfeb2df96f29034016f3345c4580c6c9bc1b04bea932d06e53621da4fcf7b8c0a489f

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\SharpRaven.dll

Filesize
114KB

MD5
89a2762f19597b82d5c501366e5b2f29

SHA1
f5df7962015164e4bfed0ae361f988c1e581677e

SHA256
a236377db9ee299087c4f8fa6e345765ac4a25aa5d7fabfd8b724f1889324167

SHA512
bd2a4ab78835092abb0cf3cae0850c8b2aa344247f6479cfd59d52bba60c4b605ada4bf885e1ab0b86d4fab138a9084900b954e62e6384d794f2ce61c999cb13

Download Submit
\Windows\Temp\{293FC154-3170-4B38-AACE-D919C598FDF6}\.ba\mbahost.dll

Filesize
119KB

MD5
c59832217903ce88793a6c40888e3cae

SHA1
6d9facabf41dcf53281897764d467696780623b8

SHA256
9dfa1bc5d2ab4c652304976978749141b8c312784b05cb577f338a0aa91330db

SHA512
1b1f4cb2e3fa57cb481e28a967b19a6fefa74f3c77a3f3214a6b09e11ceb20ae428d036929f000710b4eb24a2c57d5d7dfe39661d5a1f48ee69a02d83381d1a9

Download Submit
memory/2572-17-0x00000000008A0000-0x00000000008C0000-memory.dmp

Filesize
128KB

Download
memory/2720-149-0x00000000068D0000-0x0000000006AA6000-memory.dmp

Filesize
1.8MB

Download
memory/2720-154-0x00000000066D0000-0x0000000006780000-memory.dmp

Filesize
704KB

Download
memory/2720-143-0x0000000006290000-0x0000000006372000-memory.dmp

Filesize
904KB

Download
memory/2720-159-0x00000000031C0000-0x000000000323C000-memory.dmp

Filesize
496KB

Download
memory/2720-139-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/2720-165-0x0000000002B30000-0x0000000002B4E000-memory.dmp

Filesize
120KB

Download
memory/2720-135-0x0000000001F90000-0x0000000001FD6000-memory.dmp

Filesize
280KB

Download
memory/2720-128-0x0000000000760000-0x0000000000778000-memory.dmp

Filesize
96KB

Download
memory/2720-172-0x0000000007170000-0x0000000007222000-memory.dmp

Filesize
712KB

Download
memory/2720-181-0x0000000003520000-0x000000000352A000-memory.dmp

Filesize
40KB

Download
memory/2720-180-0x0000000003520000-0x000000000352A000-memory.dmp

Filesize
40KB

Download
memory/2720-183-0x0000000003520000-0x000000000352A000-memory.dmp

Filesize
40KB

Download
memory/2720-182-0x0000000003520000-0x000000000352A000-memory.dmp

Filesize
40KB

Download