strela | 49a7d26eb8022c5edc59707b013f38d41ba8838f987e676f6385c3d46c7ab998

Analysis

max time kernel
116s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ee09985aad01926c5ec335e48c36950N.exe
Size

1.9MB
MD5

6ee09985aad01926c5ec335e48c36950
SHA1

e21abc81cb0516782168eda2bc1706f7bf1a3614
SHA256

49a7d26eb8022c5edc59707b013f38d41ba8838f987e676f6385c3d46c7ab998
SHA512

dafa5a6b7a4408f2e3d9b920ce4e03e45638ca767cb9dd585d7417bb6ce11b092287f08c7b97e9f8c9d2af7cdb6585dcb3c2bec36afdc22c460a5f0299e36a1a
SSDEEP

49152:Q8t9VWdeTu1rsEJHCPwVmb8AKe3kAIugoiau0zZEjafp:Q8qeTUsRP+AKSZzJR

Score

10^/10

strela discovery stealer

Malware Config

Signatures

Detects Strela Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001926b-34.dat	family_strela

Strela stealer
An info stealer targeting mail credentials first seen in late 2022.
stealer strela

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETB49F.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SETB49F.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\ssmirrdr.sys	DrvInst.exe

Executes dropped EXE 5 IoCs

pid	Process
3004	driverinst64.exe
2248	ssrangsv.exe
1396	ssrangsv.exe
2372	ssrangsv.exe
3040	ssrangui.exe

Loads dropped DLL 11 IoCs

pid	Process
3060	6ee09985aad01926c5ec335e48c36950N.exe
3060	6ee09985aad01926c5ec335e48c36950N.exe
3060	6ee09985aad01926c5ec335e48c36950N.exe
3060	6ee09985aad01926c5ec335e48c36950N.exe
3060	6ee09985aad01926c5ec335e48c36950N.exe
3060	6ee09985aad01926c5ec335e48c36950N.exe
2372	ssrangsv.exe
2372	ssrangsv.exe
2372	ssrangsv.exe
2372	ssrangsv.exe
2372	ssrangsv.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\SETB137.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C	ssrangsv.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\current_time_in_US-CA[1].aspx	ssrangsv.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	driverinst64.exe
File opened for modification	C:\Windows\system32\ssmirrdr.dll	DrvInst.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\AI1Y3MY4.txt	ssrangsv.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\ssmirrdr-nt_amd64.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	driverinst64.exe
File created	C:\Windows\system32\SETB56B.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	ssrangsv.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\current_time_in_US-CA[1].htm	ssrangsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ssrangsv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\AI1Y3MY4.txt	ssrangsv.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\SETB138.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\SETB138.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C	ssrangsv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	ssrangsv.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\SETB126.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\SETB126.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\ssmirrdr.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\SETB56B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\ssmirrdr.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\SETB137.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\nt_amd64\ssmirrdr.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\SETB148.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}\SETB148.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{500209a5-d188-0264-cd34-781ede0e7f7e}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	driverinst64.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ssrangsv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	ssrangsv.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt	6ee09985aad01926c5ec335e48c36950N.exe
File opened for modification	C:\Program Files (x86)\supportdotcom\rang\	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr-nt_amd64.cat	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr-nt_x86.cat	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\Common Files\supportdotcom\rang\ssmirrdr.inf	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_amd64\ssmirrdr.sys	6ee09985aad01926c5ec335e48c36950N.exe
File opened for modification	C:\Program Files (x86)\supportdotcom\rang\nsjADC0.tmp	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\supportdotcom\rang\support.ico	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.42].log	ssrangsv.exe
File created	C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_x86\ssmirrdr.sys	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\supportdotcom\rang\uninst.exe	6ee09985aad01926c5ec335e48c36950N.exe
File opened for modification	C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.46].log	ssrangsv.exe
File created	C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_amd64\ssmirrdr.dll	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\Common Files\supportdotcom\rang\nt_x86\ssmirrdr.dll	6ee09985aad01926c5ec335e48c36950N.exe
File opened for modification	C:\Program Files (x86)\supportdotcom\rang\nsjAE0F.tmp	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst.exe	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe	6ee09985aad01926c5ec335e48c36950N.exe
File opened for modification	C:\Program Files (x86)\supportdotcom\rang\nsjADBF.tmp	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\supportdotcom\rang\ssranghk.dll	6ee09985aad01926c5ec335e48c36950N.exe
File created	C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.46].log	ssrangsv.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	driverinst64.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	driverinst64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	driverinst64.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	driverinst64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssrangui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ee09985aad01926c5ec335e48c36950N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssrangsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssrangsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssrangsv.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveActive = "0"	ssrangui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "0"	ssrangui.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ssrangsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadDecisionTime = 60d12839adddda01	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	ssrangsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadDecisionTime = c0270d26adddda01	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	ssrangsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-37-78-c7-56-a8\WpadDecisionTime = 60d12839adddda01	ssrangsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0195000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ssrangsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-37-78-c7-56-a8\WpadDecisionTime = 601b4302adddda01	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	ssrangsv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadDecisionReason = "1"	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ssrangsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-37-78-c7-56-a8\WpadDecisionTime = 60763014adddda01	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ssrangsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0195000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0195000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ssrangsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ssrangsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadDecisionTime = 60763014adddda01	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5C4E294B-3230-4770-91C3-CA402A02B996}\WpadNetworkName = "Network 3"	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	ssrangsv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10645F09-C446-4AA9-A691-5AB96783DCA2}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D92995F8-CF5E-4A76-BF59-EAD39EA2B97E}\NumMethods\ = "7"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C7EAD52-8023-4936-A4DB-D2A9A99E436A}\ProxyStubClsid32	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324}\ProgID	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{012DD920-7B26-11D0-8CA9-00A0C92DBFE8}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7CC7AED8-290E-49BC-8945-C1401CC9306C}\ = "INameSpaceTreeControl2"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E621D2B-5A4C-450C-8B78-C7F52C1F1D9B}\ProxyStubClsid32	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52BBC746-9F9C-44B4-8D7C-0AAAB79BC7DC}\NumMethods\ = "6"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1DEECAB6-1CFF-4923-9A53-BC2C5D199544}\ = "ICDBurnGlobalSettingsDialog"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D57C7288-D4AD-4768-BE02-9D969532D960}	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{215913CC-57EB-4FAB-AB5A-E5FA7BEA2A6C}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB481469-2D98-42D2-9DDF-9161E8BD44B1}\NumMethods\ = "12"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A530E6D3-0EA0-4B6D-AF89-FBA0944D1A10}\ProxyStubClsid32	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30176CFE-6F36-4EA4-BE65-A4B728FECE39}\NumMethods\ = "6"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7A2DA3F-4CDA-4FEA-A907-DC6C32B8C3B5}\ProxyStubClsid32	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4BFDDEB8-130E-41D1-8E6E-670E469DC9CD}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFFA805B-896A-41FF-9FE0-840DA6476686}\ProxyStubClsid32	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B0120C9-73AB-4249-91E0-CA3E61924B7F}\NumMethods\ = "12"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{88E39E80-3578-11CF-AE69-08002B2E1262}\NumMethods\ = "20"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{42C9F529-AC7B-45D3-A320-C2F23F250B94}\ProxyStubClsid32	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE812157-522C-46CB-8D53-6EFE3DCE2C46}	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52B14A6A-58F1-45BD-B00A-DCE7403D951E}\NumMethods\ = "4"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50A87BAA-5F79-4C31-B6B3-28F6F2D097E6}	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BC63938-8254-4965-9680-565933185060}	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7E1AF054-83A6-47FC-AB27-A58AE8D9C705}\NumMethods\ = "13"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4623BD61-5603-444F-824A-AAEBCEED93FA}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2660212B-070F-40D3-AFC1-1EC7DF0A995D}\ = "IMultiComplete"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DFC60FB-F2E9-459B-BEB5-288F1A7C7D54}\ProxyStubClsid32	ssrangsv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E982FED-D14B-440C-B8D6-BB386453D386}\ = "IIdentityAdvise"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1B155F51-7593-4458-B3BC-B196A750C014}	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DA22171F-70B4-43DB-B38F-296741D1494C}\NumMethods	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{504B27AA-001F-4179-9AD0-663A37C317A9}\NumMethods	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18140CBD-AA23-4384-A38D-6A8D3E2BE505}\ = "IBrowserProgressSessionProvider"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{240A7174-D653-4A1D-A6D3-D4943CFBFE3D}	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD9617E6-E67F-4F7B-8B64-11B05F507868}\ = "IRelocateFolderInNamespace"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A561E69A-B4B8-4113-91A5-64C6BCCA3430}\ProxyStubClsid32	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{36DF1A3D-973D-4956-B55A-47DE453E8103}\ = "IElevatedFactoryServerManager"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B353825-C58B-4F03-AEC4-8DE179122661}\ProxyStubClsid32	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB072FAA-CF74-45AB-AFB0-FE3D89FFDD94}\NumMethods	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C204249-C443-4BA4-85ED-C972681DB137}\NumMethods\ = "8"	ssrangsv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\PROGID	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAFEC873-94B2-47A4-AA4A-6A54F2DF865D}\NumMethods	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4EEA50C7-78D0-47C2-B585-3B7C026CCC15}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E7FD9502-BE0C-4464-90A1-2B5277031232}\ = "ISyncMgrSyncItemInfo"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{241C033E-E659-43DA-AA4D-4086DBC4758D}\ = "ITravelLogClient"	ssrangsv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLESCRIPT	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1823E7BA-EC36-447A-9B2E-B4912E15AFE7}\NumMethods	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1DB8392-7331-11D0-8C99-00A0C92DBFE8}	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC2601D7-059E-42FC-A09D-2AFD21B6D5F7}	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59007C49-CB25-4BD5-AAD9-6943F08F4F9E}\ = "IMediaTranscoder"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9838AAB6-32FD-455A-823D-83CFE06E4D48}\ProxyStubClsid32	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8E621D2B-5A4C-450C-8B78-C7F52C1F1D9B}\NumMethods	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{18140CBD-AA23-4384-A38D-6A8D3E2BE505}\ProxyStubClsid32	ssrangsv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	ssrangsv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{709A7BE5-63F9-4568-A1EE-2F4C4A38978E}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DC2601D7-059E-42FC-A09D-2AFD21B6D5F7}\ProxyStubClsid32\ = "{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}"	ssrangsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86187C37-E662-4D1E-A122-7478676D7E6E}\NumMethods\ = "19"	ssrangsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AF3A467-214F-4298-908E-06B03E0B39F9}\ProxyStubClsid32	ssrangsv.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ssrangsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ssrangsv.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	2760	DrvInst.exe
Token: SeRestorePrivilege	3004	driverinst64.exe
Token: SeLoadDriverPrivilege	3004	driverinst64.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeRestorePrivilege	2944	DrvInst.exe
Token: SeLoadDriverPrivilege	2944	DrvInst.exe
Token: SeLoadDriverPrivilege	2944	DrvInst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3004	3060	6ee09985aad01926c5ec335e48c36950N.exe	30
PID 3060 wrote to memory of 3004	3060	6ee09985aad01926c5ec335e48c36950N.exe	30
PID 3060 wrote to memory of 3004	3060	6ee09985aad01926c5ec335e48c36950N.exe	30
PID 3060 wrote to memory of 3004	3060	6ee09985aad01926c5ec335e48c36950N.exe	30
PID 3060 wrote to memory of 2248	3060	6ee09985aad01926c5ec335e48c36950N.exe	31
PID 3060 wrote to memory of 2248	3060	6ee09985aad01926c5ec335e48c36950N.exe	31
PID 3060 wrote to memory of 2248	3060	6ee09985aad01926c5ec335e48c36950N.exe	31
PID 3060 wrote to memory of 2248	3060	6ee09985aad01926c5ec335e48c36950N.exe	31
PID 3060 wrote to memory of 1396	3060	6ee09985aad01926c5ec335e48c36950N.exe	35
PID 3060 wrote to memory of 1396	3060	6ee09985aad01926c5ec335e48c36950N.exe	35
PID 3060 wrote to memory of 1396	3060	6ee09985aad01926c5ec335e48c36950N.exe	35
PID 3060 wrote to memory of 1396	3060	6ee09985aad01926c5ec335e48c36950N.exe	35
PID 2372 wrote to memory of 3040	2372	ssrangsv.exe	37
PID 2372 wrote to memory of 3040	2372	ssrangsv.exe	37
PID 2372 wrote to memory of 3040	2372	ssrangsv.exe	37
PID 2372 wrote to memory of 3040	2372	ssrangsv.exe	37

C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe
"C:\Users\Admin\AppData\Local\Temp\6ee09985aad01926c5ec335e48c36950N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe
  "C:\Program Files (x86)\Common Files\supportdotcom\rang/driverinst64.exe" /Install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
  "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /setup
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2248
- C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
  "C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" /provider supportdotcom /regserver /start
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1396

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{37cc2436-ef8e-1ac3-bf81-2607edbf665d}\ssmirrdr.inf" "9" "67bd61347" "0000000000000594" "WinSta0\Default" "00000000000002C8" "208" "c:\program files (x86)\common files\supportdotcom\rang"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\SSMIRR_DRIVER\0000" "C:\Windows\INF\oem2.inf" "ssmirrdr.inf:ssmirrdr.Mfg.ntamd64:ssmirrdr:2.0.0.0:ssmirr_driver" "67bd61347" "0000000000000594" "0000000000000064" "0000000000000068"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe
"C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe" -service "-provider" "supportdotcom"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe
  "ssrangui.exe" -start -ec 1 2647238069 -agentFriendlyName 'ATS Agent'
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:3040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\supportdotcom\rang\driverinst64.exe

Filesize
16KB

MD5
38377a28f213b6bb042e60e4b457f516

SHA1
0499b92faa65cd1d00640715c998d2500ff4eebc

SHA256
ca67f164a2ee8be79fb156ac3cdbc154ea8a761bf49e88197c4c07a3a325a2a9

SHA512
e522e4a4157849612017af61b8e6db94c67503872a76fdfa1e342908f9292f296e7e462b8bf02155028e10e1860288bc5acb5490fa7b3136b19d6b8b68fe3319

Download Submit
C:\Program Files (x86)\supportdotcom\rang\ca-bundle.crt

Filesize
251KB

MD5
478f2561ec0658265a01993e00ee89f2

SHA1
3845dc7fd32fb08600ebd5902bc1bd7e7bfa63a1

SHA256
d42fa29fd8a06ea428d041a26d4e6831bbf8538f83032e922287832c39b06b86

SHA512
82636f4317d561a38134f919d6197abbeea56c2a2c750350148b54fb5b864babd8711876d6e322ffdd12489305ca96b9d209335998b922d2c9e4f198ae84f470

Download Submit
C:\Program Files (x86)\supportdotcom\rang\logs\ssrangsv_[7-24-2024 - 9.36.46].log

Filesize
309B

MD5
11c569068df757e0c6d81d167cd83448

SHA1
4e4d35d710bfe9911343007fb6f82875b691d390

SHA256
aa8f926c017d0e6fbc393653e82d0bd320904cf74bca38d50415874df9f37408

SHA512
329de1f37b240656f4ee0afe1ff3c0013bc35772726a78a704e4739551f42b2b7f4b84189ddd4a36f71fd4b3c9622481a53ba706433d4151538c120de9e09ba3

Download Submit
C:\Program Files (x86)\supportdotcom\rang\ssrangsv.exe

Filesize
2.2MB

MD5
8e1f07c8ec91b5c63eccd0c6cb00a027

SHA1
89afb7d39ed1935f25f8c43b60ab2fdcba58447f

SHA256
d82c089a395db0691c1c845b68c1b1743de8985feb47ec5e03f0db80a5c1b195

SHA512
138f90453e58a34f53cbd7d1700fbc9377c4d67f55119df5198d5575a1ab07e2d00e51562c14d9f8f8120169f2d977948a06cb600ba16c5d53e141b76e39f497

Download Submit
C:\Program Files (x86)\supportdotcom\rang\ssrangui.exe

Filesize
1.7MB

MD5
69d7734b204b81b646d0f8576e7dc8d6

SHA1
a37786dcab45c963d44a135db52b21177847508b

SHA256
24316fd026bcf76caa990e27e3dfd38126fa5b71763fa576ccab43cba6eafb2e

SHA512
0d93c3b9f664c36af3568484352aa09925cf04f9ccdf07bf7a1c7dbd791cbb98b8c18043c8220fce0c9b3defab90586a86d2cddf225980518a3b9e854026c79d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ec313d5b7d7c9685e4d32ff05e6d5ea8

SHA1
c334fd6d27510fe6eb8fe684a54bbe7462466ec0

SHA256
7d2f91bd798d9d63f8011c9ad6ac3a895c2a4a36bffdca0cc79b2eb472da2f08

SHA512
679851f08233a3331a5536a76d1aeb24ddfc9162fe51e0c82779760f0209c7ec2aecd192fa911cf4cdfc811683b1e58e118e0fbd8008b53a2fbadab8d3c4d244

Download Submit
C:\Windows\System32\DriverStore\FileRepository\ssmirrdr.inf_amd64_neutral_f60e4a3bb7f7b95a\ssmirrdr.PNF

Filesize
9KB

MD5
6341c4eed3b4f77cd067cd2db2b592a9

SHA1
3594c5374a4fe9c9ba8046b06eea4ababd73b680

SHA256
bea564e0d2e00c48571b0992cd13a4aa163e7fc396f9d0d549cd8e5d025246f7

SHA512
321737ee2e210e1808a35fc3b5df860a0d6a6e617295ec97f68af912f66d500a215a24c084264b13e4dfce9353c645eb1363d6a327250ab34bf1835ee6a177a3

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
35b452e8bbebc7f7ea4969b7a82d1ffd

SHA1
57241b0d729f0dd2f91181fd59285c75bbb36a3d

SHA256
69d1fd51691f985a324f54da9c00e256c5f9f0f2231ba805a6fe813439ba9257

SHA512
665f1aa9cb8ca0bdbb0a6a7f3ec602561749ce54df7c1ed481c2d3af08147586df7c298a04ed7c0994940dd786001234f748041cd4c2800c352f5dbb568f71e3

Download Submit
C:\Windows\Temp\TarD79F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
9KB

MD5
fed87ccdd12af5095f46d54deed3ce09

SHA1
f7db563d5f63a011934c115245b8d1fe1af239a9

SHA256
31a7677b235b7b9cf7e9d81279366037279c13699e0bfd9823846afaaba705f3

SHA512
f3eff6ed1f5ae7d8ebb387c68a8f3ddf5770fb8f7c4da52628fae6f97cb31331f4230c188f3572607af9956573b68ba2b55be6fac1c98610268cb274c93ecc6a

Download Submit
\??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.dll

Filesize
31KB

MD5
28b26600204f79045eda8f7fd8ca3c86

SHA1
b9f19e36b80eb862370d99b466664380440af6d5

SHA256
5140f07b878efd1b74ee9f5821a207d1cee65952702ff75c49a4522face230c6

SHA512
aebd4425b846883e1f49da18edf3b7c96a9fb9ddb7ce709938b21eae169bdaeb5ce6bf8593638b5c887b26de7476b793a4691a7d56e46796bb658f1e516ad3c1

Download Submit
\??\c:\PROGRA~2\COMMON~1\SUPPOR~1\rang\nt_amd64\ssmirrdr.sys

Filesize
9KB

MD5
1100066057fbf612b573efd3b21383f1

SHA1
f95db83ea936f1fe70583a4eca810da807167dfe

SHA256
894f5a999e03807dffea67938d2e456d50d9e5511fe91d2e2293c51d98b3d87d

SHA512
62850de88b00daeab3299fec2bbd9aa0b07f766b96f42392310cb4f23c9e50f0aa8bc87f82e28cd99c195ea205a26c083d048cbac3341861dcee4a5eabb9dea8

Download Submit
\??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr-nt_amd64.cat

Filesize
8KB

MD5
31f007d8f2de5e945dc2e2234628bc37

SHA1
76fb2cd66c869bae25589298a971b458bd06c18e

SHA256
a179d2176962ff702eb57417f931deb3e8c9f2cfb61311d767b243e111b83973

SHA512
170e8ac2cb4decb9fe07f8811c58155c377fc20af3748bcc33cdb203a2780c749f0cc721ba293874ecab1e0423682679ff7a1bccc26caa185af279796112dc18

Download Submit
\??\c:\program files (x86)\common files\supportdotcom\rang\ssmirrdr.inf

Filesize
2KB

MD5
6c4423d9cb9921a25de76b2d9f390f74

SHA1
5abdfd7b7d0e454a6ac117c90077b3379e48d666

SHA256
3cb8307e59f4483ec329cd2b92690a877eb4b3a0c3633c9e012a4f8aac249c82

SHA512
9f28e9a824e0983e180bcefdd347ee145c406e920f660622e34bedf5c3b7e7cd083c3f60528f135e341621248a53ad16cca5ebbb6c8b66af166304ab8b94628c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAD9E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit