6ad1835f4a03f110b2094ede277a362ccb36bef8613bffb0a07380e3a666f18c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Immunos.exe
Size

482KB
MD5

6df39f5c2653ac3d2705f5b05f3be5c5
SHA1

be7fc46ceace5d92e62443c60cb83215ae981511
SHA256

7582012542ef9bdc64d0ce1885e56411daec403cdbf086ba913f9c7722f78ca8
SHA512

8ae4245c9f4c3ece22602783d9006342d196a01240805bcf632fdc48c284f2804f8d33055dffa052801c0834d37ae6acb1cd047d42c3aed5e419e80ce326c409
SSDEEP

6144:SJaVkrbZLHa+87aJOn3n8pmPqBl/+NpPIoDMchZh69rBl/+NpPIoDMc:SkVib1Va38Fl4VIspOl4VIM

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Immunos.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	Immunos.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Immunos.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Immunos.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Immunos.exe

pid	Process
4788	Immunos.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Immunos.exe

pid	Process
4788	Immunos.exe

C:\Users\Admin\AppData\Local\Temp\Immunos.exe
"C:\Users\Admin\AppData\Local\Temp\Immunos.exe"
1⤵
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4788

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1140-20-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/1140-35-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/1140-23-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/1140-22-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/1140-19-0x0000000001040000-0x0000000001060000-memory.dmp

Filesize
128KB

Download
memory/1140-21-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-24-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-27-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-18-0x000000001E5A0000-0x000000001E63C000-memory.dmp

Filesize
624KB

Download
memory/4788-16-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/4788-15-0x000000001BA70000-0x000000001BABC000-memory.dmp

Filesize
304KB

Download
memory/4788-14-0x000000001CFA0000-0x000000001D374000-memory.dmp

Filesize
3.8MB

Download
memory/4788-13-0x000000001CA80000-0x000000001CBB6000-memory.dmp

Filesize
1.2MB

Download
memory/4788-12-0x000000001C430000-0x000000001C93E000-memory.dmp

Filesize
5.1MB

Download
memory/4788-0-0x00007FFE50D75000-0x00007FFE50D76000-memory.dmp

Filesize
4KB

Download
memory/4788-25-0x000000001ECD0000-0x000000001ED04000-memory.dmp

Filesize
208KB

Download
memory/4788-26-0x000000001D990000-0x000000001D99E000-memory.dmp

Filesize
56KB

Download
memory/4788-17-0x000000001E030000-0x000000001E4FE000-memory.dmp

Filesize
4.8MB

Download
memory/4788-28-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-29-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-30-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-31-0x000000001EE70000-0x000000001EE8C000-memory.dmp

Filesize
112KB

Download
memory/4788-32-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-33-0x00007FFE50D75000-0x00007FFE50D76000-memory.dmp

Filesize
4KB

Download
memory/4788-34-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-1-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-36-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download
memory/4788-37-0x00007FFE50AC0000-0x00007FFE51461000-memory.dmp

Filesize
9.6MB

Download