694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181

General

Target

694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe
Size

893KB
MD5

84552f0baff76fc1ab09a7ed62d75aa1
SHA1

f83c077bf68580e41f457594cd029076b76da79b
SHA256

694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181
SHA512

bce65d53fdde5610f66833ae1a83267dc2c9e4449d0e35fe5d13dc170590112179103d829b46cb9d7a2c351822d36abc48cd2f5aa1a99ddf8caac8510cd84cce
SSDEEP

12288:bOw2ad+evaRFzor4QYJuWbFPBbah11/ZyF7YLWYgeWYg955/155/7nwnS1dcs/:j2mvGhu4QiuWbFPUj1RG7YYnwnS1dc0

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2860	cmd.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeRestorePrivilege	884	7z.exe
Token: 35	884	7z.exe
Token: SeSecurityPrivilege	884	7z.exe
Token: SeSecurityPrivilege	884	7z.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2600	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	32
PID 1676 wrote to memory of 2600	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	32
PID 1676 wrote to memory of 2600	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	32
PID 1676 wrote to memory of 2600	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	32
PID 1676 wrote to memory of 2600	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	32
PID 2600 wrote to memory of 2680	2600	cmd.exe	34
PID 2600 wrote to memory of 2680	2600	cmd.exe	34
PID 2600 wrote to memory of 2680	2600	cmd.exe	34
PID 1676 wrote to memory of 2860	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	35
PID 1676 wrote to memory of 2860	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	35
PID 1676 wrote to memory of 2860	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	35
PID 2860 wrote to memory of 884	2860	cmd.exe	37
PID 2860 wrote to memory of 884	2860	cmd.exe	37
PID 2860 wrote to memory of 884	2860	cmd.exe	37
PID 1676 wrote to memory of 1128	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	38
PID 1676 wrote to memory of 1128	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	38
PID 1676 wrote to memory of 1128	1676	694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe	38

C:\Users\Admin\AppData\Local\Temp\694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe
"C:\Users\Admin\AppData\Local\Temp\694aab9ca8b165b08b40cc45a9058c5a54088104feef55e3258e92b438bd0181.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\install7zip.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://www.7-zip.org/a/7z2301-x64.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\7z2301-x64.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Mapping.bat" "
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files\7-Zip\7z.exe
    "C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\MapperBackgroundHost.zip" -o"C:\Users\Admin\AppData\Local\Temp" -p123
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\mapper.bat" "
  2⤵
  PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MapperBackgroundHost.zip

Filesize
8.1MB

MD5
071c4249e578294f2006c126b1b7d52c

SHA1
8b98e00f9df45631be24c7523ab3fc5329fc06c1

SHA256
8fedbe177e68447258df0db02e5f566307c1e21e3d6db3d5a7939274999abcc3

SHA512
144d9059e295d995c148a0c3aeb6383c4b13fee5ad621e53411896d107eefc4d38440d59a788802e5ef66b7366e43403df59669ac88f97a911def33073070d0d

Download Submit
C:\Users\Admin\AppData\Local\Mapping.bat

Filesize
483B

MD5
65ab752c33c277e2ece2b3387eb7b4ca

SHA1
6ad1eea8f64e072ddaa02f30eb1600795461457e

SHA256
30280cdbf48de9cde1895491a29f53d94bf28bdbbd2b9efc5eb9a178cf9de2ee

SHA512
729319fd971481883993f5f32facd8cb6494b97454f927b30bc2716f5fbe056d7542ce8756f11e017debad7966f32201e1093b3ac56183dbf7a11f64cc29c5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB0EA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB11C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\install7zip.bat

Filesize
741B

MD5
95e9966322c5d14439e0fb7ebb396833

SHA1
83ce9879bcc9c0fa86fa8daa86240d6499380784

SHA256
88a2aac0c2c285bb0fe110caafa553a438cecac00b504b195953b098dea14f47

SHA512
f2ebc31cf5bbe3f0e25bdd1aa84b294af2e97f9dec5eebee793e18d32b4c1079e4d3f29c452a1423b72397210ee324ca55dc2ccf524a5408ededc4303f47b764

Download Submit
C:\Users\Admin\AppData\Local\mapper.bat

Filesize
175B

MD5
2fe5a041baa9b097b49fe8fdad381254

SHA1
28099a854b4726ca228934606716f318533ed9f1

SHA256
39ac04c955f43c1cc3a07ecc66ef1ffb80edc4f09520ce7b68fb645fd14eabea

SHA512
f6ab109cc069b014cd336d6eec517176741c91d08f8b2b364ea111eacd167dfc2633d32993906cfd579c97ce6c432a24c9c2dca575d0290cdf1be92fbc027473

Download Submit
memory/2680-77-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-74-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2680-73-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2680-78-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-79-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-76-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-75-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-72-0x000007FEF5FAE000-0x000007FEF5FAF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing