80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9

General

Target

80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe
Size

620KB
MD5

254ef7f8072c9ab2a2245c9607d1a9da
SHA1

c9e9e2d1536f047eaa4599b5d6bc68a8ee85c817
SHA256

80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9
SHA512

975cd7f0974e311c4f97852c5f65659d31ffc7e7ce7910b98e10340ed96daeb4246c1e97b4219df93532e7855a39e77edc98e2e903d33b7492d8c9b1e4d9bff2
SSDEEP

12288:ej+BuagU0y60p1u8lES1PBD7aJOth+no0Ukhf/kGIQ3:k+BIU0GO8lEEPN75tSBlf/TIQ3

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\mspci.sys	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4612	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D8C7019BD363CEA27D25594A5517BD6A5225E04B	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D8C7019BD363CEA27D25594A5517BD6A5225E04B\Blob = 030000000100000014000000d8c7019bd363cea27d25594a5517bd6a5225e04b2000000001000000d6030000308203d2308202baa003020102020100300d06092a864886f70d0101050500308180310b3009060355040613025553312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303038204341311f301d06035504081316566572695369676e205472757374204e6574776f726b3120301e060355040b1317286329203230303820566572695369676e2c20496e632e301e170d3038303732353033313432315a170d3238303732303033313432315a308180310b3009060355040613025553312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303038204341311f301d06035504081316566572695369676e205472757374204e6574776f726b3120301e060355040b1317286329203230303820566572695369676e2c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d29becc60b5391e3db6292a31b911ac3f3dbd1895bf1dde238ef7f89d5d366f8c099b973878a9a2548e9eefb25b417328629943feec5fcb3cb4568d6ce8966fdba88576e82ec41f5beb8f9e5db2e5fda9fae0b829116c6f052d2bffcab79d5ca7979ed758fbed8d68689f3d84bfdcc3d964b024391a2e544cbd8ef8772d44a72034c4e36290b9ea46b036448c52e4f4b2dd0fc722eae20a4957af2b2b5bc865d139bb6bd98622c6cb51fc453db26afd6fb1caf3c03483e17f04e2f471b7ccba2c1e5bff9bfe9c6986ba2d5501c35c69342bfbd75e8b0a1a6e4df5d87b55814a51fcfc88ec2737f6ce128270b4f50822255473fea1871d69e30edd9f8c37d82a10203010001a3553053300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604148077abe4ae125c8c9ea2e1b390a509944e3b5105301106096086480186f8420101040403020204300d06092a864886f70d010105050003820101003c95b3597084897b3dcdbeac0aa1b682d2329fc1b0cf8c613f18b1b436b65d97bf746668bf070d5aa1c38910004c85fab1fb569bbfeb64a5b58f7fe5cc9cdebca2505d5fae1508d2109c193c9bfe4c65e36703f2da8f4a606b7dd5edb9162e202df27104c52e7f3dccf23cb64aa9ffe537fa06273ebfe210825eb8dfbcf9f02cae323600d8d0dadc0f7022775ea019bf7139f9ce915d344ebf5e4cde507ae8147a1717ab2d7bc5e76d23fc76741bcaae03f69d0960ed77e754217fd5699dbe295eafb9f8774023d0aca0ee219141c68047558277e6418e2aa61043dfaececfc5fc80f746ea90d8cbb249147769ab656b36bb20bc6a62473e1376f3bdf21d6140	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4612	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5044	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe
5044	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe
5044	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe
5044	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5044	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 512	5044	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe	89
PID 5044 wrote to memory of 512	5044	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe	89
PID 5044 wrote to memory of 512	5044	80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe	89
PID 512 wrote to memory of 4612	512	cmd.exe	91
PID 512 wrote to memory of 4612	512	cmd.exe	91
PID 512 wrote to memory of 4612	512	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe
"C:\Users\Admin\AppData\Local\Temp\80627619c1b54c44d43741b17502ee0b38d568404cbd1102570787ae356936e9.exe"
1⤵
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nvsBmz.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nvsBmz.bat

Filesize
406B

MD5
81cb2a503dcc27c182f12dc8f96cba98

SHA1
a0d26e61e8a32c7921d44ff7f1b659decd5451fb

SHA256
43a433c19243627bc4deba72dd873f58ed5385be74437cd96958f65d0d4b817d

SHA512
2029cae2cbc15eccce9f3651734996f6e8c688eedff5855b49acf9951cc1308e19e9258be331d977c226ec5e817efb5ff389b27b14c7c404ffc0cebe8c16e445

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads