7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5

Analysis

max time kernel
94s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5N.exe
Size

274KB
MD5

0a7bd79d9cd424f7cf646a7883c6c400
SHA1

8685a2b580bf964af97446a3229a34e32a38501e
SHA256

7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5
SHA512

ec268ad373b1f36f400383a75452a878212f98e59de075be899f31e5336d2b81f80a7208a7182eeff17982b797380f94c5f7db615cd01c13703a91fd073d62cc
SSDEEP

6144:7saocyLCfcZxEQx8OXsk8Y018Y/+kY6F2hIWFl4WWlGTamELkTVS:7tobwQ+Ock8Y0hZYg2hIWFl5A+CLcVS

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	installer.exe

Executes dropped EXE 2 IoCs

pid	Process
2984	installer.exe
3552	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Loads dropped DLL 1 IoCs

pid	Process
3652	7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5N.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	installer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	installer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	installer.exe
File opened for modification	C:\Windows\assembly	installer.exe
File created	C:\Windows\assembly\Desktop.ini	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	installer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3552	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
3552	4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2984	3652	7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5N.exe	82
PID 3652 wrote to memory of 2984	3652	7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5N.exe	82
PID 3652 wrote to memory of 2984	3652	7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5N.exe	82
PID 2984 wrote to memory of 3552	2984	installer.exe	84
PID 2984 wrote to memory of 3552	2984	installer.exe	84
PID 2984 wrote to memory of 3552	2984	installer.exe	84

C:\Users\Admin\AppData\Local\Temp\7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5N.exe
"C:\Users\Admin\AppData\Local\Temp\7aa0f21e3daa05edf5cc09a397247a9471d2e7558703e56fd8f4d1b399dcdcf5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Local\Temp\nsyB596.tmp\installer.exe
  C:\Users\Admin\AppData\Local\Temp\nsyB596.tmp\installer.exe 4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe /t /dT131900333S /e5844780 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\nsyB596.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe
    "C:\Users\Admin\AppData\Local\Temp\nsyB596.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe" /t /dT131900333S /e5844780 /u4fe0cf9f-1fe4-4abb-905a-57915bc06f2f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\12236C41CDDF9E40BA5606CDF086B821

Filesize
75KB

MD5
8b601e4a878a5f36fed27d3649df0030

SHA1
d198666c5bfa454ab6ca6cb28a5b47923bd2a3a6

SHA256
b149e2f1d25834aee44c8e7f9ba60e680862f969dfb00cedb523c8bb3209317a

SHA512
eed65ee83b24e8d9965bd507b48806ec51ba929b1a8cd645a15bb6fbd31cdbc784f6d79fef62790299acf287d3624bf55c5076901e4f5ede627aa053be64ad94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
604B

MD5
3a0e39c53630ecfc2720aee27fe32557

SHA1
ce9b2fbd4efce495b07ac98b4cb54b12dd3cf3c0

SHA256
18da8779683e3e688ac75a896d738eb4e958763e153e56cb06432bafd3d6ef38

SHA512
3598a8fa245b68d4ea236355c00c80710105704efb08e889edea0afd79e079224083c0d034e6b2454189bb8057ea9037ae48e0791bc5b6c54a4af90541fda166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\955CAB6FF6A24D5820D50B5BA1CF79C7_CC1689C2A9A5CB35265F3C2516751959

Filesize
5B

MD5
4842e206e4cfff2954901467ad54169e

SHA1
80c9820ff2efe8aa3d361df7011ae6eee35ec4f0

SHA256
2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e

SHA512
ff537b1808fcb03cfb52f768fbd7e7bd66baf6a8558ee5b8f2a02f629e021aa88a1df7a8750bae1f04f3b9d86da56f0bdcba2fdbc81d366da6c97eb76ecb6cba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12236C41CDDF9E40BA5606CDF086B821

Filesize
202B

MD5
ec2775e072e78293c9f08d9d5d3ddc54

SHA1
a01191323ad13deff2c5d56e13fd73fca2974f25

SHA256
6df6fa3ef3381f81f5431d2f25f13693810cd8e9b15274f86b0370a84c589ddd

SHA512
a0c3d44e456ceb5002bc6845cc83c1044fc9b5c7370566001ce61ea808b560bc8f7ebe6af40e6d9294093a2802410048f359b18a6f41b2d07d84abbd3e576040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B

Filesize
188B

MD5
706acc4d405111deb9ff317bb343520c

SHA1
178a6ade594c44d8be58b081a170c910f169feea

SHA256
2fb51f18f5052862f2b02d59f27fec573ffbefe2cd2f37f0c3ad41010425ad15

SHA512
8e72fa655ed4b974bd5310b83097e162c3b73d5dc5db448b01cca451ffd973574832179d3c1fae68a13b2193d002b0e7b91c661645ccc82b646ee86cf388626b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_AD9E7615297A3A83320AACE5801A04F9

Filesize
404B

MD5
8952321ef5f32e71362481985685c6a3

SHA1
e8eed6f89b6abd7fcbf017cefe5ba439a463b391

SHA256
a3f26d544c0dbbb840865e089f869b7358b72c72a646512c2cb8db1f6b171144

SHA512
ec8e27eadd4574e048ee93a5b50689dd3ad5bee5a1a4eef7804f76afe7e9ac70c6b9646add7d9a8fe613aa8ac3c9412cbccb01bd6791ed7de221272b00e19eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\955CAB6FF6A24D5820D50B5BA1CF79C7_CC1689C2A9A5CB35265F3C2516751959

Filesize
482B

MD5
7b96cdc8c2693b1939bc47253dd05f01

SHA1
1d7f91010a339f378dd9c91310cffa8fabf91cc5

SHA256
b0e73d771a2161f85ab3e0faa1d26d92a552ee1724eeb48d9b6974bb63833696

SHA512
66c07c7430625014929ea740800567bd1be840ab0488615875e8c31bef0add0252137c273f9419280aea64a012ddce5cb1ce33dd191384446bd4ff5630824ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB596.tmp\4fe0cf9f-1fe4-4abb-905a-57915bc06f2f.exe

Filesize
256KB

MD5
6e68cf541f031c7de9da6ec8d86862aa

SHA1
115f143b5f585a27006159dc1b2d4d23a7af5295

SHA256
d1763b911eebce060a4c479190e83ff5747f5e75f938fb1cb23d5fcaba249e35

SHA512
022af872f2343293a0d71c6cc3ca3f13001ce7ad8e04cf740b75574272cad1dcb40a97a0e860082e7080a69a0367438728f1983317349d5a33ca969c3d877de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB596.tmp\installer.exe

Filesize
214KB

MD5
7cf3bce5ecf2aea97b49e2eba8ca0aba

SHA1
543f5fc23df08f946488d27b2fb16b13b6311d1a

SHA256
7358afae03a24b31c0d82ee4e5fd2f17cafe6c3bdd8e26326aa4118f2169f736

SHA512
5f9184189940af27e25ae2988db8d15923dac81b2410c5fe3287f126fb50df43735fccb4e4d9f376e9f24700604c157aa1828622dab54014d9583a56ab698d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB596.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
memory/2984-11-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/2984-10-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/2984-9-0x00000000744D2000-0x00000000744D3000-memory.dmp

Filesize
4KB

Download
memory/2984-57-0x00000000744D2000-0x00000000744D3000-memory.dmp

Filesize
4KB

Download
memory/2984-58-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/2984-62-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/3552-44-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/3552-54-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/3552-53-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/3552-55-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/3552-56-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/3552-60-0x00000000744D0000-0x0000000074A81000-memory.dmp

Filesize
5.7MB

Download
memory/3652-66-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download