revengerat | baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
Size

2.1MB
MD5

5d8b1d0b165e6c4b4d78bcf52fb99570
SHA1

01a30b1390af9daf7d24a6f7a9e28ee883d5b2ee
SHA256

baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8
SHA512

8b0508add284eb79bae3432225aad66759329b31dc5258dbbf76c1a7b0c7f847cbc10a51134348ccbdec74b84367cab855c3172d31916c9837965dd1bfe35695
SSDEEP

49152:PhxkP/I9K3pr4ZCOz5xLmKot5C7UzaxVlHAlImt4+O5XK2v0uV+w:AoQ3V4IGxLmKK4PA6E1GXzM4

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0008000000015baa-36.dat	revengerat

Executes dropped EXE 37 IoCs

pid	Process
2580	winvnc.exe
692	ETConnectServer.exe
2276	winvnc.exe
2284	ETConnectService.exe
2528	winvnc.exe
3048	ETConnectService.exe
2400	winvnc.exe
2932	ETConnectService.exe
3008	winvnc.exe
988	ETConnectService.exe
3000	winvnc.exe
2968	ETConnectService.exe
2164	winvnc.exe
1264	ETConnectService.exe
896	winvnc.exe
2908	ETConnectService.exe
1700	winvnc.exe
1496	ETConnectService.exe
2136	winvnc.exe
736	ETConnectService.exe
1632	winvnc.exe
2628	ETConnectService.exe
3060	winvnc.exe
2012	ETConnectService.exe
1552	winvnc.exe
2724	ETConnectService.exe
1656	winvnc.exe
1528	ETConnectService.exe
2640	winvnc.exe
1256	ETConnectService.exe
1496	winvnc.exe
1580	ETConnectService.exe
1636	winvnc.exe
1524	ETConnectService.exe
2628	winvnc.exe
1608	ETConnectService.exe
2784	winvnc.exe

Loads dropped DLL 7 IoCs

pid	Process
2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\ldapauth.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSRC4Plugin.dsm	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\License.txt	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SCHook.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SecureVNCPlugin.dsm	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\uvnc_settings.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authSSP.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vnchooks.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vncviewer.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Whatsnew.txt	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\workgrpdomnt4.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authadmin.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logging.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logmessages.dll	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSLogonACL.exe	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Readme.txt	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000016d31-32.dat	nsis_installer_1
behavioral1/files/0x0006000000016d31-32.dat	nsis_installer_2

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	ETConnectServer.exe

Runs net.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2580	2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe	30
PID 2820 wrote to memory of 2580	2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe	30
PID 2820 wrote to memory of 2580	2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe	30
PID 2820 wrote to memory of 2580	2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe	30
PID 2580 wrote to memory of 532	2580	winvnc.exe	31
PID 2580 wrote to memory of 532	2580	winvnc.exe	31
PID 2580 wrote to memory of 532	2580	winvnc.exe	31
PID 2580 wrote to memory of 532	2580	winvnc.exe	31
PID 2820 wrote to memory of 692	2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe	33
PID 2820 wrote to memory of 692	2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe	33
PID 2820 wrote to memory of 692	2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe	33
PID 2820 wrote to memory of 692	2820	baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe	33
PID 532 wrote to memory of 2568	532	net.exe	34
PID 532 wrote to memory of 2568	532	net.exe	34
PID 532 wrote to memory of 2568	532	net.exe	34
PID 532 wrote to memory of 2568	532	net.exe	34

C:\Users\Admin\AppData\Local\Temp\baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe
"C:\Users\Admin\AppData\Local\Temp\baacdf22042a8c366b12cc0db7b0b9138b3a95a062a000d344f0b62be46059b8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\net.exe
    net start "uvnc_service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "uvnc_service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2568
- C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:692

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2284

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2528

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3048

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2932

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:988

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2968

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1264

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:896

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2908

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1700

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1496

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:736

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2628

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2012

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2724

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1656

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1528

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1256

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1580

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1636

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1524

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2628

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1608

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe

Filesize
49KB

MD5
ba106429ad90a831e33c3f5446c59162

SHA1
837c576971ec4f6bdfbefe80437370f1a10100a0

SHA256
49734852249278a7c2fc2e39a6e1a501f1606b9e7696c281ff4e4a5c15df1ed5

SHA512
1e823216918d9e583d7046a111f3b3828f65e193254263cac29ed320b119150ad9492f134c6233e03b19ca7a2e2a4aeda4f45c01b4ac114cafff4f9361f68d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9C70.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9C73.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
192d85d6d51c29cbbea0da1194e37cbc

SHA1
8a9139dd94211ac7c704d4c06a575b80b141e14a

SHA256
fb6f4ba8521153e55ecf5727b1907ce9ad3e450df7c8f9755d6d3464a2708b4f

SHA512
aca134d01c9bde644ced94bd656190d520d6795f8cba8d817d0a02a3e32552b9154f4c973f94f535341c2f70f2e9c4070801c264b63a106c22510ca6d3dc7876

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0112e7c1c9e857b357683ef1bfc566af

SHA1
e9c7a878a6323290cbf3de21b9e530de86d5b3b3

SHA256
d944ac0d8701ebe0240bb0cff072d9404eac43467ef97d3e7d1c8af58471bc37

SHA512
1f91db386856042e8727c1e588d3ed1142cb36bdeb6c0883ffeb7d978841b78dcefc0afea83aad7a0f024756fae175022ae591fe9579dec82b2ee529da6fbc7c

Download Submit
C:\Windows\Temp\CabA67E.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404

Filesize
69KB

MD5
d5e6defaad50f11e32da8fa8a39ffe95

SHA1
f4f2cb83dab549ff39ec598cbb815971665f7530

SHA256
2038cdd54cc377f811d3b11a8256163e0f0df21b66cae82bbd4941809a9ef5c7

SHA512
0389844b180b9f0d53696bcd69fd30793e64742c70c7f7097e482fa4d0760f1946d4fe0c674695f7cfba646ea046b1d0396dca62ecd0d22f2f63759670b80e25

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
1KB

MD5
d4babba7cf1ab726842bf95fcee4b433

SHA1
001f8a2ca0c99e85b93386a2433f8b8a95af16b1

SHA256
ce836583c2821f48ebfb718557efc1ba5a5eeaad413030154f372fdb188371bd

SHA512
fa741efb5c3c5fbfe7d5d315c775bd52968131d6161010000b94ddbfac01a458738296bd5d71e6395d10a612ecbf6523bca812d27cedfe5133b166903d460fd6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404

Filesize
300B

MD5
aa36e1e86da529f975483ef1df60e7e7

SHA1
9cfe1a16553ff93e0c6dc1d00ad90aa337f26d8c

SHA256
dd9c861bfe2b365bc773c9f35668bc0e34d75b348530b8d79f7bb46ca8bdbc42

SHA512
bef4e8a74c47473d682e0c70510b794a4d737138d5ce07ac1c91941c500c1a1cd15775143cf62050d3a968445eaa9d43ae3be0bab6b6bc892294e8229064fd80

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac580a34ff8dd5ec814ca7cc489c744f

SHA1
f093e1f91a94447cd1da323f0ea57d84b55de34c

SHA256
134b12823d9cb93a683a6dd5a19dcb8399327eebb51209146bc702ed83c63d22

SHA512
2de278331387f5302644f12f0588a0d75fa66c578693911f71f188407a52455cbfeeefa50f16a229e37c700301ee8e55440600bf045868ce48c6ba8c3f2bc7db

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5c68b7de7da7ffcac2e4d39977a4ee0

SHA1
7a28b09fdf58fbbb0127d6e5f9fae0e21fc70303

SHA256
a0699f95f972f4f8fc5d3fa52907ea9978508bf4eff9cada608a888552b9e3d7

SHA512
57b5168bbe9af33294addcb7b3b1837835e9cd7ca4e40142f7a0ca5bf39b7c33d2b005f54bb7859099132fd8c4d4a72c29b4136df4306997eb56169e7019ad42

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5943a0f0c9e2ed0142fc3a1b090f0b8

SHA1
18cc654706e3acd9b09ed00171d36df0fd3c6f45

SHA256
ca246942c41e832126707725c5bf9bbafa68ee6e97f48132e95378cc35969114

SHA512
b2e6f9e5610413591badd76765012cb0c240028908e87d2fd9890d379017dcd93f2e3048429cb17579960e3c5962441c30dc8820961aa4ee5aef1f496c871dd0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
782f28c8e645a19b63e34e82dc398604

SHA1
e5faed02ddf64b524fd96bb799213ff5bda9fbd1

SHA256
5d15525388e5628321cd7e51e39d9e68cc7f2f568dd2e1a23d2a8353534bf460

SHA512
0e373b1ab9d49745c3699ce822f19c33d5fdd1a6ef5b8ccce15a68c8eff600d85248bc5ed6683fb1b2cce48791b6271fa4dc063ffbbb62c8599d943a5fc9efec

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f68849e78225c4d08b7bed534ed6ff08

SHA1
e8ab4358da96af4043d16903acafcef6a859127d

SHA256
b57bc597f03c544b6b325e17775543bf7e6c635ded917a916be402f4c28c8aa6

SHA512
0c32d41de2b5f56ae73ef51ea49b3841b3b4a4994072c747dff2d46edea2994a3dc80475e5b80ef37cdc303da56c648856c9426d0f3ba25a3ab82c04538b0614

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf6a32f28e7e687f6827f4a3c591bc3c

SHA1
4381fd52fb0f0f8f8ca9603ef89701cff4b117a2

SHA256
a7973ef2f87353c4ba1934bcb8fd123ce580d29b60f82bd1cc52e35b657e0fd9

SHA512
facdec528e0f86de1519604031649c6dd14ea46fe58bd4e5c0e3122a58b753f835b7f3af95121c8813cb5bc92434e495c091c624f6c5a0e13ea96c4b13c8f4d4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c34185bc6ad1242cf15e80beba9c9c7d

SHA1
52b5be0b4ec84017e04a106838a2a882f5bf8724

SHA256
77487e1830fff1f79a7c55409cd75d8e5fb75ac43dc51f8e5f84386ae032500e

SHA512
91a0ab45b437ddbc49b515a78a4968dba2b3b96029a930b4aa3e45912bf85145c8bc7ef7407f327a7c89c1d3da9779c99315d11d2259961dd0f2b7a170bed60e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e065a9504b53dac745a933b3759d673

SHA1
509648ff22437cd286e1360dae4ec0b27ffcb77c

SHA256
c18b9ca3e379e90dc6e69c1260c79222cada1040f76df74c92851f59f35a562b

SHA512
768a30ef3a6beeae143a3fc039906202b64a4d88dbc31200868d07fdd8ec57e01c07eb6d9780a83f235b0b01d5c1f81bbd69ee1cac874b03ffa27c167204394d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbf3f06fafcb1830f3d99725197668af

SHA1
b357c391ceaf1a215f2924ab80f768559deca70d

SHA256
f922ee435308dcebeda8ddbcaf5551b11bff02c4f404e4c11291e747e0533176

SHA512
996be9aa8ba2b3b026436ff94ab0247615c9cb2a290501488d20f2f77683ede1709333c2cbb54ebbff2bfe6bae4ed77e6232cfec57c7cb4eec6c6fba435b081b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf919f58f4cc61f8ab84da438ac5be67

SHA1
ed241c08d7a23c0db542d3eb05e84061d5d46cb1

SHA256
2306ae5ac30505c0bc83b97c3baae543c4a4f9269477b09a72a99771197a4795

SHA512
ec89cc4481d15d8fc2e33b35d6edc285099975a105697ba2438822e489e45eeacd9e68d61504087278a201b2a687adaf2382311d94390dceb59c715d45533a4a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2d0f94cf038d838bd4ddd632fe12289

SHA1
2ee62b0ae5fefdd316d2e8a89fb81000b8998e4a

SHA256
dad75d1a1a0790bc1add91a5e094d884bfa56cf76008bb679a98e00197615a44

SHA512
ef03fe05cd776bbc0e62befffd73da2252091f176e4472bb058649e7d9964e7d04afdb012ff3e3261711f19a2dc4fc7c40790bc1cb6a208cfd07f7fe12135834

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acdae8849dc1795966e005f1b688c657

SHA1
05df1fef9b5c0498772325ce03cdfb8f4e1ccef0

SHA256
73103fc9ac50ae0f330485c7e31d200b9801070af9cf5caa3d7d43d955b0cf41

SHA512
7ce4642a17716aaa807410461bb44c5586244e95f84446d56ac7870d6dc0c406ff6aa2e0628e69d725db428911dfbb0edb5d9c71330fd3ee2a31f3b6903f08ae

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51dc2d728ffa671dbc503555069bc61f

SHA1
8bbd7898a9460f36342b52896a4fc0d62e6220f0

SHA256
0558b441a162cad9191c9d7995204de0b87f4f9272da976d2c63526dd457025d

SHA512
bc9959125301beadf78e64d77e362c471b1eeeb8a16954091c1a09f4f77522d9408edf78df6f11b3b75177431eb8c1b25241c1e63e248f893a2c416179b926b5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54d77e2d39c135281f5d75ad83dfbede

SHA1
e894586911ef060ae386ea693e52de6d0d2fd535

SHA256
0f77730f83c1e4dad861dc411b447cc9cbdb350cdc7430d16456317a75d2cb84

SHA512
87f2d7577f4b28ad55a40400a26900d7a7bf863562d6fb983ebcc694b3274b49f8b112a15470d87670234425b7ac33c92bd17c8daf9696ef713774ec86e96477

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
500B

MD5
b7ae94894949617e4de562675f59b399

SHA1
e3ee7aa27808c6d7428127721d32714927154bab

SHA256
a2b69d85d2affc0db5435d5e6a803f0af2dedc731cb1d49847c5c2a68229e86e

SHA512
fc6e5f963719bf416b4b9e0a8e68c58bff670de2a8d51fab0c25f48c8b88ad2f659c702ef1d177fc21dc94020ea97ab5437899558ca724499ada67683483c83c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
400B

MD5
c980f2bc641ec6c11a60b200334eddd2

SHA1
5b395ab8e213fc5925ee4bc0cb05acb7f046fe4a

SHA256
47310d7490a4e88051930f20631fa3e1ac9eb252f191db95e3e8acb6a2fc48c5

SHA512
0787fd23ce66480061662413e37260d31b404848f3262a7a08ccb540a30fadb8ede43f2ac35152b3eae760dd87419b39bf92614f389681910a52143d47ae28a0

Download Submit
\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe

Filesize
99KB

MD5
4986a56019bc459b3ab0c76d4cc12261

SHA1
48f308ec91d6d07e71a859d72c344ffaf232be92

SHA256
7417554d18b5a59936d83e96c7f83d3d030fa1ed0f70faa36099ba1bc309588a

SHA512
6aebf45b020b68c10d802cfebc8088a7194af4733c5f8c98c90eb16cfe3ca47764e50b0a565bf41033f3893b048dc339148c309057cc2698f3ced71a26d35804

Download Submit
\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe

Filesize
1.7MB

MD5
c77e369fcb8a75659035978e415e00a1

SHA1
0b58b5593a2718941828a9cd779fe1e7afc758a6

SHA256
f7d380fe1107d8fcc825bae0722da16293aabac259f49f1463fd8926be6dd353

SHA512
2753a751899e8fea977157c426200900d835cb0b63fa5b3f653545387a9658bc079f516f8326674f2b1d5479ad1a0af61f5d251b8dc95d17d5a723f49172ddfd

Download Submit
\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe

Filesize
92KB

MD5
868a941db98bdc0e5a886818d73a3881

SHA1
fe305c2a2d6a0f7863e395b44c3713bb273b9d44

SHA256
8e96347d00d379e42cffd00d771b22a8dd96a0d426d50473374f99e65b343391

SHA512
ceeab3d6fa68c911ff96a5be3ca904f3e558b1bacf6b7b5eb60fa2a351ec196e54700305f13576f7f1b98cc259f6f925ac4a590a4276e847bdd97aeb742e54dc

Download Submit
\Users\Admin\AppData\Local\Temp\nsj92A0.tmp\SimpleSC.dll

Filesize
59KB

MD5
52aaf305fba84b5107c453424df1864e

SHA1
9887f4bd7458e1a7724b90256c073492843841a7

SHA256
f41f1173b9d367bb6a085ff0b19d1273fc0b7dad32fedbb69b07240cfc9950c8

SHA512
9a05e7a2f62956bc46d2257496256606f40e7e78ca6199a80f5945f609e4c049a92c03d7b44d301a854a0bce32ff100ff6aa2b66d4fed649c2d90de95875dced

Download Submit
memory/692-414-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/692-50-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/2820-23-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download