revengerat | dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93

Analysis

max time kernel
111s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
Size

2.1MB
MD5

0083bb621656471496f60d1973318730
SHA1

2d0209b0f14a8279efd85589dfb33b9b31fab77e
SHA256

dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93
SHA512

178833c13dee9466e2c8123280fb203c07b13831b1711d4687ce8495c28f1160c7a893c9a5d6a6874d6f44c1c21e5fb571221824248f13f9bfc3f08f61f3d28e
SSDEEP

49152:PhxkP/I9K3pr4ZCOz5xLmKot5C7UzaxVlHAlImt4+O5XK2v0uV+g:AoQ3V4IGxLmKK4PA6E1GXzM4

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe	revengerat

Executes dropped EXE 29 IoCs

Processes:

winvnc.exeETConnectServer.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exewinvnc.exeETConnectService.exe

pid	process
2936	winvnc.exe
2812	ETConnectServer.exe
2744	winvnc.exe
2584	ETConnectService.exe
3000	winvnc.exe
2892	ETConnectService.exe
368	winvnc.exe
588	ETConnectService.exe
2340	ETConnectService.exe
1632	winvnc.exe
2224	ETConnectService.exe
2260	winvnc.exe
1820	ETConnectService.exe
1332	winvnc.exe
2388	ETConnectService.exe
1388	winvnc.exe
1984	ETConnectService.exe
2260	winvnc.exe
1704	ETConnectService.exe
940	winvnc.exe
2916	ETConnectService.exe
832	winvnc.exe
2212	ETConnectService.exe
1984	winvnc.exe
2640	ETConnectService.exe
2620	winvnc.exe
2288	ETConnectService.exe
3008	winvnc.exe
2112	ETConnectService.exe

Loads dropped DLL 7 IoCs

Processes:

dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe

pid	process
2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 22 IoCs

Processes:

ETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exeETConnectService.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	ETConnectService.exe

Drops file in Program Files directory 20 IoCs

Processes:

dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe

description	ioc	process
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authadmin.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logmessages.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\workgrpdomnt4.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\ldapauth.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSLogonACL.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Readme.txt	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SCHook.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vnchooks.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\authSSP.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\logging.dll	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\vncviewer.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\License.txt	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\MSRC4Plugin.dsm	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\SecureVNCPlugin.dsm	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\uvnc_settings.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\Whatsnew.txt	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
File created	C:\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net.exewinvnc.exewinvnc.exewinvnc.exedba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exenet1.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exewinvnc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winvnc.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe	nsis_installer_1
\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe	nsis_installer_2

Modifies data under HKEY_USERS 64 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ETConnectService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ETConnectService.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

ETConnectServer.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb2819030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d461d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67080b00000001000000140000005500530045005200540072007500730074000000140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8090000000100000016000000301406082b0601050507030306082b060105050703080f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	ETConnectServer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	ETConnectServer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	ETConnectServer.exe

Runs net.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exewinvnc.exenet.exe

description	pid	process	target process
PID 2528 wrote to memory of 2936	2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	winvnc.exe
PID 2528 wrote to memory of 2936	2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	winvnc.exe
PID 2528 wrote to memory of 2936	2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	winvnc.exe
PID 2528 wrote to memory of 2936	2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	winvnc.exe
PID 2936 wrote to memory of 2772	2936	winvnc.exe	net.exe
PID 2936 wrote to memory of 2772	2936	winvnc.exe	net.exe
PID 2936 wrote to memory of 2772	2936	winvnc.exe	net.exe
PID 2936 wrote to memory of 2772	2936	winvnc.exe	net.exe
PID 2528 wrote to memory of 2812	2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	ETConnectServer.exe
PID 2528 wrote to memory of 2812	2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	ETConnectServer.exe
PID 2528 wrote to memory of 2812	2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	ETConnectServer.exe
PID 2528 wrote to memory of 2812	2528	dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe	ETConnectServer.exe
PID 2772 wrote to memory of 2224	2772	net.exe	net1.exe
PID 2772 wrote to memory of 2224	2772	net.exe	net1.exe
PID 2772 wrote to memory of 2224	2772	net.exe	net1.exe
PID 2772 wrote to memory of 2224	2772	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe
"C:\Users\Admin\AppData\Local\Temp\dba8e948206d56025bdbf1471cf7a2defc33fbc2bbde0c5634361d661d67ab93N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\net.exe
    net start "uvnc_service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start "uvnc_service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2224
- C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe
  "C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2812

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2744

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2584

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2892

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:368

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:588

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2340

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2224

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1820

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1332

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2388

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1388

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1984

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1704

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:940

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2916

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:832

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2212

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1984

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2640

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2288

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2112

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
PID:1564

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe"
1⤵
PID:2284

C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe
"C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe" -service
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectService.exe

Filesize
49KB

MD5
ba106429ad90a831e33c3f5446c59162

SHA1
837c576971ec4f6bdfbefe80437370f1a10100a0

SHA256
49734852249278a7c2fc2e39a6e1a501f1606b9e7696c281ff4e4a5c15df1ed5

SHA512
1e823216918d9e583d7046a111f3b3828f65e193254263cac29ed320b119150ad9492f134c6233e03b19ca7a2e2a4aeda4f45c01b4ac114cafff4f9361f68d46

Download Submit
C:\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe

Filesize
1.6MB

MD5
0983c0945f7481596b92acacb51b92ad

SHA1
09c15b1202f455e42d95559cc7dab64dd1309a2d

SHA256
c58a604712e6edae87d00541c3dfc2d630ed993db93aad7c1dab902081e64dc5

SHA512
ec7de461e0978c8a8b61ec6e6d5a915cf89168af407c4e44bf91f4a23d24a2bc9428a5057366fdc7edd51c29ffc35d331d76d05fda97d0739f447aa96c1bf816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0591f50237b4bb715252be72555d0742

SHA1
2456174095173f4fe3b9dbef6fa0d08f349e0aa2

SHA256
1a960366a546149532fa8ed5d50be92f094fd8dd5c40adea67b3d6fd438eab39

SHA512
dec41d7f4ce85bf34eabe5b4bf74819720c7204d7109ce7e6b365fd0a7390ceaf3d0c2ac1d0325538f596ec9fdb9505adb85a62a09a63e0634fab9abf0dff7bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB82.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDBC4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
6cfc936b757f542dd256eb868498dbab

SHA1
f8b99b82be866906065f1ec0c16d841bdeb91489

SHA256
c89110a35383efa7f55540ae2915b207a125864385b552978ba8eedf3be6478f

SHA512
0019b4a3e2be2dffd4ad914613e65e0c392fbe2d033f1d9194ef23ae4cfea1c0f0a0d3a08168c5a1b7072fc41e46b19bb6314d82028f9309bcbbe5c843ac6038

Download Submit
C:\Windows\Temp\CabF910.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404

Filesize
69KB

MD5
d5e6defaad50f11e32da8fa8a39ffe95

SHA1
f4f2cb83dab549ff39ec598cbb815971665f7530

SHA256
2038cdd54cc377f811d3b11a8256163e0f0df21b66cae82bbd4941809a9ef5c7

SHA512
0389844b180b9f0d53696bcd69fd30793e64742c70c7f7097e482fa4d0760f1946d4fe0c674695f7cfba646ea046b1d0396dca62ecd0d22f2f63759670b80e25

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
1KB

MD5
4bb5de919803c626b842db0b6274363d

SHA1
d037b69859c962e2ce774fa918f2db3f570f2142

SHA256
ae2ca8ab288f108444fab761c9a66b22eb817f2345a205cd99ab1b29b8a73b4f

SHA512
e435abf141fe4b182fecad68020d53cc848494ec1b2da09293a1b361e3770a605fd7cbece89211b0e4efe6b906c451536819d41c0253f8bb37d5a8826be3ac21

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404

Filesize
300B

MD5
a825687c6b71fac3ea009a9973174096

SHA1
a01da2fd96589e201c6f0bdaabec7b56ebe1babf

SHA256
0dcdbcac2ef24dd4e42dc4581226941e63323af1eaba5fb5b6676000d88eb3bf

SHA512
63f94496a94f81b96a03a6eb87eb000c45d06c09308a01d9c074c917765b799da7f9716ac919414307e9317ceb6c5eda920e20b8057f65254ba8c835460aba48

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e44aab366ade7828040f2ee984abdc9b

SHA1
69e81d8f9a1647e58c6cbdbcaa8f96b6478a98eb

SHA256
6c543f9ae9cdcad597c474fdafaf4b20422f424a18936f2f1c3cbe0aba40972a

SHA512
6eb8a4a40ec0c3acf646dd122ee66b648dbb95300f13325457c0a47161c9438c7e05f14c8f87d72cc98339d39004ceb296023c1de804b9d6c7b218705351a108

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
510c66d4a86831fe0c70c6c9ff3b0164

SHA1
5240346b0d739bd93e7eec9e057c9bf6a64da5e8

SHA256
993a1100e13359283e053e8c14141ab739d3ddcbe0b7eb751ecb2443d15109fd

SHA512
cf96953812bd5c36bf33d9939d15c48325b923c27013efde8824a4dd246d3db306abfe6238cd4c602a0b3928beff46ccc968995ab3b2344db7c167d678cb3d55

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80fbd7b38afcad1beaba05ec5a15025a

SHA1
ec3cf6d2fe7392ba4d00c39e2c9a2ab8018fba6f

SHA256
e765e3c5ac513e949cdd9a6a7b2e1d52dcd42f6eda394772f2935a6ff6cc8f48

SHA512
4f7bd7a7c9b485ee1c80b38ade31dc4487083aefa6d89699a5e944e06108b037e0d27b7cea4caabf0c0e809179212429c33136a05fb13196a822e34560560d36

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd0d84c2831ed7190f45d0e5c685ddd4

SHA1
c8d47d0986640d4e208909b7fb9f118431bff4c4

SHA256
c4a373c9e60050009ffa14fcecee36e33fdc4720fafa52be7acd9007daa4c189

SHA512
e8f0206ab62e85696d36cae6f79b803aa14c6bf873a5b82759a2f92c6e16eda8b89595e7badb578c46a4b6c6a513d8abd492e5e23913599084cfb0487d501207

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e3dd565788ab9069590576683034acb

SHA1
feefb085984c3f2725ade4c054b84a5f5f41ee39

SHA256
1f0d4e4a5743896c24e0433bb483548af25a77ca05a76faf50c2ddc25a7f6eaa

SHA512
c022c59ce3ddf6f83aa1a1f0f9b3a0786f0eea1bb8e92605c9607344467c71c7a81427a36b4c9e86d1e2d404b4e9f81e62a5b372fc17015448a91a3fe9607154

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fedb50a821d100a750fe60ee55941f6

SHA1
8b970a5f16419b610ea4b6d2051dd7290f52f8d2

SHA256
87b7723ac1ce2a519cfddd2971e28479e641a1d708bfa4b600c68daa161820ec

SHA512
6b70b30c46352302de0f3e5204156932023ff057b560bce0ced7944143420982a9da86f8cdf4825d755e247918c2191e0665f02f9f1816dcb25168238054480b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f75015cae0f627b9da75eeffd2e563b

SHA1
517a1bd856c4862023ecf69ece11d8d2170ab7ce

SHA256
a238eb8c4bac5ce711bc4de5b1bf385e04873a3bc7f28fc659eae9471cbce387

SHA512
848903725638f09bfbab2dbdc57f61bfdaf0b185fd4ed179fc75d8d13016e5f14e1825d2ee521ab403ea220b3e9fc9c3240dd58a78e86b65fc968cd69edb1f76

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
873ea2330ac7b66a92dc47b7e8591209

SHA1
e1c56c81715d1ae8822ed66338472c8cdf18dabf

SHA256
d0693f04091c5d6963b8f00c531d74e5a07f96afb7d9c2d5b74e2d57931bc958

SHA512
b7956a88f9009ee2571fa0c9821e5cf43086b6bedb4f7126bb98962d64bc4317ce348d515fdba3613a2a457f15be5ce2df81ebcfbbc9eebb00014edbe767d3e1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe9ef56955ec2c02cb6e237ece034da2

SHA1
5266e2ee608acb0db69f2273600bfc5670dd48c2

SHA256
59d61b5804dacabed070811c72f98a2c1739ec9c62e4bc75868679727b1eba8f

SHA512
8df3a430f2d3fe2b08c7e3a5270ab55285ec7ba63eab6852ab95ef6e732ecffbe3851900a2e519c1569c79767ff5b7dde69217f3d98ebc58054acba3a4fb4b7c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1cbda86daa3eca4f18340081089bf6a

SHA1
f9a98facf85c505e9460a3e5968015843a70d8a3

SHA256
952ce36063249145f13d9fe9733a99a10cf54975a94220d2823de6563cdf6dad

SHA512
f02b29d9bbfec631743ece6b39b1a584f1fa99d52f8ee40bdd20f57a366f5afa607f0d9b68ea5944160aa2f5daa1b24aa02db80daa54f27a11be5f74cceba880

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a12b1b3e2063aea5d674416265da5523

SHA1
c2e137ebde1c8905c94b56c37011d5fb705239ec

SHA256
3a9c93f022a0e5a1900bd4c87e147331d1fb22667e0691969af70197c11b79b8

SHA512
cff411cb4dbbecc18170a7a9947c3e0fb8d68a0284bae90e86b6b0a5be54d72b65b8366765386077b25fd55587031d17e4985eb4efb2b12bf5f1ce142e937a42

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c255f32a74a25e203b0b79211eb7fad

SHA1
373172c76560cb5500cacdef9c93c309d7b3c173

SHA256
1974ccb3865256eba56ddbc2d3f0def0683a1f3c726ad18e8e1ca0c38e54ffd4

SHA512
e9a1176216c34b1b482a3967f8e557835b287d60139ac6bd8636a318c45a1d3c65a0933cf7c86937fe29551953ff6ec05cca87f292530f0fd501d8752a5791fb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc7bbfdcaa0b602fbbf248dfdc59747a

SHA1
692857e81823de92b24f859ee0a6421be74210d6

SHA256
c49351356bfb17a236c7cbe54d9649e44e886762e377efc217df2331fc44feae

SHA512
8067b50ac688688c072c569a845bb8c18db0c0b388b7e0567bd34f05089f9e1b59793327b54f063f3c472ca405e7f8270cec7d04b6579353b46815b40446a595

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50ef7e53134c89e8108c96bb0fe3e8ab

SHA1
388872d3e6716036a9d2c818464fd9347964d343

SHA256
a5b1e41d8a9c2754005eaccd1a3146dc8a886faa5fbedcc546323ceec1a14cf6

SHA512
98643145c4b9dec0464a051066158ca8d9e75ceaa5e23a4f8e4eb8c6295be62e51abce913b7236b42df26790bc844ea8e31b76e10da4fb1dedfea4d0d208578d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

Filesize
500B

MD5
04430556c478368cf7ddcc421e73d25d

SHA1
5c81c225a0c82f239e6622e63105e70f620c4482

SHA256
3142b2a15067bcd44c71ef07de6b0de0ee169879267543bf763d3a98f5b4e4c2

SHA512
6c75503dfe2ff7a903866079e5039716375141e35469160fed64ee96559bbfacd032a98ca894e49b16d52da758e7a7bcc95f79dd67da9af510d14c8cca62cc26

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_56782B60EBD33D72B102F2EB4D58E017

Filesize
400B

MD5
0f87b2c8ed45a4239a69b335e1a2de1c

SHA1
cd526fae8e67f084cf9281f9a34161159518d9c9

SHA256
777c1253552f3f33d8280a48f7020f5a6b8815082e320f16c761ea7d94f8bae9

SHA512
a36f40c3283f2e4127ea9c4815c5e18969ad17d77efcdcf2b782fde13fe3d06d29635cf71e12e6d76d5acea2f9a1e3d88266f4d1367b9683df36c146b7cd6140

Download Submit
\Program Files (x86)\ExecuTech\ETConnectServer\ETConnectServer.exe

Filesize
99KB

MD5
4986a56019bc459b3ab0c76d4cc12261

SHA1
48f308ec91d6d07e71a859d72c344ffaf232be92

SHA256
7417554d18b5a59936d83e96c7f83d3d030fa1ed0f70faa36099ba1bc309588a

SHA512
6aebf45b020b68c10d802cfebc8088a7194af4733c5f8c98c90eb16cfe3ca47764e50b0a565bf41033f3893b048dc339148c309057cc2698f3ced71a26d35804

Download Submit
\Program Files (x86)\ExecuTech\ETConnectServer\bin\winvnc.exe

Filesize
1.7MB

MD5
c77e369fcb8a75659035978e415e00a1

SHA1
0b58b5593a2718941828a9cd779fe1e7afc758a6

SHA256
f7d380fe1107d8fcc825bae0722da16293aabac259f49f1463fd8926be6dd353

SHA512
2753a751899e8fea977157c426200900d835cb0b63fa5b3f653545387a9658bc079f516f8326674f2b1d5479ad1a0af61f5d251b8dc95d17d5a723f49172ddfd

Download Submit
\Program Files (x86)\ExecuTech\ETConnectServer\uninstall.exe

Filesize
92KB

MD5
868a941db98bdc0e5a886818d73a3881

SHA1
fe305c2a2d6a0f7863e395b44c3713bb273b9d44

SHA256
8e96347d00d379e42cffd00d771b22a8dd96a0d426d50473374f99e65b343391

SHA512
ceeab3d6fa68c911ff96a5be3ca904f3e558b1bacf6b7b5eb60fa2a351ec196e54700305f13576f7f1b98cc259f6f925ac4a590a4276e847bdd97aeb742e54dc

Download Submit
\Users\Admin\AppData\Local\Temp\nszCE0A.tmp\SimpleSC.dll

Filesize
59KB

MD5
52aaf305fba84b5107c453424df1864e

SHA1
9887f4bd7458e1a7724b90256c073492843841a7

SHA256
f41f1173b9d367bb6a085ff0b19d1273fc0b7dad32fedbb69b07240cfc9950c8

SHA512
9a05e7a2f62956bc46d2257496256606f40e7e78ca6199a80f5945f609e4c049a92c03d7b44d301a854a0bce32ff100ff6aa2b66d4fed649c2d90de95875dced

Download Submit
memory/2528-23-0x0000000002310000-0x0000000002323000-memory.dmp

Filesize
76KB

Download
memory/2812-50-0x0000000002190000-0x0000000002210000-memory.dmp

Filesize
512KB

Download
memory/2812-312-0x0000000002190000-0x0000000002210000-memory.dmp

Filesize
512KB

Download