f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe
Size

360KB
MD5

0d347ef94018fa95cb30820ce61f0d45
SHA1

ac953981f20f323b3a6148951dbc441608bdf5b9
SHA256

f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4
SHA512

43db5307590fffd7cb5e9f8f36e9a9785054f6186cc001f00de10e1c60e7a766a74967d90e69764105283a6a0d6bdb0d81b3b4a231058defe925d5b7a6ab6ea0
SSDEEP

6144:7jeBu0ndSdYCX6+9E8KgmYWfcpJuaeMBaYSi+neTg23J+y:7cndSdYY6+9E8KgmYWfsJEy

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe

description	pid	process	target process
PID 2224 wrote to memory of 2568	2224	f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe	WerFault.exe
PID 2224 wrote to memory of 2568	2224	f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe	WerFault.exe
PID 2224 wrote to memory of 2568	2224	f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe
"C:\Users\Admin\AppData\Local\Temp\f8e9936d8d5c19cc1eecf7175004f5223355d598e4834cb07cf2d03e0ae7aff4.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2224 -s 752
2⤵
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2224-0-0x000000013F650000-0x000000013F6B1000-memory.dmp

Filesize
388KB

Download