Technical Information
Modifies file system
Creates the following files
- %TEMP%\vknobtrups_signer.bat
- nul
- %APPDATA%\microsoft\crypto\keys\cad4278bbe2300e223125400ed43daed_8cf7b530-613e-439b-a8c5-ccfc0e745400
- %APPDATA%\microsoft\systemcertificates\request\certificates\6a2eeeeb731158eb13584e05ed67e705fa9840e8
- %APPDATA%\microsoft\systemcertificates\my\certificates\9ddf1eb561149ba2f4b9821a0b0f04f1845fdd35
- %APPDATA%\microsoft\systemcertificates\my\keys\907a56413a9700c27051a25b698eb2971fddb224
- %TEMP%\temp_cert.cer
Deletes following files that it created itself
- %APPDATA%\microsoft\systemcertificates\request\certificates\6a2eeeeb731158eb13584e05ed67e705fa9840e8
- %TEMP%\temp_cert.cer
Network activity
Connects to
- '<DNS_SERVER>':53
Miscellaneous
Adds a root certificate
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VknObtRuPS_signer.bat" "
- '<SYSTEM32>\timeout.exe' /t 1 /nobreak
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=FKPzeEPBKi' -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(1); $cer...
- '<SYSTEM32>\svchost.exe' -k LocalSystemNetworkRestricted -p -s NgcSvc
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\VknObtRuPS_signer.bat" "' (with hidden window)
