1c3d30d7637b1a6fb648b1cf1de6c7a8375337327cd243f87d525c109554db7d

General

Target

PO570943.exe
Size

850KB
MD5

15b8b9017505c2a13e8a513e9a92b3e0
SHA1

587304393a857e9f8feef26b5f44ac9d4cac5827
SHA256

1c3d30d7637b1a6fb648b1cf1de6c7a8375337327cd243f87d525c109554db7d
SHA512

7379421656a6640668399d8edb46bb34f6bbe386c50abc6fa07cf6c485dcba928a2a9a679234c6cecde34c7852ebb5698172caba6d0c7eb327872e417c28b84a

Score

8^/10

evasion spyware trojan

Malware Config

Signatures

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

PO570943.exe

pid process

112 PO570943.exe
112 PO570943.exe
112 PO570943.exe
112 PO570943.exe
Loads dropped DLL 4 IoCs

Processes:

PO570943.exe

pid process

112 PO570943.exe
112 PO570943.exe
112 PO570943.exe
112 PO570943.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1828 AcroRd32.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

PO570943.exe

pid process

112 PO570943.exe
112 PO570943.exe
112 PO570943.exe
112 PO570943.exe

pid	process
112	PO570943.exe
112	PO570943.exe
112	PO570943.exe
112	PO570943.exe

pid	process
112	PO570943.exe
112	PO570943.exe
112	PO570943.exe
112	PO570943.exe

pid	process
1828	AcroRd32.exe

pid	process
112	PO570943.exe
112	PO570943.exe
112	PO570943.exe
112	PO570943.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PO570943.exeTemp5900785.exe

description	pid	process	target process
PID 112 wrote to memory of 1828	112	PO570943.exe	AcroRd32.exe
PID 112 wrote to memory of 1828	112	PO570943.exe	AcroRd32.exe
PID 112 wrote to memory of 1828	112	PO570943.exe	AcroRd32.exe
PID 112 wrote to memory of 1828	112	PO570943.exe	AcroRd32.exe
PID 112 wrote to memory of 1868	112	PO570943.exe	Temp5900785.exe
PID 112 wrote to memory of 1868	112	PO570943.exe	Temp5900785.exe
PID 112 wrote to memory of 1868	112	PO570943.exe	Temp5900785.exe
PID 112 wrote to memory of 1868	112	PO570943.exe	Temp5900785.exe
PID 1868 wrote to memory of 1628	1868	Temp5900785.exe	Temp5900785.exe
PID 1868 wrote to memory of 1628	1868	Temp5900785.exe	Temp5900785.exe
PID 1868 wrote to memory of 1628	1868	Temp5900785.exe	Temp5900785.exe
PID 1868 wrote to memory of 1628	1868	Temp5900785.exe	Temp5900785.exe
PID 1868 wrote to memory of 1628	1868	Temp5900785.exe	Temp5900785.exe
PID 1868 wrote to memory of 1628	1868	Temp5900785.exe	Temp5900785.exe
PID 1868 wrote to memory of 1628	1868	Temp5900785.exe	Temp5900785.exe
PID 1868 wrote to memory of 1628	1868	Temp5900785.exe	Temp5900785.exe
PID 1868 wrote to memory of 1628	1868	Temp5900785.exe	Temp5900785.exe

Executes dropped EXE 2 IoCs

Processes:

Temp5900785.exeTemp5900785.exe

pid process

1868 Temp5900785.exe
1628 Temp5900785.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1828 AcroRd32.exe
1828 AcroRd32.exe
1828 AcroRd32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Temp5900785.exe

description pid process target process

PID 1868 set thread context of 1628 1868 Temp5900785.exe Temp5900785.exe

pid	process
1868	Temp5900785.exe
1628	Temp5900785.exe

pid	process
1828	AcroRd32.exe
1828	AcroRd32.exe
1828	AcroRd32.exe

description	pid	process	target process
PID 1868 set thread context of 1628	1868	Temp5900785.exe	Temp5900785.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

PO570943.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	PO570943.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	PO570943.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	PO570943.exe

C:\Users\Admin\AppData\Local\Temp\PO570943.exe
"C:\Users\Admin\AppData\Local\Temp\PO570943.exe"
1⤵
- Suspicious use of SendNotifyMessage
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Modifies system certificate store
PID:112

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp200423-2020501-pds-ostrichoo-ffp2-rdy.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Users\Admin\AppData\Local\Temp5900785.exe
"C:\Users\Admin\AppData\Local\Temp5900785.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1868

C:\Users\Admin\AppData\Local\Temp5900785.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp200423-2020501-pds-ostrichoo-ffp2-rdy.pdf

Download Submit
C:\Users\Admin\AppData\Local\Temp5900785.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp5900785.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp5900785.exe

Download Submit
\Users\Admin\AppData\Local\Temp5900785.exe

Download Submit
\Users\Admin\AppData\Local\Temp5900785.exe

Download Submit
\Users\Admin\AppData\Local\Temp5900785.exe

Download Submit
\Users\Admin\AppData\Local\Temp5900785.exe

Download Submit
memory/1628-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1628-12-0x000000000040C62E-mapping.dmp

Download
memory/1628-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1628-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1828-0-0x0000000000000000-mapping.dmp

Download
memory/1868-5-0x0000000000000000-mapping.dmp

Download
memory/1868-10-0x0000000000000000-0x0000000000000000-disk.dmp

Download

Analysis

Sharing