523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3

General

Target

523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe
Size

208KB
MD5

41c860f6170bfec4e64452470328df07
SHA1

650ae39c8a280e864899b6ca9a0e155bf450ded2
SHA256

523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3
SHA512

0cf116be3e1f5c73f7d820a47cdee3bcf8ed3fe30b19334cd9dbf469f442304d48b6b325fc054dee1fbd64e97c623dff7c59b6b9b7d93c0010a07f7881b25fa5

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
suricata

Executes dropped EXE 2 IoCs

pid	Process
1248	usku.exe
432	usku.exe

Deletes itself 1 IoCs

pid	Process
856	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe
980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\Currentversion\Run	usku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F912CD81-9941-9439-AF8A-D4DF28349A90} = "C:\\Users\\Admin\\AppData\\Roaming\\Xuwey\\usku.exe"	usku.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 360 set thread context of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 1248 set thread context of 432	1248	usku.exe	29

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	usku.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	usku.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe
432	usku.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
432	usku.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 360 wrote to memory of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 360 wrote to memory of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 360 wrote to memory of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 360 wrote to memory of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 360 wrote to memory of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 360 wrote to memory of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 360 wrote to memory of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 360 wrote to memory of 980	360	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	27
PID 980 wrote to memory of 1248	980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	28
PID 980 wrote to memory of 1248	980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	28
PID 980 wrote to memory of 1248	980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	28
PID 980 wrote to memory of 1248	980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	28
PID 1248 wrote to memory of 432	1248	usku.exe	29
PID 1248 wrote to memory of 432	1248	usku.exe	29
PID 1248 wrote to memory of 432	1248	usku.exe	29
PID 1248 wrote to memory of 432	1248	usku.exe	29
PID 1248 wrote to memory of 432	1248	usku.exe	29
PID 1248 wrote to memory of 432	1248	usku.exe	29
PID 1248 wrote to memory of 432	1248	usku.exe	29
PID 1248 wrote to memory of 432	1248	usku.exe	29
PID 1248 wrote to memory of 432	1248	usku.exe	29
PID 980 wrote to memory of 856	980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	30
PID 980 wrote to memory of 856	980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	30
PID 980 wrote to memory of 856	980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	30
PID 980 wrote to memory of 856	980	523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe	30

C:\Users\Admin\AppData\Local\Temp\523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe
"C:\Users\Admin\AppData\Local\Temp\523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Local\Temp\523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe
  C:\Users\Admin\AppData\Local\Temp\523580b16e141809cb5c874e3436d5545e46d364d9d2d67cfc2758fe6a4f92a3.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Roaming\Xuwey\usku.exe
    "C:\Users\Admin\AppData\Roaming\Xuwey\usku.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Users\Admin\AppData\Roaming\Xuwey\usku.exe
      C:\Users\Admin\AppData\Roaming\Xuwey\usku.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      PID:432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpef1dbabc.bat"
    3⤵
    - Deletes itself
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpef1dbabc.bat

Filesize
307B

MD5
2e5296bed0938ede7d6a76aaf8e8a1bb

SHA1
96b65a8a1ad34b5b93c64754f9996f9e5a88aa17

SHA256
682729f08292bc1a49ddb5f82ace159e206b00920cc6b95f15ca850456646281

SHA512
e4227d044a5d29bb3b996c25de7ec4108368d9171b7694868e47a079cce3576d45490c6056a6322560a85c81bb27f72e60f06bb15ffe2de40f8b5d7b49d4e91f

Download Submit
C:\Users\Admin\AppData\Roaming\Xuwey\usku.exe

Filesize
208KB

MD5
7bf91a0ab1935e2dbec7a4f51dae7cea

SHA1
24ecbab9f4ab84aff84bd52c3f3ae5f5c437f438

SHA256
fafc11273a48ad1765635f4653cee1c7e8df900df9f724cb853d50f73e688396

SHA512
f9d2718896512a7914054aec81abe38b001ea364d98e59e6166ed195a1fe4d50af3fb6b8f4f848252f3caf49a7f8c9d104665580d17795d62d67eb6b63cfc5e1

Download Submit
C:\Users\Admin\AppData\Roaming\Xuwey\usku.exe

Filesize
208KB

MD5
7bf91a0ab1935e2dbec7a4f51dae7cea

SHA1
24ecbab9f4ab84aff84bd52c3f3ae5f5c437f438

SHA256
fafc11273a48ad1765635f4653cee1c7e8df900df9f724cb853d50f73e688396

SHA512
f9d2718896512a7914054aec81abe38b001ea364d98e59e6166ed195a1fe4d50af3fb6b8f4f848252f3caf49a7f8c9d104665580d17795d62d67eb6b63cfc5e1

Download Submit
C:\Users\Admin\AppData\Roaming\Xuwey\usku.exe

Filesize
208KB

MD5
7bf91a0ab1935e2dbec7a4f51dae7cea

SHA1
24ecbab9f4ab84aff84bd52c3f3ae5f5c437f438

SHA256
fafc11273a48ad1765635f4653cee1c7e8df900df9f724cb853d50f73e688396

SHA512
f9d2718896512a7914054aec81abe38b001ea364d98e59e6166ed195a1fe4d50af3fb6b8f4f848252f3caf49a7f8c9d104665580d17795d62d67eb6b63cfc5e1

Download Submit
\Users\Admin\AppData\Roaming\Xuwey\usku.exe

Filesize
208KB

MD5
7bf91a0ab1935e2dbec7a4f51dae7cea

SHA1
24ecbab9f4ab84aff84bd52c3f3ae5f5c437f438

SHA256
fafc11273a48ad1765635f4653cee1c7e8df900df9f724cb853d50f73e688396

SHA512
f9d2718896512a7914054aec81abe38b001ea364d98e59e6166ed195a1fe4d50af3fb6b8f4f848252f3caf49a7f8c9d104665580d17795d62d67eb6b63cfc5e1

Download Submit
\Users\Admin\AppData\Roaming\Xuwey\usku.exe

Filesize
208KB

MD5
7bf91a0ab1935e2dbec7a4f51dae7cea

SHA1
24ecbab9f4ab84aff84bd52c3f3ae5f5c437f438

SHA256
fafc11273a48ad1765635f4653cee1c7e8df900df9f724cb853d50f73e688396

SHA512
f9d2718896512a7914054aec81abe38b001ea364d98e59e6166ed195a1fe4d50af3fb6b8f4f848252f3caf49a7f8c9d104665580d17795d62d67eb6b63cfc5e1

Download Submit
memory/360-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/360-66-0x0000000074EA0000-0x000000007544B000-memory.dmp

Filesize
5.7MB

Download
memory/360-55-0x0000000074EA0000-0x000000007544B000-memory.dmp

Filesize
5.7MB

Download
memory/432-92-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/432-96-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-56-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-94-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-72-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/980-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1248-91-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-78-0x0000000074D80000-0x000000007532B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads