416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414

General

Target

416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe
Size

657KB
MD5

f1fb157ce9b7c6d4aef539fe915e8ee5
SHA1

1a3b96d6f33726c97da8d0c148662a5066d4c400
SHA256

416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414
SHA512

83120c27a5503003a19a4a696bcfd9fc4af5968b94d70f5f5410c5313e048cea71eb4b687b508f767ddca032f17b343b7d8e6ea169101ef41b329c0b540315b2
SSDEEP

12288:K/iSu68aZ2NHx8eBPh7VwwsaTyItetooaUt788+PJ2Cwwa7z:K/imXY5CeBkKM/ar1J2hwY

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

DropboxUpdate.exe

pid process

840 DropboxUpdate.exe
Loads dropped DLL 1 IoCs

Processes:

416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe

pid process

1356 416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe

pid	process
840	DropboxUpdate.exe

pid	process
1356	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DropboxUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	DropboxUpdate.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe

description	pid	process	target process
PID 1356 wrote to memory of 840	1356	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe
PID 1356 wrote to memory of 840	1356	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe
PID 1356 wrote to memory of 840	1356	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe
PID 1356 wrote to memory of 840	1356	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe
PID 1356 wrote to memory of 840	1356	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe
PID 1356 wrote to memory of 840	1356	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe
PID 1356 wrote to memory of 840	1356	416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe	DropboxUpdate.exe

C:\Users\Admin\AppData\Local\Temp\416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe
"C:\Users\Admin\AppData\Local\Temp\416bccea325ef89df8d6bcbaa8c8e8d2a00f0b505b8a998e70ff2524a9c56414.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\GUM1A74.tmp\DropboxUpdate.exe
C:\Users\Admin\AppData\Local\Temp\GUM1A74.tmp\DropboxUpdate.exe /installsource taggedmi /install "appguid={CC46080E-4C33-4981-859A-BBA2F780F31E}&appname=Dropbox&needsadmin=Prefers&dropbox_data=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3TmpZM01qSzNNTFl3TVRNek1qQzJNRGN3TkRjMU5EUURpaGxhV3BpWW1scWFtVm1ZVzlRQ0FLbzBEZGd-QE1FVEEifQ"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GUM1A74.tmp\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUM1A74.tmp\goopdate.dll
Filesize
1.1MB

MD5
01fcad9acf3724382c4bad474bae9b2f

SHA1
a7261b5b298262a592a2848a9fbb150f2a2b4409

SHA256
5d0d980ef653dd1de8f385e6080e63c7b535d6b614aff3f45bc75b76cab6fad6

SHA512
719b64d6ec6ae96cccd39109f478e0bdea13889d03208d901c02ad62eb04134d833ad6c4186929e262b4a571c485f7dde4fff8470926610547e3647a1cabf765

Download Submit
\Users\Admin\AppData\Local\Temp\GUM1A74.tmp\DropboxUpdate.exe
Filesize
139KB

MD5
a1f58fff448e4099297d6ee0641d4d0e

SHA1
d3a77e94d08f2eb9a8276f32ca16f65d1ce8b524

SHA256
47839789332aaf8861f7731bf2d3fbb5e0991ea0d0b457bb4c8c1784f76c73dc

SHA512
860de9ea16b3f5b5c0eaf81a57a857ac60bf035877bcc1cfe489109735f7a8d784f38f0961b0c5584309c3825501db9b3aa2f385c860e149b020967468edc556

Download Submit
memory/840-55-0x0000000000000000-mapping.dmp

Download
memory/840-57-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing