33a3f5327e741cb84d4149ea12b2c6ebed753243e547bf8789b712bc421f8fa1

Analysis

max time kernel
151s
max time network
64s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-10-2022 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TradingApp.exe
Size

700.0MB
MD5

d928e057dbcce6a89c7a88d7758480e2
SHA1

330e61dfc3b0d4dcee04df4b4e6cd7a8af446347
SHA256

33a3f5327e741cb84d4149ea12b2c6ebed753243e547bf8789b712bc421f8fa1
SHA512

173cff5f150d54129a14efabced41d1ca72fe3db53a27293317d7d9df288b6c7ccb7c2f79ea85a20bfaadef1cff3463480b09320e652e058e2f65cc5dc38b159
SSDEEP

24576:BpQ4GQUFIf/IZwlnjevRcN09FmR/OwP0T8eH:rQOPnIsjev9wVGT8I

Score

8^/10

agilenet discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

directx_12.exeDIRECT~1.EXE

pid process

1656 directx_12.exe
1620 DIRECT~1.EXE
Loads dropped DLL 1 IoCs

Processes:

TradingApp.exe

pid process

1348 TradingApp.exe

pid	process
1656	directx_12.exe
1620	DIRECT~1.EXE

pid	process
1348	TradingApp.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1348-56-0x0000000001250000-0x0000000001476000-memory.dmp	agile_net
behavioral1/memory/1348-62-0x0000000001250000-0x0000000001476000-memory.dmp	agile_net
behavioral1/memory/1348-64-0x0000000001250000-0x0000000001476000-memory.dmp	agile_net
behavioral1/memory/1348-65-0x0000000001250000-0x0000000001476000-memory.dmp	agile_net
behavioral1/memory/1348-69-0x0000000001250000-0x0000000001476000-memory.dmp	agile_net
behavioral1/memory/1348-70-0x0000000001250000-0x0000000001476000-memory.dmp	agile_net
behavioral1/memory/1348-76-0x0000000001250000-0x0000000001476000-memory.dmp	agile_net
behavioral1/memory/1348-133-0x0000000001250000-0x0000000001476000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

directx_12.exeDIRECT~1.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	directx_12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	directx_12.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vaiupya = "\"C:\\Users\\Admin\\AppData\\Roaming\\Sgezzxprr\\Vaiupya.exe\""	DIRECT~1.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

TradingApp.exe

pid process

1348 TradingApp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DIRECT~1.EXE

description pid process target process

PID 1620 set thread context of 1800 1620 DIRECT~1.EXE RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1348	TradingApp.exe

description	pid	process	target process
PID 1620 set thread context of 1800	1620	DIRECT~1.EXE	RegAsm.exe

Modifies registry class 10 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\appinstaller_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\appinstaller_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\appinstaller_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.appinstaller	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.appinstaller\ = "appinstaller_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\appinstaller_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\appinstaller_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\appinstaller_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

TradingApp.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TradingApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	TradingApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	TradingApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	TradingApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	TradingApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	TradingApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	TradingApp.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

TradingApp.exepowershell.exeDIRECT~1.EXE

pid process

1348 TradingApp.exe
1348 TradingApp.exe
1348 TradingApp.exe
1036 powershell.exe
1620 DIRECT~1.EXE
1620 DIRECT~1.EXE
1620 DIRECT~1.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TradingApp.exeDIRECT~1.EXEpowershell.exe

description pid process

Token: SeDebugPrivilege 1348 TradingApp.exe
Token: SeDebugPrivilege 1620 DIRECT~1.EXE
Token: SeDebugPrivilege 1036 powershell.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2040 AcroRd32.exe
2040 AcroRd32.exe
2040 AcroRd32.exe

pid	process
1348	TradingApp.exe
1348	TradingApp.exe
1348	TradingApp.exe
1036	powershell.exe
1620	DIRECT~1.EXE
1620	DIRECT~1.EXE
1620	DIRECT~1.EXE

description	pid	process
Token: SeDebugPrivilege	1348	TradingApp.exe
Token: SeDebugPrivilege	1620	DIRECT~1.EXE
Token: SeDebugPrivilege	1036	powershell.exe

pid	process
2040	AcroRd32.exe
2040	AcroRd32.exe
2040	AcroRd32.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

TradingApp.exerundll32.exedirectx_12.exeDIRECT~1.EXE

description	pid	process	target process
PID 1348 wrote to memory of 1364	1348	TradingApp.exe	rundll32.exe
PID 1348 wrote to memory of 1364	1348	TradingApp.exe	rundll32.exe
PID 1348 wrote to memory of 1364	1348	TradingApp.exe	rundll32.exe
PID 1348 wrote to memory of 1364	1348	TradingApp.exe	rundll32.exe
PID 1348 wrote to memory of 1364	1348	TradingApp.exe	rundll32.exe
PID 1348 wrote to memory of 1364	1348	TradingApp.exe	rundll32.exe
PID 1348 wrote to memory of 1364	1348	TradingApp.exe	rundll32.exe
PID 1348 wrote to memory of 1656	1348	TradingApp.exe	directx_12.exe
PID 1348 wrote to memory of 1656	1348	TradingApp.exe	directx_12.exe
PID 1348 wrote to memory of 1656	1348	TradingApp.exe	directx_12.exe
PID 1348 wrote to memory of 1656	1348	TradingApp.exe	directx_12.exe
PID 1364 wrote to memory of 2040	1364	rundll32.exe	AcroRd32.exe
PID 1364 wrote to memory of 2040	1364	rundll32.exe	AcroRd32.exe
PID 1364 wrote to memory of 2040	1364	rundll32.exe	AcroRd32.exe
PID 1364 wrote to memory of 2040	1364	rundll32.exe	AcroRd32.exe
PID 1656 wrote to memory of 1620	1656	directx_12.exe	DIRECT~1.EXE
PID 1656 wrote to memory of 1620	1656	directx_12.exe	DIRECT~1.EXE
PID 1656 wrote to memory of 1620	1656	directx_12.exe	DIRECT~1.EXE
PID 1656 wrote to memory of 1620	1656	directx_12.exe	DIRECT~1.EXE
PID 1656 wrote to memory of 1620	1656	directx_12.exe	DIRECT~1.EXE
PID 1656 wrote to memory of 1620	1656	directx_12.exe	DIRECT~1.EXE
PID 1656 wrote to memory of 1620	1656	directx_12.exe	DIRECT~1.EXE
PID 1620 wrote to memory of 1036	1620	DIRECT~1.EXE	powershell.exe
PID 1620 wrote to memory of 1036	1620	DIRECT~1.EXE	powershell.exe
PID 1620 wrote to memory of 1036	1620	DIRECT~1.EXE	powershell.exe
PID 1620 wrote to memory of 1036	1620	DIRECT~1.EXE	powershell.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe
PID 1620 wrote to memory of 1800	1620	DIRECT~1.EXE	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\TradingApp.exe
"C:\Users\Admin\AppData\Local\Temp\TradingApp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TradingView.appinstaller
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TradingView.appinstaller"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Users\Admin\AppData\Local\Temp\directx_12.exe
"C:\Users\Admin\AppData\Local\Temp\directx_12.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DIRECT~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DIRECT~1.EXE
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
4⤵
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DIRECT~1.EXE
Filesize
700.0MB

MD5
b620c8694e9ad9c1d498443cee19dd38

SHA1
26e8160be844e0898000a3820a8101c63f6e66f7

SHA256
bdf6a656ffca0cb26fe3681a3d45c7fceaa6ec0e658a97e0ad4353660672453b

SHA512
4719a3cb067d8b86189bde79bb71e19032b09023519aa078d3f477f30e299df9896b810cf33307c11fe851dcfb98fbb6e0c5d799696f72f881c3677bc24a4ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DIRECT~1.EXE
Filesize
700.0MB

MD5
b620c8694e9ad9c1d498443cee19dd38

SHA1
26e8160be844e0898000a3820a8101c63f6e66f7

SHA256
bdf6a656ffca0cb26fe3681a3d45c7fceaa6ec0e658a97e0ad4353660672453b

SHA512
4719a3cb067d8b86189bde79bb71e19032b09023519aa078d3f477f30e299df9896b810cf33307c11fe851dcfb98fbb6e0c5d799696f72f881c3677bc24a4ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TradingView.appinstaller
Filesize
4KB

MD5
68e53e57c6a614ca10e7b4e47eda2fee

SHA1
d41c4f5325b53d248847509c72c143ef3bb20d4b

SHA256
f805fa86f5830ce0afc9ae9f4d5da4410cde3d62a81bf0a9d36aea67874fb49e

SHA512
bd17bdef7178835066e837fa58b96cd95bdebea96804a598d0dac8371de54da6d2e5efb518f954d3381827934e0241d27b5595df4a457b52bf11bfe53e8a09c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\directx_12.exe
Filesize
4.7MB

MD5
e0487986aa0e09385590ae9c62844666

SHA1
49d08bd93cbfd11d976e5f30d33b10a1709e5904

SHA256
fe837ac0ea3cbc7748ee99c30a1f721c062db57b2b901986300f448ac5b2b048

SHA512
66a2ae65bec14a29ec5d1fb7a8e1b8251cd0150fe906036523f3dd90cec99ffb4a6adcd2911416aa40648378963c8bcf25ed838a546085f5ca3d31078479fc8d

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\directx_12.exe
Filesize
4.7MB

MD5
e0487986aa0e09385590ae9c62844666

SHA1
49d08bd93cbfd11d976e5f30d33b10a1709e5904

SHA256
fe837ac0ea3cbc7748ee99c30a1f721c062db57b2b901986300f448ac5b2b048

SHA512
66a2ae65bec14a29ec5d1fb7a8e1b8251cd0150fe906036523f3dd90cec99ffb4a6adcd2911416aa40648378963c8bcf25ed838a546085f5ca3d31078479fc8d

Download Submit
memory/1036-148-0x000000006F0F0000-0x000000006F69B000-memory.dmp

Filesize
5.7MB

Download
memory/1036-147-0x000000006F0F0000-0x000000006F69B000-memory.dmp

Filesize
5.7MB

Download
memory/1036-146-0x000000006F0F0000-0x000000006F69B000-memory.dmp

Filesize
5.7MB

Download
memory/1036-143-0x0000000000000000-mapping.dmp

Download
memory/1348-100-0x000000006AB50000-0x000000006AB5E000-memory.dmp

Filesize
56KB

Download
memory/1348-105-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-65-0x0000000001250000-0x0000000001476000-memory.dmp

Filesize
2.1MB

Download
memory/1348-66-0x0000000075FA0000-0x0000000075FE7000-memory.dmp

Filesize
284KB

Download
memory/1348-69-0x0000000001250000-0x0000000001476000-memory.dmp

Filesize
2.1MB

Download
memory/1348-68-0x0000000076DD0000-0x0000000076F2C000-memory.dmp

Filesize
1.4MB

Download
memory/1348-70-0x0000000001250000-0x0000000001476000-memory.dmp

Filesize
2.1MB

Download
memory/1348-71-0x0000000075CF0000-0x0000000075D7F000-memory.dmp

Filesize
572KB

Download
memory/1348-73-0x0000000074F40000-0x0000000075B8A000-memory.dmp

Filesize
12.3MB

Download
memory/1348-74-0x0000000073B40000-0x0000000073B57000-memory.dmp

Filesize
92KB

Download
memory/1348-75-0x0000000076D90000-0x0000000076DC5000-memory.dmp

Filesize
212KB

Download
memory/1348-76-0x0000000001250000-0x0000000001476000-memory.dmp

Filesize
2.1MB

Download
memory/1348-77-0x0000000075FA0000-0x0000000075FE7000-memory.dmp

Filesize
284KB

Download
memory/1348-78-0x000000006AF30000-0x000000006AF47000-memory.dmp

Filesize
92KB

Download
memory/1348-79-0x000000006AEB0000-0x000000006AEC5000-memory.dmp

Filesize
84KB

Download
memory/1348-80-0x000000006AED0000-0x000000006AF22000-memory.dmp

Filesize
328KB

Download
memory/1348-81-0x000000006AEA0000-0x000000006AEAD000-memory.dmp

Filesize
52KB

Download
memory/1348-82-0x0000000076D60000-0x0000000076D79000-memory.dmp

Filesize
100KB

Download
memory/1348-83-0x000000006ADF0000-0x000000006AE3F000-memory.dmp

Filesize
316KB

Download
memory/1348-84-0x000000006AE40000-0x000000006AE98000-memory.dmp

Filesize
352KB

Download
memory/1348-85-0x0000000074E50000-0x0000000074E5C000-memory.dmp

Filesize
48KB

Download
memory/1348-87-0x000000006ADC0000-0x000000006ADDC000-memory.dmp

Filesize
112KB

Download
memory/1348-88-0x0000000076630000-0x0000000076657000-memory.dmp

Filesize
156KB

Download
memory/1348-89-0x000000006AD30000-0x000000006AD74000-memory.dmp

Filesize
272KB

Download
memory/1348-90-0x000000006ABD0000-0x000000006AC0D000-memory.dmp

Filesize
244KB

Download
memory/1348-91-0x0000000076990000-0x000000007699C000-memory.dmp

Filesize
48KB

Download
memory/1348-92-0x0000000075B90000-0x0000000075CAD000-memory.dmp

Filesize
1.1MB

Download
memory/1348-93-0x000000006AC10000-0x000000006AC48000-memory.dmp

Filesize
224KB

Download
memory/1348-94-0x00000000762F0000-0x0000000076335000-memory.dmp

Filesize
276KB

Download
memory/1348-95-0x000000006AB90000-0x000000006ABAC000-memory.dmp

Filesize
112KB

Download
memory/1348-96-0x0000000074A00000-0x0000000074A0B000-memory.dmp

Filesize
44KB

Download
memory/1348-97-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-98-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-99-0x000000006AB60000-0x000000006AB75000-memory.dmp

Filesize
84KB

Download
memory/1348-63-0x0000000000830000-0x0000000000875000-memory.dmp

Filesize
276KB

Download
memory/1348-102-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-103-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-104-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-110-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-64-0x0000000001250000-0x0000000001476000-memory.dmp

Filesize
2.1MB

Download
memory/1348-109-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-108-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-111-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-107-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-112-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-113-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-114-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-115-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-116-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-117-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-118-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-119-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-120-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-121-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-123-0x00000000769A0000-0x0000000076B3D000-memory.dmp

Filesize
1.6MB

Download
memory/1348-122-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1348-124-0x000000006AA50000-0x000000006AB45000-memory.dmp

Filesize
980KB

Download
memory/1348-135-0x0000000075FA0000-0x0000000075FE7000-memory.dmp

Filesize
284KB

Download
memory/1348-134-0x0000000000830000-0x0000000000875000-memory.dmp

Filesize
276KB

Download
memory/1348-133-0x0000000001250000-0x0000000001476000-memory.dmp

Filesize
2.1MB

Download
memory/1348-55-0x0000000074C50000-0x0000000074C9A000-memory.dmp

Filesize
296KB

Download
memory/1348-62-0x0000000001250000-0x0000000001476000-memory.dmp

Filesize
2.1MB

Download
memory/1348-61-0x0000000074970000-0x0000000074979000-memory.dmp

Filesize
36KB

Download
memory/1348-56-0x0000000001250000-0x0000000001476000-memory.dmp

Filesize
2.1MB

Download
memory/1348-60-0x0000000076B40000-0x0000000076B97000-memory.dmp

Filesize
348KB

Download
memory/1348-58-0x0000000076F30000-0x0000000076FDC000-memory.dmp

Filesize
688KB

Download
memory/1348-59-0x0000000075FA0000-0x0000000075FE7000-memory.dmp

Filesize
284KB

Download
memory/1348-106-0x0000000076260000-0x0000000076272000-memory.dmp

Filesize
72KB

Download
memory/1364-125-0x0000000000000000-mapping.dmp

Download
memory/1620-141-0x00000000055C0000-0x0000000005690000-memory.dmp

Filesize
832KB

Download
memory/1620-140-0x0000000000BD0000-0x000000000108C000-memory.dmp

Filesize
4.7MB

Download
memory/1620-137-0x0000000000000000-mapping.dmp

Download
memory/1620-142-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/1656-128-0x0000000000000000-mapping.dmp

Download
memory/1656-130-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1800-149-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1800-150-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1800-156-0x00000000004558AA-mapping.dmp

Download
memory/2040-131-0x0000000000000000-mapping.dmp

Download