12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b

General

Target

12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
Size

252KB
MD5

047c156bac3a1b49b36d8654cfbfd462
SHA1

63a61c568e0e55737168627ec14430189aa17e1a
SHA256

12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b
SHA512

7fbbe4dbb9d0c6465febc2869a6b854963ed7fe96110314e415ebcbef3ab3545c77a042996097fa2f8cdcfe12aaf1954b731f8a5dde988cb1b9ab88848bf4745
SSDEEP

3072:lCfFBrDkiap75bTlxPCMwy6K9MHecBQ41pBYe6:lCfFtDg9JqS0Heo6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1956	simc.tmp

Loads dropped DLL 2 IoCs

pid	Process
1136	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
1136	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\FreeRapid\2.bat	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
File created	C:\Program Files\FreeRapid\4.bat	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
File created	C:\Program Files\FreeRapid\resv.bin	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
File created	C:\Program Files\FreeRapid\1.bat	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Comres.dll	simc.tmp

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A	simc.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967	simc.tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1956	simc.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1956	simc.tmp
Token: SeRestorePrivilege	1956	simc.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1956	1136	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	30
PID 1136 wrote to memory of 1956	1136	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	30
PID 1136 wrote to memory of 1956	1136	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	30
PID 1136 wrote to memory of 1956	1136	12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe	30
PID 1956 wrote to memory of 1756	1956	simc.tmp	31
PID 1956 wrote to memory of 1756	1956	simc.tmp	31
PID 1956 wrote to memory of 1756	1956	simc.tmp	31
PID 1956 wrote to memory of 1756	1956	simc.tmp	31

C:\Users\Admin\AppData\Local\Temp\12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe
"C:\Users\Admin\AppData\Local\Temp\12e8ca4bcf45941c89025d441e9697f4171edacf8c487280814b92a412bada6b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Roaming\simc.tmp
  C:\Users\Admin\AppData\Roaming\simc.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c afc9fe2f418b00a0.bat
    3⤵
    PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
3d15f5598c7304d4620c459d16b672d6

SHA1
d5fd318f2347ef63c062aef5658c5ad5934107c6

SHA256
30d8d0e43a0eece7b003fbeb6077a07e910afe03199d3d0022fae0d4be94b7f6

SHA512
09c2b357d31851c209d078e3787407555710b2b837ad94f11f9d113259a7f8bdda199c2cea45ab6338d1a8e4ec94f0cb663f13260c4e47383886cb897e9b9a10

Download Submit
C:\Users\Admin\AppData\Roaming\simc.tmp

Filesize
89KB

MD5
6c118890d74486df4fded70e3766a789

SHA1
717ba50c0932dd2156580c670d0fa6a42c495c52

SHA256
58acb26a1f46ce0b52f11af2fd63acfbfe56b5d7fc4da642ab063b9cbc018320

SHA512
31b8f1be0f1cbbaf43219ff3c521515e88ecd6b068b911158cd735122639dbcb911c39eabe06c29f33d5e451a2cf8041e1b9cee78e8e745ee701e1b0046bc1af

Download Submit
C:\Users\Admin\AppData\Roaming\simc.tmp

Filesize
89KB

MD5
6c118890d74486df4fded70e3766a789

SHA1
717ba50c0932dd2156580c670d0fa6a42c495c52

SHA256
58acb26a1f46ce0b52f11af2fd63acfbfe56b5d7fc4da642ab063b9cbc018320

SHA512
31b8f1be0f1cbbaf43219ff3c521515e88ecd6b068b911158cd735122639dbcb911c39eabe06c29f33d5e451a2cf8041e1b9cee78e8e745ee701e1b0046bc1af

Download Submit
\Users\Admin\AppData\Roaming\simc.tmp

Filesize
89KB

MD5
6c118890d74486df4fded70e3766a789

SHA1
717ba50c0932dd2156580c670d0fa6a42c495c52

SHA256
58acb26a1f46ce0b52f11af2fd63acfbfe56b5d7fc4da642ab063b9cbc018320

SHA512
31b8f1be0f1cbbaf43219ff3c521515e88ecd6b068b911158cd735122639dbcb911c39eabe06c29f33d5e451a2cf8041e1b9cee78e8e745ee701e1b0046bc1af

Download Submit
\Users\Admin\AppData\Roaming\simc.tmp

Filesize
89KB

MD5
6c118890d74486df4fded70e3766a789

SHA1
717ba50c0932dd2156580c670d0fa6a42c495c52

SHA256
58acb26a1f46ce0b52f11af2fd63acfbfe56b5d7fc4da642ab063b9cbc018320

SHA512
31b8f1be0f1cbbaf43219ff3c521515e88ecd6b068b911158cd735122639dbcb911c39eabe06c29f33d5e451a2cf8041e1b9cee78e8e745ee701e1b0046bc1af

Download Submit
memory/1136-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1136-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1136-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing