35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148

General

Target

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
Size

448KB
MD5

4b474710105ef3fb6be98cb295f279a2
SHA1

027feed77bdc42f65a22d6440ff02033cebc7c7a
SHA256

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148
SHA512

bd703b21f9fa97444d19798ce727d262185735478a10a4072e5673c9d6cb54f137eb7f1dea2766489a095c85156820e98f7b05e79961dd0b12ec58ec384ec99a
SSDEEP

12288:YXe9PPlowWX0t6mOQwg1Qd15CcYk0We1GUuaOCOz:VhloDX0XOf4oUuPCOz

Score

10^/10

evasion spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/896-55-0x0000000000BE0000-0x0000000000CF1000-memory.dmp	upx
behavioral1/memory/896-56-0x0000000000BE0000-0x0000000000CF1000-memory.dmp	upx
behavioral1/memory/896-58-0x0000000000BE0000-0x0000000000CF1000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1752 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1752	cmd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/896-55-0x0000000000BE0000-0x0000000000CF1000-memory.dmp	autoit_exe
behavioral1/memory/896-56-0x0000000000BE0000-0x0000000000CF1000-memory.dmp	autoit_exe
behavioral1/memory/896-58-0x0000000000BE0000-0x0000000000CF1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

NTFS ADS 1 IoCs

Processes:

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\cimv2	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

pid	process
896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

pid	process
896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

pid	process
896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

description	pid	process	target process
PID 896 wrote to memory of 1752	896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe	cmd.exe
PID 896 wrote to memory of 1752	896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe	cmd.exe
PID 896 wrote to memory of 1752	896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe	cmd.exe
PID 896 wrote to memory of 1752	896	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe	cmd.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe

C:\Users\Admin\AppData\Local\Temp\35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe
"C:\Users\Admin\AppData\Local\Temp\35c421c06c8c02839bcde4df85d29760808b7d0a550bcb64fb4f8a724cbee148.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\~adios.bat
2⤵
- Deletes itself
PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~adios.bat

Filesize
343B

MD5
9c4e22b45c3cafd26f95ee7a5413b1cd

SHA1
6d14c95fe86b5b754f0398d6d60f817bece25ce9

SHA256
f82655d51c3a4106633267ed919c683f8ccf0233d665caecc9848bb82fa7b0ac

SHA512
fb57507888752de23a360b06bd7e0e2202e8d4403eb1a5b53dc0071947e3cd46ab90684e36c85dbd53b97edd3b7787637c5b84b4ecfd6929ab17ebe4924f292f

Download Submit
memory/896-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/896-55-0x0000000000BE0000-0x0000000000CF1000-memory.dmp

Filesize
1.1MB

Download
memory/896-56-0x0000000000BE0000-0x0000000000CF1000-memory.dmp

Filesize
1.1MB

Download
memory/896-58-0x0000000000BE0000-0x0000000000CF1000-memory.dmp

Filesize
1.1MB

Download
memory/1752-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads