b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1

General

Target

b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
Size

330KB
MD5

c74ce3c717eb54abb4281448a86093ba
SHA1

0b8ce40d3a4fe0e4511bd007d8fb94cfcbd19f32
SHA256

b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1
SHA512

dce195daf9aaaa4f236fb002c5ce33bbead0570d78fa2e41cf54328f93fce5a7ca8fcd28b12ec22d847b4348c15cdb695dccd3500c845325510c8f3dff6ad595
SSDEEP

6144:GNut5Y66DJQLNE6AEYQmgoUVnDDaTZ/Bc1cYROZ+76:DcDJQxE61pDfVnvCZ/Bc1co6+W

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

akcyd.exeakcyd.exe

pid process

1972 akcyd.exe
864 akcyd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1132 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe

pid process

1004 b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe

pid	process
1972	akcyd.exe
864	akcyd.exe

pid	process
1132	cmd.exe

pid	process
1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

akcyd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\Currentversion\Run	akcyd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A9351AFE-A131-C481-2BFA-738A5699DAE2} = "C:\\Users\\Admin\\AppData\\Roaming\\Evquok\\akcyd.exe"	akcyd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exeakcyd.exe

description	pid	process	target process
PID 1388 set thread context of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1972 set thread context of 864	1972	akcyd.exe	akcyd.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

akcyd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	akcyd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	akcyd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	akcyd.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exeakcyd.exeakcyd.exe

pid	process
1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
1972	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

akcyd.exe

pid process

864 akcyd.exe
864 akcyd.exe
864 akcyd.exe
864 akcyd.exe
864 akcyd.exe

pid	process
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe
864	akcyd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exeb2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exeakcyd.exe

description	pid	process
Token: SeDebugPrivilege	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
Token: SeSecurityPrivilege	1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
Token: SeDebugPrivilege	1972	akcyd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

akcyd.exe

pid process

864 akcyd.exe

pid	process
864	akcyd.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exeb2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exeakcyd.exe

description	pid	process	target process
PID 1388 wrote to memory of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1388 wrote to memory of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1388 wrote to memory of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1388 wrote to memory of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1388 wrote to memory of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1388 wrote to memory of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1388 wrote to memory of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1388 wrote to memory of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1388 wrote to memory of 1004	1388	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
PID 1004 wrote to memory of 1972	1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	akcyd.exe
PID 1004 wrote to memory of 1972	1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	akcyd.exe
PID 1004 wrote to memory of 1972	1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	akcyd.exe
PID 1004 wrote to memory of 1972	1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	akcyd.exe
PID 1972 wrote to memory of 864	1972	akcyd.exe	akcyd.exe
PID 1972 wrote to memory of 864	1972	akcyd.exe	akcyd.exe
PID 1972 wrote to memory of 864	1972	akcyd.exe	akcyd.exe
PID 1972 wrote to memory of 864	1972	akcyd.exe	akcyd.exe
PID 1972 wrote to memory of 864	1972	akcyd.exe	akcyd.exe
PID 1972 wrote to memory of 864	1972	akcyd.exe	akcyd.exe
PID 1972 wrote to memory of 864	1972	akcyd.exe	akcyd.exe
PID 1972 wrote to memory of 864	1972	akcyd.exe	akcyd.exe
PID 1972 wrote to memory of 864	1972	akcyd.exe	akcyd.exe
PID 1004 wrote to memory of 1132	1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	cmd.exe
PID 1004 wrote to memory of 1132	1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	cmd.exe
PID 1004 wrote to memory of 1132	1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	cmd.exe
PID 1004 wrote to memory of 1132	1004	b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
"C:\Users\Admin\AppData\Local\Temp\b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe
"C:\Users\Admin\AppData\Local\Temp\b2808470a527e4ea38fc8b1f27b3215666f174a263a103bc9e95624380b09cd1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\AppData\Roaming\Evquok\akcyd.exe
"C:\Users\Admin\AppData\Roaming\Evquok\akcyd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\Evquok\akcyd.exe
"C:\Users\Admin\AppData\Roaming\Evquok\akcyd.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6248f00e.bat"
3⤵
- Deletes itself
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6248f00e.bat
Filesize
307B

MD5
dff44610dc0e37a6b88e3c5190304470

SHA1
b81150cdbbb69fde113466c6f3b6381a4f6a31dc

SHA256
b24c6dd3caff203cf15ca91064296d9021af96b4c5fe07c30ea1672012a16aa7

SHA512
9a086a64d2c79d575f681a15671de4f501e4903aa33558b1765359bb41c6b2cad8ff983c4b72fa25d7042d2ca2b3164bd7dd9277194a5b3a81cbe9e6c5925a9d

Download Submit
C:\Users\Admin\AppData\Roaming\Evquok\akcyd.exe
Filesize
330KB

MD5
eee601042eb3bdd4c80ba050bc00b58d

SHA1
baf38b687cd65598a8f89557bdc6f6cf6ee0f0cc

SHA256
64855ad968265c2e824abdf2c1010beefe868039bf360fd2dccb170d764b0e11

SHA512
fdfe93cfac98503b4cdb067e25103fa439766b37deae1043399994acfaf7762204cba760316458ac7a9ab7f700e6c7a23065ee78d265c2123a663b5cf4bfe3bf

Download Submit
C:\Users\Admin\AppData\Roaming\Evquok\akcyd.exe
Filesize
330KB

MD5
eee601042eb3bdd4c80ba050bc00b58d

SHA1
baf38b687cd65598a8f89557bdc6f6cf6ee0f0cc

SHA256
64855ad968265c2e824abdf2c1010beefe868039bf360fd2dccb170d764b0e11

SHA512
fdfe93cfac98503b4cdb067e25103fa439766b37deae1043399994acfaf7762204cba760316458ac7a9ab7f700e6c7a23065ee78d265c2123a663b5cf4bfe3bf

Download Submit
C:\Users\Admin\AppData\Roaming\Evquok\akcyd.exe
Filesize
330KB

MD5
eee601042eb3bdd4c80ba050bc00b58d

SHA1
baf38b687cd65598a8f89557bdc6f6cf6ee0f0cc

SHA256
64855ad968265c2e824abdf2c1010beefe868039bf360fd2dccb170d764b0e11

SHA512
fdfe93cfac98503b4cdb067e25103fa439766b37deae1043399994acfaf7762204cba760316458ac7a9ab7f700e6c7a23065ee78d265c2123a663b5cf4bfe3bf

Download Submit
\Users\Admin\AppData\Roaming\Evquok\akcyd.exe
Filesize
330KB

MD5
eee601042eb3bdd4c80ba050bc00b58d

SHA1
baf38b687cd65598a8f89557bdc6f6cf6ee0f0cc

SHA256
64855ad968265c2e824abdf2c1010beefe868039bf360fd2dccb170d764b0e11

SHA512
fdfe93cfac98503b4cdb067e25103fa439766b37deae1043399994acfaf7762204cba760316458ac7a9ab7f700e6c7a23065ee78d265c2123a663b5cf4bfe3bf

Download Submit
memory/864-92-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/864-85-0x000000000040EADC-mapping.dmp

Download
memory/1004-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1004-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1004-56-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1004-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1004-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1004-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1004-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1004-72-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1004-63-0x000000000040EADC-mapping.dmp

Download
memory/1004-94-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1004-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-93-0x0000000000000000-mapping.dmp

Download
memory/1388-66-0x0000000000A26000-0x0000000000A37000-memory.dmp

Filesize
68KB

Download
memory/1388-55-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1388-69-0x0000000000A26000-0x0000000000A37000-memory.dmp

Filesize
68KB

Download
memory/1388-68-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-74-0x0000000000000000-mapping.dmp

Download
memory/1972-89-0x0000000000CB6000-0x0000000000CC7000-memory.dmp

Filesize
68KB

Download
memory/1972-88-0x0000000073F30000-0x00000000744DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads