f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

General

Target

f07db1e2a512171311f40d080034ba01.exe
Size

610KB
MD5

f07db1e2a512171311f40d080034ba01
SHA1

2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2
SHA256

f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e
SHA512

a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b
SSDEEP

12288:/YV6MorX7qzuC3QHO9FQVHPF51jgcosMlemlDoZ9jE5n:MBXu9HGaVHoFh24x

Score

8^/10

discovery persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1428-55-0x0000000001120000-0x000000000127E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f07db1e2a512171311f40d080034ba01.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	f07db1e2a512171311f40d080034ba01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ZeusTecnologia\|SuporteZeus.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f07db1e2a512171311f40d080034ba01.exe\" -logonAA"	f07db1e2a512171311f40d080034ba01.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1428-55-0x0000000001120000-0x000000000127E000-memory.dmp	autoit_exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

f07db1e2a512171311f40d080034ba01.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	f07db1e2a512171311f40d080034ba01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	f07db1e2a512171311f40d080034ba01.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f07db1e2a512171311f40d080034ba01.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f07db1e2a512171311f40d080034ba01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	f07db1e2a512171311f40d080034ba01.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f07db1e2a512171311f40d080034ba01.exe

pid process

1428 f07db1e2a512171311f40d080034ba01.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

f07db1e2a512171311f40d080034ba01.exe

pid	process
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe

Suspicious use of SendNotifyMessage 61 IoCs

Processes:

f07db1e2a512171311f40d080034ba01.exe

pid	process
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe
1428	f07db1e2a512171311f40d080034ba01.exe

C:\Users\Admin\AppData\Local\Temp\f07db1e2a512171311f40d080034ba01.exe
"C:\Users\Admin\AppData\Local\Temp\f07db1e2a512171311f40d080034ba01.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1428-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1428-55-0x0000000001120000-0x000000000127E000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads