479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731

General

Target

479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe
Size

7.7MB
MD5

626ca3c805656cb224a8979d8f3a5759
SHA1

ab79aa8261643739c6eb2810747fdf6fde5bef72
SHA256

479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731
SHA512

d1e2b853d1736a8ab61ab880f78417c311ddb27a59695cbb3fc2314f46c7c51b8dbbb1b45b610f913ee9ebf292da56a54ba71471f7bade6159275a7bc423b21f
SSDEEP

196608:Lvi5h13yOdMV67aojkDkxCf0LgHSKDx96bwMhphUrBrPfg4:O5j3yO/aoJFgHSKDx0bvparBjfg4

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

baprar.exefree.exe

pid process

588 baprar.exe
560 free.exe

pid	process
588	baprar.exe
560	free.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

baprar.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\free\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DE30.tmp\\free.sys"	baprar.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\baprar\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DE30.tmp\\baprar.sys"	baprar.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\DE30.tmp\free.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\DE30.tmp\free.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\DE30.tmp\free.exe	vmprotect
behavioral1/memory/560-65-0x000000013F150000-0x000000013FBAF000-memory.dmp	vmprotect
behavioral1/memory/560-64-0x000000013F150000-0x000000013FBAF000-memory.dmp	vmprotect
behavioral1/memory/560-69-0x000000013F150000-0x000000013FBAF000-memory.dmp	vmprotect

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1532 cmd.exe
1532 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1532	cmd.exe
1532	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

free.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	free.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	free.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

free.exe

pid process

560 free.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

baprar.exe

pid process

588 baprar.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

baprar.exefree.exe

description pid process

Token: SeLoadDriverPrivilege 588 baprar.exe
Token: SeDebugPrivilege 560 free.exe
Token: SeLoadDriverPrivilege 560 free.exe

pid	process
560	free.exe

pid	process
588	baprar.exe

description	pid	process
Token: SeLoadDriverPrivilege	588	baprar.exe
Token: SeDebugPrivilege	560	free.exe
Token: SeLoadDriverPrivilege	560	free.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.execmd.exe

description	pid	process	target process
PID 428 wrote to memory of 1532	428	479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe	cmd.exe
PID 428 wrote to memory of 1532	428	479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe	cmd.exe
PID 428 wrote to memory of 1532	428	479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe	cmd.exe
PID 428 wrote to memory of 1532	428	479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe	cmd.exe
PID 1532 wrote to memory of 588	1532	cmd.exe	baprar.exe
PID 1532 wrote to memory of 588	1532	cmd.exe	baprar.exe
PID 1532 wrote to memory of 588	1532	cmd.exe	baprar.exe
PID 1532 wrote to memory of 560	1532	cmd.exe	free.exe
PID 1532 wrote to memory of 560	1532	cmd.exe	free.exe
PID 1532 wrote to memory of 560	1532	cmd.exe	free.exe

C:\Users\Admin\AppData\Local\Temp\479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe
"C:\Users\Admin\AppData\Local\Temp\479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DE30.tmp\DF59.tmp\DF5A.bat C:\Users\Admin\AppData\Local\Temp\479200748de8926490fd2e41aaa0a4b710533e8d8f205bfbba9fba6416ca7731.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\DE30.tmp\baprar.exe
baprar.exe baprar.sys free.sys
3⤵
- Executes dropped EXE
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Users\Admin\AppData\Local\Temp\DE30.tmp\free.exe
free.exe
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DE30.tmp\DF59.tmp\DF5A.bat
Filesize
67B

MD5
60dd9f76d5186c9529b030698147ecf4

SHA1
e9a7be9e9872bdea320dd108976dd33dff0686d1

SHA256
426fdf4e211c2a786ea51695a784babe5bcf59e5f72e796ec89b0a6c40e1ea03

SHA512
7fef023ab66172510c8516f7e8e24e494e17a8b973d7c8b080c2e95093452c281230e70a89876cea0d210ad1f7d0d0fbe7a84a840810509d9706cd90e2e87d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE30.tmp\baprar.exe
Filesize
20KB

MD5
104d16826db9b10ed83dd119e410b9f5

SHA1
f8f0468abaf481ab9590e7dd65f8c2ca3baf2aea

SHA256
9a097103785ddea1e9db97c2ac74347997913e705b0564be870c44704c36b604

SHA512
995babfb10713a422ba21fb009c394eb08ec06ca4394923d3efce37b3ca6fa18ef54563a17c2a503df12fbe8332bfb4b1808ba652b0e893556a4499898faab81

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE30.tmp\free.exe
Filesize
5.6MB

MD5
093d03dba3010b8a0085e6477460f3d8

SHA1
bcf0aae36f38ff5bb2105ad7532c669986566a09

SHA256
f17d046c287609b896807b483450be5461bc03bce7a0ece44866141168fa1342

SHA512
b6a885d5dc34e5d59db68f6176af270aed979c379ca5c8ade0530f8eeccce5caa42f58feee4cbcacf5798938dd56bf69e4ca373c60663e305200de007111809d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE30.tmp\free.exe
Filesize
5.6MB

MD5
093d03dba3010b8a0085e6477460f3d8

SHA1
bcf0aae36f38ff5bb2105ad7532c669986566a09

SHA256
f17d046c287609b896807b483450be5461bc03bce7a0ece44866141168fa1342

SHA512
b6a885d5dc34e5d59db68f6176af270aed979c379ca5c8ade0530f8eeccce5caa42f58feee4cbcacf5798938dd56bf69e4ca373c60663e305200de007111809d

Download Submit
\Users\Admin\AppData\Local\Temp\DE30.tmp\baprar.exe
Filesize
20KB

MD5
104d16826db9b10ed83dd119e410b9f5

SHA1
f8f0468abaf481ab9590e7dd65f8c2ca3baf2aea

SHA256
9a097103785ddea1e9db97c2ac74347997913e705b0564be870c44704c36b604

SHA512
995babfb10713a422ba21fb009c394eb08ec06ca4394923d3efce37b3ca6fa18ef54563a17c2a503df12fbe8332bfb4b1808ba652b0e893556a4499898faab81

Download Submit
\Users\Admin\AppData\Local\Temp\DE30.tmp\free.exe
Filesize
5.6MB

MD5
093d03dba3010b8a0085e6477460f3d8

SHA1
bcf0aae36f38ff5bb2105ad7532c669986566a09

SHA256
f17d046c287609b896807b483450be5461bc03bce7a0ece44866141168fa1342

SHA512
b6a885d5dc34e5d59db68f6176af270aed979c379ca5c8ade0530f8eeccce5caa42f58feee4cbcacf5798938dd56bf69e4ca373c60663e305200de007111809d

Download Submit
memory/428-54-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/560-61-0x0000000000000000-mapping.dmp

Download
memory/560-65-0x000000013F150000-0x000000013FBAF000-memory.dmp

Filesize
10.4MB

Download
memory/560-64-0x000000013F150000-0x000000013FBAF000-memory.dmp

Filesize
10.4MB

Download
memory/560-68-0x000007FEFB691000-0x000007FEFB693000-memory.dmp

Filesize
8KB

Download
memory/560-69-0x000000013F150000-0x000000013FBAF000-memory.dmp

Filesize
10.4MB

Download
memory/588-58-0x0000000000000000-mapping.dmp

Download
memory/1532-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads