cfadb4677652fba6e5eb1a52ffeaeb798e557e8059669400d4795bb14c05e0b0

General

Target

ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe
Size

1.1MB
MD5

55b4ced9ea0002587ddf9d03cfa7e701
SHA1

54e3af5de952fedd87e75eb64a47de198fcc4480
SHA256

9531316f957d0811b227f005bd88da5b641c42f2d585d3ee3abc318bf7653965
SHA512

d87c50af31662e5ce4c83050cc0b951c3253177b6c6224261285d1381b92adb247d91c9fb647145e23214a2163952dd625ba2a7804b103eee7bd3a3ad1c48807
SSDEEP

12288:o6aRprsnYVxcOodViS7pSQGN/EgZwwz3NjEq8uYjR5nWFpPoSKhW8turx:o687joziScQGnxEHuYSbA04urx

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/1536-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral3/memory/1536-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1536	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1536	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe
1536	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe
1536	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe
1536	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe
1536	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe
1536	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe
1536	ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe

C:\Users\Admin\AppData\Local\Temp\ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe
"C:\Users\Admin\AppData\Local\Temp\ͯ̳ܽ̳QQռ˵˵̬ʵʱޣɳ).exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1536-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1536-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads