123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b

General

Target

123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
Size

11.0MB
MD5

ed467dd4850dc17520c7439172cb30b0
SHA1

f4a5fcebbe294475f58589460f2cb4573597986f
SHA256

123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b
SHA512

4f8f8cc38774b2584ee16c6c1b121242bbca725a8206b9ebead0fa6fc1906b3f128afdd95e3f66fe5f304c9b9ebf4927a2635467578422d5bce1a5dd65e383c9
SSDEEP

196608:KmLh2p3ANDneIlneIIWbODnHHlyV9DeqtRc+qASoFNASoF4ASoFY:KPAVeI4R4ODHFyV/RBuoFVoFooFY

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

1336 setup.exe

pid	process
1336	setup.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1336-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-99-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-101-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-103-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-105-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-107-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-109-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-111-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1336-113-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exesetup.exe

pid process

428 123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
1336 setup.exe
1336 setup.exe
1336 setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "c:\\smss.exe"	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

setup.exe

pid process

1336 setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1336	setup.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "yes"	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exesetup.exe

pid	process
428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
1336	setup.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exesetup.exe

pid	process
428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
1336	setup.exe
1336	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe

description	pid	process	target process
PID 428 wrote to memory of 1336	428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe	setup.exe
PID 428 wrote to memory of 1336	428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe	setup.exe
PID 428 wrote to memory of 1336	428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe	setup.exe
PID 428 wrote to memory of 1336	428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe	setup.exe
PID 428 wrote to memory of 1336	428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe	setup.exe
PID 428 wrote to memory of 1336	428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe	setup.exe
PID 428 wrote to memory of 1336	428	123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe
"C:\Users\Admin\AppData\Local\Temp\123504f0fc0253efa52a458d0a65bbbc6f648bf8dd2e1f60b9199afd1842ee5b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\setup.exe
setup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.9MB

MD5
f63964f0b71013d32a86516a1abf9ffb

SHA1
aca537dc2eefed2517e14e5b3896a9e9f3415bda

SHA256
e17fc635b0e93d723f776ba91edce5d551d07f0ef74b31daf91f2b5eb69ff37e

SHA512
6381f5a1e7012362ea4a8ac9d318f1106aa7a0d7e8d2692f1dbadef096e4923e24ce4c5435c69505e23125628da6a000b9abbbe54b9755c16def9fff15de1344

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.9MB

MD5
f63964f0b71013d32a86516a1abf9ffb

SHA1
aca537dc2eefed2517e14e5b3896a9e9f3415bda

SHA256
e17fc635b0e93d723f776ba91edce5d551d07f0ef74b31daf91f2b5eb69ff37e

SHA512
6381f5a1e7012362ea4a8ac9d318f1106aa7a0d7e8d2692f1dbadef096e4923e24ce4c5435c69505e23125628da6a000b9abbbe54b9755c16def9fff15de1344

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.9MB

MD5
f63964f0b71013d32a86516a1abf9ffb

SHA1
aca537dc2eefed2517e14e5b3896a9e9f3415bda

SHA256
e17fc635b0e93d723f776ba91edce5d551d07f0ef74b31daf91f2b5eb69ff37e

SHA512
6381f5a1e7012362ea4a8ac9d318f1106aa7a0d7e8d2692f1dbadef096e4923e24ce4c5435c69505e23125628da6a000b9abbbe54b9755c16def9fff15de1344

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.9MB

MD5
f63964f0b71013d32a86516a1abf9ffb

SHA1
aca537dc2eefed2517e14e5b3896a9e9f3415bda

SHA256
e17fc635b0e93d723f776ba91edce5d551d07f0ef74b31daf91f2b5eb69ff37e

SHA512
6381f5a1e7012362ea4a8ac9d318f1106aa7a0d7e8d2692f1dbadef096e4923e24ce4c5435c69505e23125628da6a000b9abbbe54b9755c16def9fff15de1344

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.9MB

MD5
f63964f0b71013d32a86516a1abf9ffb

SHA1
aca537dc2eefed2517e14e5b3896a9e9f3415bda

SHA256
e17fc635b0e93d723f776ba91edce5d551d07f0ef74b31daf91f2b5eb69ff37e

SHA512
6381f5a1e7012362ea4a8ac9d318f1106aa7a0d7e8d2692f1dbadef096e4923e24ce4c5435c69505e23125628da6a000b9abbbe54b9755c16def9fff15de1344

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
7.9MB

MD5
f63964f0b71013d32a86516a1abf9ffb

SHA1
aca537dc2eefed2517e14e5b3896a9e9f3415bda

SHA256
e17fc635b0e93d723f776ba91edce5d551d07f0ef74b31daf91f2b5eb69ff37e

SHA512
6381f5a1e7012362ea4a8ac9d318f1106aa7a0d7e8d2692f1dbadef096e4923e24ce4c5435c69505e23125628da6a000b9abbbe54b9755c16def9fff15de1344

Download Submit
memory/428-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/428-61-0x0000000008FB0000-0x000000000A2F7000-memory.dmp

Filesize
19.3MB

Download
memory/1336-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-66-0x0000000002060000-0x00000000033A7000-memory.dmp

Filesize
19.3MB

Download
memory/1336-67-0x0000000002060000-0x00000000033A7000-memory.dmp

Filesize
19.3MB

Download
memory/1336-68-0x0000000002060000-0x00000000033A7000-memory.dmp

Filesize
19.3MB

Download
memory/1336-69-0x0000000000400000-0x0000000001747000-memory.dmp

Filesize
19.3MB

Download
memory/1336-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-57-0x0000000000000000-mapping.dmp

Download
memory/1336-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-62-0x0000000000400000-0x0000000001747000-memory.dmp

Filesize
19.3MB

Download
memory/1336-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-101-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-103-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-105-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-107-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-109-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-111-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-113-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1336-114-0x0000000000400000-0x0000000001747000-memory.dmp

Filesize
19.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads