93b5886b0c7bba8d349446a7be427a0ce35e626a2443e92878ee87b918a73171

General

Target

ȫԶQQռʵʱ̬۹.exe
Size

2.0MB
MD5

ec9d5905f6e79b21467a318fed5054d9
SHA1

ca987850add41791a20cd56017977679f9f30388
SHA256

b712edab45d38f33067c61f3d9fd8fcaedfd8f648776f34d4f8f0cdb4d0a60fb
SHA512

7a38cd6478581cb0766e2587df489aae65ddf53e2922c032cae45c75607c7ff5328f744208506b450416a57236fd65deba81df2404b493640e70a71c0f2097fa
SSDEEP

49152:8p4CkAI64NlqMWWNLMLf8vfGoOVbkYLYDwYflYYJYgY4:uDkBXqMWWWAHG5aYLYDwYflYYJYgY4

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	empty.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1112-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-67-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-69-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-71-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-73-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-75-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-77-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-79-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-81-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-83-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-85-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-87-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-89-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-91-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-95-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-97-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-93-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1112-104-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\empty.exe	ȫԶQQռʵʱ̬۹.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	ȫԶQQռʵʱ̬۹.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	ȫԶQQռʵʱ̬۹.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	ȫԶQQռʵʱ̬۹.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	empty.exe
Token: 33	1928	empty.exe
Token: SeIncBasePriorityPrivilege	1928	empty.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1112	ȫԶQQռʵʱ̬۹.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1112	ȫԶQQռʵʱ̬۹.exe
1112	ȫԶQQռʵʱ̬۹.exe
1112	ȫԶQQռʵʱ̬۹.exe
1112	ȫԶQQռʵʱ̬۹.exe
1112	ȫԶQQռʵʱ̬۹.exe
1112	ȫԶQQռʵʱ̬۹.exe
1112	ȫԶQQռʵʱ̬۹.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1928	1112	ȫԶQQռʵʱ̬۹.exe	30
PID 1112 wrote to memory of 1928	1112	ȫԶQQռʵʱ̬۹.exe	30
PID 1112 wrote to memory of 1928	1112	ȫԶQQռʵʱ̬۹.exe	30
PID 1112 wrote to memory of 1928	1112	ȫԶQQռʵʱ̬۹.exe	30

C:\Users\Admin\AppData\Local\Temp\ȫԶQQռʵʱ̬۹.exe
"C:\Users\Admin\AppData\Local\Temp\ȫԶQQռʵʱ̬۹.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\empty.exe
  C:\Windows\empty.exe 1112
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\empty.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
memory/1112-79-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-67-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-69-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-71-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-73-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-81-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-77-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-75-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-83-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-85-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-87-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-89-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-91-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-95-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-97-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-93-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1112-98-0x0000000001EF0000-0x0000000001F75000-memory.dmp

Filesize
532KB

Download
memory/1112-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1112-104-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads