1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
Size

2.0MB
MD5

620b8a4e8aa8b1680cca1bde8b9533e3
SHA1

39ba5c0fd5605688bf9d7cc043173616b5bcfebf
SHA256

1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394
SHA512

2095682487b2ab2ea97c38c11d9c07113badd8991ef8c3505c0bd975742b2ec53f384698c6ec53d24ea5239feb6c3b3e8703c2241186287cdf4cc1a07fd8a73c
SSDEEP

49152:grhVOJDvuZuVhqr5Xt0E2OV+QQpHEwFV8zaPGhHj/qhj:gdVONvuN5XmE2OVDQpHEEV8GPwDa

Score

8^/10

upx vmprotect

Malware Config

Signatures

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2016-57-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-60-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-59-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-62-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-61-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-68-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-70-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-74-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-72-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-76-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-80-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-90-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-100-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-102-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-98-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-96-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-94-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-92-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-88-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-86-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-84-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-82-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-78-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-66-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-64-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-104-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2016-113-0x0000000010000000-0x000000001003D000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2016-55-0x0000000000400000-0x0000000000867000-memory.dmp	vmprotect
behavioral1/memory/2016-103-0x0000000000400000-0x0000000000867000-memory.dmp	vmprotect
behavioral1/memory/2016-112-0x0000000000400000-0x0000000000867000-memory.dmp	vmprotect

Loads dropped DLL 5 IoCs

pid	Process
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\BT.dll	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
File created	C:\Windows\SysWOW64\BT.ime	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\yy.com\NumberOfSubdomains = "1"	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
2016	1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe

C:\Users\Admin\AppData\Local\Temp\1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe
"C:\Users\Admin\AppData\Local\Temp\1b25469cad4428c8f63b54b92bfa80d963c75791cac5f5868f84683fd4c71394.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\BT.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\BT.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\BT.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\BT.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
\Windows\SysWOW64\BT.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
memory/2016-94-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-88-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-68-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-70-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-74-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-72-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-76-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-80-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-90-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-100-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-102-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-98-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-96-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2016-92-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-61-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-86-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-84-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-82-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-78-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-66-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-103-0x0000000000400000-0x0000000000867000-memory.dmp

Filesize
4.4MB

Download
memory/2016-64-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-104-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-62-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-59-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-60-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-57-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2016-55-0x0000000000400000-0x0000000000867000-memory.dmp

Filesize
4.4MB

Download
memory/2016-110-0x0000000003570000-0x000000000357E000-memory.dmp

Filesize
56KB

Download
memory/2016-112-0x0000000000400000-0x0000000000867000-memory.dmp

Filesize
4.4MB

Download
memory/2016-113-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download