a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e

General

Target

a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
Size

1.3MB
MD5

6320e731dade6b75698a406f2eaf1ac0
SHA1

4b54fc9d09b44f1d72aeb1e9be7072a65a62c51f
SHA256

a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e
SHA512

759dbe8ed8abe379e5115c2988fae1b86b8c27753314c6dca82782a97c9bd36714b043ef9ba365b12d11d8f49eab058a0aacfa53ec46a8a6557bcd109d1c71f8
SSDEEP

6144:llt/9LvG6g6vdZwhvvH9cXdq0etw9R5mY0uMZVGmoJFCvngBt43wchCREaFRVser:lL/9LYgPWcX0Nw9uZarnCvnEtShMoSB

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	smss.exe

Executes dropped EXE 2 IoCs

pid	Process
760	smss.exe
1044	smss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1212	netsh.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-56-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1968-60-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1968-59-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1360-63-0x0000000000400000-0x000000000054F000-memory.dmp	upx
behavioral1/memory/1968-65-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1968-66-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/files/0x000900000001273e-68.dat	upx
behavioral1/files/0x000900000001273e-69.dat	upx
behavioral1/files/0x000900000001273e-71.dat	upx
behavioral1/memory/1968-72-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/files/0x000900000001273e-75.dat	upx
behavioral1/memory/760-80-0x0000000000400000-0x000000000054F000-memory.dmp	upx
behavioral1/files/0x000900000001273e-78.dat	upx
behavioral1/memory/1044-87-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral1/memory/1044-88-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\smss.exe\""	smss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1360 set thread context of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 760 set thread context of 1044	760	smss.exe	34

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
760	smss.exe
1044	smss.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 1360 wrote to memory of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 1360 wrote to memory of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 1360 wrote to memory of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 1360 wrote to memory of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 1360 wrote to memory of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 1360 wrote to memory of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 1360 wrote to memory of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 1360 wrote to memory of 1968	1360	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	28
PID 1968 wrote to memory of 1212	1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	31
PID 1968 wrote to memory of 1212	1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	31
PID 1968 wrote to memory of 1212	1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	31
PID 1968 wrote to memory of 1212	1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	31
PID 1968 wrote to memory of 760	1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	32
PID 1968 wrote to memory of 760	1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	32
PID 1968 wrote to memory of 760	1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	32
PID 1968 wrote to memory of 760	1968	a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe	32
PID 760 wrote to memory of 1044	760	smss.exe	34
PID 760 wrote to memory of 1044	760	smss.exe	34
PID 760 wrote to memory of 1044	760	smss.exe	34
PID 760 wrote to memory of 1044	760	smss.exe	34
PID 760 wrote to memory of 1044	760	smss.exe	34
PID 760 wrote to memory of 1044	760	smss.exe	34
PID 760 wrote to memory of 1044	760	smss.exe	34
PID 760 wrote to memory of 1044	760	smss.exe	34
PID 760 wrote to memory of 1044	760	smss.exe	34

C:\Users\Admin\AppData\Local\Temp\a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
"C:\Users\Admin\AppData\Local\Temp\a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
  "C:\Users\Admin\AppData\Local\Temp\a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\smss.exe" CityScape Enable
    3⤵
    - Modifies Windows Firewall
    PID:1212
- - C:\Users\Admin\AppData\Roaming\smss.exe
    /d C:\Users\Admin\AppData\Local\Temp\a7b38d586619db0335c48667eccb2518493632484c129a4d2d71709a3e2cbb1e.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Users\Admin\AppData\Roaming\smss.exe
      "C:\Users\Admin\AppData\Roaming\smss.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\smss.exe

Filesize
1.3MB

MD5
0dad7794446f8311683656f5f9218b52

SHA1
d57c83ab7880d1a2b799f3625100a6c3f740d649

SHA256
9530aeab7d39cac52d4884f7b3a542cc46f2c64262bfadf4e4d0014298a86e70

SHA512
c583341a83ac95bea3e7abf3b30e0bf08af3901bea80857700ac64320de624d060087791e5488315729c498de6a279a9fc07bc2f56b9edc08b030abf6336073a

Download Submit
C:\Users\Admin\AppData\Roaming\smss.exe

Filesize
1.3MB

MD5
0dad7794446f8311683656f5f9218b52

SHA1
d57c83ab7880d1a2b799f3625100a6c3f740d649

SHA256
9530aeab7d39cac52d4884f7b3a542cc46f2c64262bfadf4e4d0014298a86e70

SHA512
c583341a83ac95bea3e7abf3b30e0bf08af3901bea80857700ac64320de624d060087791e5488315729c498de6a279a9fc07bc2f56b9edc08b030abf6336073a

Download Submit
C:\Users\Admin\AppData\Roaming\smss.exe

Filesize
1.3MB

MD5
0dad7794446f8311683656f5f9218b52

SHA1
d57c83ab7880d1a2b799f3625100a6c3f740d649

SHA256
9530aeab7d39cac52d4884f7b3a542cc46f2c64262bfadf4e4d0014298a86e70

SHA512
c583341a83ac95bea3e7abf3b30e0bf08af3901bea80857700ac64320de624d060087791e5488315729c498de6a279a9fc07bc2f56b9edc08b030abf6336073a

Download Submit
\Users\Admin\AppData\Roaming\smss.exe

Filesize
1.3MB

MD5
0dad7794446f8311683656f5f9218b52

SHA1
d57c83ab7880d1a2b799f3625100a6c3f740d649

SHA256
9530aeab7d39cac52d4884f7b3a542cc46f2c64262bfadf4e4d0014298a86e70

SHA512
c583341a83ac95bea3e7abf3b30e0bf08af3901bea80857700ac64320de624d060087791e5488315729c498de6a279a9fc07bc2f56b9edc08b030abf6336073a

Download Submit
\Users\Admin\AppData\Roaming\smss.exe

Filesize
1.3MB

MD5
0dad7794446f8311683656f5f9218b52

SHA1
d57c83ab7880d1a2b799f3625100a6c3f740d649

SHA256
9530aeab7d39cac52d4884f7b3a542cc46f2c64262bfadf4e4d0014298a86e70

SHA512
c583341a83ac95bea3e7abf3b30e0bf08af3901bea80857700ac64320de624d060087791e5488315729c498de6a279a9fc07bc2f56b9edc08b030abf6336073a

Download Submit
memory/760-80-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1044-88-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1044-87-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1360-63-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1968-59-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1968-72-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1968-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1968-60-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1968-64-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1968-66-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1968-65-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads