e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1

Analysis

max time kernel
253s
max time network
341s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 23:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
Size

1.1MB
MD5

231fa204c0f18729b2a10197e657a639
SHA1

8c8b9c08dc581211b467c6af6db4cee111de0ac8
SHA256

e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1
SHA512

28aafc4e22f37511851ffaf3f846d5212a5ef7fe8ea35164e9ad6bec0da207c89f4c0b50253641b480acf070d8491966e76e8f0a45283a0102af0bb353272841
SSDEEP

24576:W9kY7vgEeJPq34ZTdQXtnqhz2cOmsRQsmjmPOIzAFMn0kb:W9kYuZTdAtS2lpSovcFA

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1176	6efed9.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1476-54-0x0000000000400000-0x00000000007AC000-memory.dmp	upx
behavioral1/files/0x0009000000012306-56.dat	upx
behavioral1/files/0x0009000000012306-57.dat	upx
behavioral1/files/0x0009000000012306-59.dat	upx
behavioral1/files/0x0009000000012306-61.dat	upx
behavioral1/memory/1176-63-0x0000000000400000-0x00000000007AC000-memory.dmp	upx
behavioral1/memory/1476-64-0x0000000000400000-0x00000000007AC000-memory.dmp	upx
behavioral1/files/0x0009000000012306-66.dat	upx
behavioral1/files/0x0009000000012306-67.dat	upx
behavioral1/files/0x0009000000012306-68.dat	upx
behavioral1/files/0x0009000000012306-69.dat	upx
behavioral1/files/0x0009000000012306-71.dat	upx
behavioral1/files/0x0009000000012306-70.dat	upx
behavioral1/files/0x0009000000012306-72.dat	upx

Loads dropped DLL 9 IoCs

pid	Process
1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1104	1176	WerFault.exe	28

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	6efed9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	6efed9.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
1176	6efed9.exe
1176	6efed9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1176	1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe	28
PID 1476 wrote to memory of 1176	1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe	28
PID 1476 wrote to memory of 1176	1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe	28
PID 1476 wrote to memory of 1176	1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe	28
PID 1176 wrote to memory of 1104	1176	6efed9.exe	31
PID 1176 wrote to memory of 1104	1176	6efed9.exe	31
PID 1176 wrote to memory of 1104	1176	6efed9.exe	31
PID 1176 wrote to memory of 1104	1176	6efed9.exe	31

C:\Users\Admin\AppData\Local\Temp\e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
"C:\Users\Admin\AppData\Local\Temp\e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe 7274217
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1488
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1104

Network

DNS

www.ip138.com

6efed9.exe

Remote address:

8.8.8.8:53

Request

www.ip138.com

IN A

Response

www.ip138.com

IN CNAME

www.ip138.com.lxdns.com

www.ip138.com.lxdns.com

IN A

163.171.140.79
GET

http://www.ip138.com/ips8.asp

6efed9.exe

Remote address:

163.171.140.79:80

Request

GET /ips8.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: www.ip138.com
Cache-Control: no-cache

Response

HTTP/1.1 301 Moved Permanently

Date: Sat, 10 Dec 2022 09:37:52 GMT
Content-Length: 0
Connection: keep-alive
Server: Cdn Cache Server V2.0
Location: https://www.ip138.com/ips8.asp
X-Via: 1.0 PShlamstdAMS1wt94:19 (Cdn Cache Server V2.0)
X-Ws-Request-Id: 63945370_PShlamstdAMS1wt94_43739-29156
DNS

ocsp.digicert.cn

6efed9.exe

Remote address:

8.8.8.8:53

Request

ocsp.digicert.cn

IN A
DNS

ocsp.digicert.cn

6efed9.exe

Remote address:

8.8.8.8:53

Request

ocsp.digicert.cn

IN A
DNS

ocsp.digicert.cn

6efed9.exe

Remote address:

8.8.8.8:53

Request

ocsp.digicert.cn

IN A
DNS

ocsp.digicert.cn

6efed9.exe

Remote address:

8.8.8.8:53

Request

ocsp.digicert.cn

IN A
DNS

ocsp.digicert.cn

6efed9.exe

Remote address:

8.8.8.8:53

Request

ocsp.digicert.cn

IN A
DNS

crl.digicert.cn

6efed9.exe

Remote address:

8.8.8.8:53

Request

crl.digicert.cn

IN A

Response

crl.digicert.cn

IN CNAME

crl.digicert.cn.w.cdngslb.com

crl.digicert.cn.w.cdngslb.com

IN A

47.246.48.211
GET

http://crl.digicert.cn/DigiCertGlobalRootCA.crl

6efed9.exe

Remote address:

47.246.48.211:80

Request

GET /DigiCertGlobalRootCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.digicert.cn

Response

HTTP/1.1 200 OK

Server: Tengine
Content-Type: application/pkix-crl
Content-Length: 779
Connection: keep-alive
Date: Sat, 10 Dec 2022 04:43:03 GMT
Last-Modified: Fri, 09 Dec 2022 00:15:06 GMT
ETag: "63927e0a-30b"
Expires: Sat, 10 Dec 2022 07:43:03 GMT
Cache-Control: max-age=10800
Cache-Control: public
Accept-Ranges: bytes
Ali-Swift-Global-Savetime: 1670647383
Via: cache1.l2de2[0,0,304-0,H], cache20.l2de2[1,0], cache4.nl2[0,0,200-0,H], cache2.nl2[1,0]
Age: 17706
X-Cache: HIT TCP_MEM_HIT dirn:6:32850116
X-Swift-SaveTime: Sat, 10 Dec 2022 04:43:25 GMT
X-Swift-CacheTime: 21578
Timing-Allow-Origin: *
EagleId: 2ff6309616706650892117201e
GET

http://crl.digicert.cn/DigiCertBasicRSACNCAG2.crl

6efed9.exe

Remote address:

47.246.48.211:80

Request

GET /DigiCertBasicRSACNCAG2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.digicert.cn

Response

HTTP/1.1 200 OK

Server: Tengine
Content-Type: application/pkix-crl
Content-Length: 2219
Connection: keep-alive
Date: Sat, 10 Dec 2022 04:51:11 GMT
Last-Modified: Fri, 09 Dec 2022 08:15:04 GMT
ETag: "6392ee88-8ab"
Expires: Sat, 10 Dec 2022 07:51:11 GMT
Cache-Control: max-age=10800
Cache-Control: public
Accept-Ranges: bytes
Ali-Swift-Global-Savetime: 1670647871
Via: cache20.l2de2[0,0,304-0,H], cache17.l2de2[2,0], cache4.nl2[0,0,200-0,H], cache2.nl2[1,0]
Age: 17231
X-Cache: HIT TCP_MEM_HIT dirn:6:34264436
X-Swift-SaveTime: Sat, 10 Dec 2022 04:51:30 GMT
X-Swift-CacheTime: 21581
Timing-Allow-Origin: *
EagleId: 2ff6309616706651028753771e
DNS

ocsp.digicert.cn

6efed9.exe

Remote address:

8.8.8.8:53

Request

ocsp.digicert.cn

IN A

Response

ocsp.digicert.cn

IN CNAME

ocsp.digicert.cn.w.cdngslb.com

ocsp.digicert.cn.w.cdngslb.com

IN A

47.246.48.205

163.171.140.79:80

http://www.ip138.com/ips8.asp

http

6efed9.exe

385 B
814 B
5
5

HTTP Request

GET http://www.ip138.com/ips8.asp

HTTP Response

301
163.171.140.79:443

www.ip138.com

tls

6efed9.exe

744 B
5.1kB
9
10
47.246.48.211:80

http://crl.digicert.cn/DigiCertBasicRSACNCAG2.crl

http

6efed9.exe

602 B
4.8kB
7
8

HTTP Request

GET http://crl.digicert.cn/DigiCertGlobalRootCA.crl

HTTP Response

200

HTTP Request

GET http://crl.digicert.cn/DigiCertBasicRSACNCAG2.crl

HTTP Response

200
47.246.48.205:80

ocsp.digicert.cn

6efed9.exe

152 B
3

8.8.8.8:53

www.ip138.com

dns

6efed9.exe

59 B
109 B
1
1

DNS Request

www.ip138.com

DNS Response

163.171.140.79
8.8.8.8:53

ocsp.digicert.cn

dns

6efed9.exe

310 B
5

DNS Request

ocsp.digicert.cn

DNS Request

ocsp.digicert.cn

DNS Request

ocsp.digicert.cn

DNS Request

ocsp.digicert.cn

DNS Request

ocsp.digicert.cn
8.8.8.8:53

crl.digicert.cn

dns

6efed9.exe

61 B
120 B
1
1

DNS Request

crl.digicert.cn

DNS Response

47.246.48.211
8.8.8.8:53

ocsp.digicert.cn

dns

6efed9.exe

62 B
122 B
1
1

DNS Request

ocsp.digicert.cn

DNS Response

47.246.48.205

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
memory/1176-63-0x0000000000400000-0x00000000007AC000-memory.dmp

Filesize
3.7MB

Download
memory/1476-64-0x0000000000400000-0x00000000007AC000-memory.dmp

Filesize
3.7MB

Download
memory/1476-62-0x00000000028F0000-0x0000000002C9C000-memory.dmp

Filesize
3.7MB

Download
memory/1476-54-0x0000000000400000-0x00000000007AC000-memory.dmp

Filesize
3.7MB

Download
memory/1476-55-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.