e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1

Analysis

max time kernel
253s
max time network
341s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 23:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
Size

1.1MB
MD5

231fa204c0f18729b2a10197e657a639
SHA1

8c8b9c08dc581211b467c6af6db4cee111de0ac8
SHA256

e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1
SHA512

28aafc4e22f37511851ffaf3f846d5212a5ef7fe8ea35164e9ad6bec0da207c89f4c0b50253641b480acf070d8491966e76e8f0a45283a0102af0bb353272841
SSDEEP

24576:W9kY7vgEeJPq34ZTdQXtnqhz2cOmsRQsmjmPOIzAFMn0kb:W9kYuZTdAtS2lpSovcFA

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1176	6efed9.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1476-54-0x0000000000400000-0x00000000007AC000-memory.dmp	upx
behavioral1/files/0x0009000000012306-56.dat	upx
behavioral1/files/0x0009000000012306-57.dat	upx
behavioral1/files/0x0009000000012306-59.dat	upx
behavioral1/files/0x0009000000012306-61.dat	upx
behavioral1/memory/1176-63-0x0000000000400000-0x00000000007AC000-memory.dmp	upx
behavioral1/memory/1476-64-0x0000000000400000-0x00000000007AC000-memory.dmp	upx
behavioral1/files/0x0009000000012306-66.dat	upx
behavioral1/files/0x0009000000012306-67.dat	upx
behavioral1/files/0x0009000000012306-68.dat	upx
behavioral1/files/0x0009000000012306-69.dat	upx
behavioral1/files/0x0009000000012306-71.dat	upx
behavioral1/files/0x0009000000012306-70.dat	upx
behavioral1/files/0x0009000000012306-72.dat	upx

Loads dropped DLL 9 IoCs

pid	Process
1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1104	1176	WerFault.exe	28

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	6efed9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	6efed9.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
1176	6efed9.exe
1176	6efed9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1176	1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe	28
PID 1476 wrote to memory of 1176	1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe	28
PID 1476 wrote to memory of 1176	1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe	28
PID 1476 wrote to memory of 1176	1476	e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe	28
PID 1176 wrote to memory of 1104	1176	6efed9.exe	31
PID 1176 wrote to memory of 1104	1176	6efed9.exe	31
PID 1176 wrote to memory of 1104	1176	6efed9.exe	31
PID 1176 wrote to memory of 1104	1176	6efed9.exe	31

C:\Users\Admin\AppData\Local\Temp\e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe
"C:\Users\Admin\AppData\Local\Temp\e12939bdbd14385f92d16b103a3f6c3e67f2b9cbc5cf8a66dce3c469ccd3dce1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe
  C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe 7274217
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1488
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
\Users\Admin\AppData\Local\Temp\ÅäÖÃ\6efed9.exe

Filesize
1.1MB

MD5
446ff66ac4f7792bb8d208140a6cfda8

SHA1
f30d741710d1a7526826e03ed035654219f8a34c

SHA256
f49039dce5499c87cb522efbe404bfa714819c760a38626c9db15e76b64243b6

SHA512
68096b10e15af2e95b91fe2755be7984f47cb738c11c26a2c2c47a50b8d7e25de8214e367b6f03a17c48a3c79dc8ccef794836f92e4ed083b7c99bb1f8ed3cd6

Download Submit
memory/1176-63-0x0000000000400000-0x00000000007AC000-memory.dmp

Filesize
3.7MB

Download
memory/1476-64-0x0000000000400000-0x00000000007AC000-memory.dmp

Filesize
3.7MB

Download
memory/1476-62-0x00000000028F0000-0x0000000002C9C000-memory.dmp

Filesize
3.7MB

Download
memory/1476-54-0x0000000000400000-0x00000000007AC000-memory.dmp

Filesize
3.7MB

Download
memory/1476-55-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download