de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc

General

Target

de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
Size

83KB
MD5

42d68211aeb022610c8c622f94683651
SHA1

5b336158cfc04c95238c1502eabc8db76a90e112
SHA256

de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc
SHA512

2b4051a1c9732141098410e70e072d22341bd312eaed2880aa7d35197902da38d034f694e989ebfdafc96c3e638f3fb2d4dcdbbb58d05505ac6c506971b0706f
SSDEEP

1536:8nHfhdq/LWoxOxjW2Slcnouy8oMgJKTOMlmx:aHuDtxGG8outTgJKCMgx

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1056	Acrobat.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4420-132-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral2/files/0x0008000000022df9-137.dat	upx
behavioral2/files/0x0008000000022df9-138.dat	upx
behavioral2/memory/1056-142-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
File opened (read-only)	\??\B:	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
File opened (read-only)	\??\E:	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Windows.Manifest	Acrobat.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TYPEDURLS	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2044	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4420	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
4420	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
4420	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
1056	Acrobat.exe
1056	Acrobat.exe
1056	Acrobat.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2488	4420	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe	98
PID 4420 wrote to memory of 2488	4420	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe	98
PID 4420 wrote to memory of 2488	4420	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe	98
PID 4420 wrote to memory of 1056	4420	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe	99
PID 4420 wrote to memory of 1056	4420	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe	99
PID 4420 wrote to memory of 1056	4420	de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe	99
PID 2488 wrote to memory of 2044	2488	cmd.exe	101
PID 2488 wrote to memory of 2044	2488	cmd.exe	101
PID 2488 wrote to memory of 2044	2488	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe
"C:\Users\Admin\AppData\Local\Temp\de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc.exe"
1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKCU\Software\yahoo\pager /v "Save Password" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCU\Software\yahoo\pager /v "Save Password" /f
    3⤵
    - Modifies registry key
    PID:2044
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat.exe
  "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat.exe

Filesize
83KB

MD5
42d68211aeb022610c8c622f94683651

SHA1
5b336158cfc04c95238c1502eabc8db76a90e112

SHA256
de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc

SHA512
2b4051a1c9732141098410e70e072d22341bd312eaed2880aa7d35197902da38d034f694e989ebfdafc96c3e638f3fb2d4dcdbbb58d05505ac6c506971b0706f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Acrobat.exe

Filesize
83KB

MD5
42d68211aeb022610c8c622f94683651

SHA1
5b336158cfc04c95238c1502eabc8db76a90e112

SHA256
de31908fa894a030c75f423955620326cf8c1c00bce19427b280e51b277ab5dc

SHA512
2b4051a1c9732141098410e70e072d22341bd312eaed2880aa7d35197902da38d034f694e989ebfdafc96c3e638f3fb2d4dcdbbb58d05505ac6c506971b0706f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
2e8dab0111c5f3e9103cae92a9e1cdaa

SHA1
5d16362cf320faeacf5963532354e99e0dce3e2b

SHA256
858dfc9a9af2e0400a91bf3660acb1a123960c5ad53df61b7f73663035e01ba8

SHA512
ee28bf368690e56ada1fc8538330cc22cb57a59a1a5012e73d3e0300dc7410b82f8c2a300625560e69bc19344acc333b2138ec49ca5ddf5f24a54debce685abb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9

Filesize
506B

MD5
37c10f2bde92a7126e4e1a44c73c5d31

SHA1
934121e8fa137a7ee135e6955cac5f31301b23f9

SHA256
686ab30b2fd395912abec41b17f8b29dc37389393c38c364186fcd69cf573e95

SHA512
4f3800b069253d81c611ed2c4be7a2456acb0af3c4d31be9b8c465ab1c99f11b2fc6c35263b7d7c7cb411bc01e7c18a1ecd11676050204feaea7597cac7dc06a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C6872375A2E1BC120603F5605C3CEC71

Filesize
472B

MD5
50964d71646920295f4a98db21a913c1

SHA1
8ede97a36ce131830b2a69f6225790dbd3f2ef8e

SHA256
aa282f0e5e4ab3690472c8c867419ea33a4fafba1594722e8ca9dcf1325fd46a

SHA512
02c8543fc6b930a0e43727a7614edf92143701c9c81c1452faa2104cb5310c2b0b25c8d441dcac7b9e695b6e64e019d3bede3be20bede395d895e57c4da261aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
42060c254ce537d681afdc4a199c7009

SHA1
24129420e1babdc45ebe03c1b654502eb9b88596

SHA256
5d1fe4580097ccadc9576da58f49f07c9d683529bf96de7e932f95363ca0fd22

SHA512
44a7f1db940cc6e494337f6c52dc624cad1fb44281662744f4b69a1f258ca10a74032efe69e61f9bd41e2fb71b5d54ec2a2cf9725e332ea44e9d89ce0d6e57fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9

Filesize
248B

MD5
0dcace0d7070e8d60e3ea079040f19a2

SHA1
a127629275c9d6ff2cc0cbf7e8c20cf7f44f8915

SHA256
a05e2bfdf9f5ab312283d0a24a41ddb73596ab5f01ea3b3cd39fdd08eed55252

SHA512
dad9aac5add63ff7d286d048d43f76c606352b4c3d1244ec75b856f7581a6a4e374e43ce4bd36fc063be6724e1b712066ee27ecaf9cbcad209754f8350d20dc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6872375A2E1BC120603F5605C3CEC71

Filesize
484B

MD5
9f7fcf33c46d41db998ad02f4d3d6552

SHA1
1e9e60962f603baee109597faa0f5137787e82d7

SHA256
86d098afca28dc3345fa438b03affe785315d63b9e6916c6399157aab0677e22

SHA512
8adf31095731bcfa75953d0af828b2fc8369d7e09544e2de30e50ff4a669557fcbf735e62f136619d88f7d9284e0250e8327d9a3d4caed5827c9edec34ab0004

Download Submit
memory/1056-142-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4420-132-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads