2658485e218c176ba75e2ab0df841c70c8528bad5622c2f5630fd81a8214212f

Analysis

max time kernel
118s
max time network
143s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12/01/2023, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft Office 2019 + Licencia/Office/OInstall.exe
Size

9.5MB
MD5

f71556138c9eb716330063156db4a6bc
SHA1

bd91945d407cbeee830c15280c8324459f0ff61a
SHA256

41ff83c380b958e918c4061c02a6077590d7630a01d7f2f0f448dc1a6fbf284a
SHA512

259642e8b2398122f00b031f6af4e79a2cea0831b4ef00c0f118f1fd28d32c92122a118921ce2af915f141273a2774ccf9abdfdc596175ac3c190e8f891c139e
SSDEEP

196608:vp1crEM65aqMLvUcm+oz3BkeBTAUW24t13Dr7m0mitn2xe7gXQZ+3jeRBTfYNCH1:hurEzabjm+4keB0vt1Dr7m0mc2xe7gAN

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1428	setup.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/1216-55-0x0000000000400000-0x00000000015B4000-memory.dmp	upx
behavioral3/memory/1216-57-0x0000000000400000-0x00000000015B4000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1428	setup.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1528	AUDIODG.EXE
Token: 33	1528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1528	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1428	setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1520	1216	OInstall.exe	28
PID 1216 wrote to memory of 1520	1216	OInstall.exe	28
PID 1216 wrote to memory of 1520	1216	OInstall.exe	28
PID 1216 wrote to memory of 1520	1216	OInstall.exe	28
PID 1216 wrote to memory of 1340	1216	OInstall.exe	31
PID 1216 wrote to memory of 1340	1216	OInstall.exe	31
PID 1216 wrote to memory of 1340	1216	OInstall.exe	31
PID 1216 wrote to memory of 1340	1216	OInstall.exe	31
PID 1340 wrote to memory of 1428	1340	cmd.exe	33
PID 1340 wrote to memory of 1428	1340	cmd.exe	33
PID 1340 wrote to memory of 1428	1340	cmd.exe	33
PID 1340 wrote to memory of 1428	1340	cmd.exe	33
PID 1340 wrote to memory of 1428	1340	cmd.exe	33
PID 1340 wrote to memory of 1428	1340	cmd.exe	33
PID 1340 wrote to memory of 1428	1340	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\Microsoft Office 2019 + Licencia\Office\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Office 2019 + Licencia\Office\OInstall.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c copy C:\Windows\system32\Tasks\OInstall "C:\Windows\Temp\OInstall.tmp" /Y
  2⤵
  PID:1520
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c C:\Users\Admin\AppData\Local\Temp\MICROS~1\Office\files\Setup.exe /configure Configure.xml
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\AppData\Local\Temp\MICROS~1\Office\files\setup.exe
    C:\Users\Admin\AppData\Local\Temp\MICROS~1\Office\files\Setup.exe /configure Configure.xml
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of SetWindowsHookEx
    PID:1428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MICROS~1\Office\files\Configure.xml

Filesize
542B

MD5
29fb6963f0eeb4afd22d9790e455224d

SHA1
320006caf740821af9ce9f6a05bdf218a4e91e26

SHA256
70067e1c0a1e07c7d3c62ad43693a589226ebb3e089951b203811c1b6f593a9f

SHA512
d1348b2eae945aa0d0508dc5dbe9e65bf5f8a65d22e5040c879321c696ccf3f089e37421fd1114d997aebda33e46c33fed70f969f6ef5d8f2c5edefd0e0f26bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MICROS~1\Office\files\setup.exe

Filesize
4.8MB

MD5
d4a7c7c3c92c4e9bc9bdee1c660e60db

SHA1
505c2d09923f957f6894f15fa2fd13615de6f4d1

SHA256
b95ac36a49e79c3e63e23eca86eac3d22acd80363d0f0aa83ba7ee7799acf2a5

SHA512
50fef647df8a13bc25b2cf5fab995664404953e3385ae0eafea6939c1587743014c0a1d277bc5b4cbad2a56bde92a3854f51cd1dcf7de710f219d15ebe141fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MICROS~1\Office\files\setup.exe

Filesize
4.8MB

MD5
d4a7c7c3c92c4e9bc9bdee1c660e60db

SHA1
505c2d09923f957f6894f15fa2fd13615de6f4d1

SHA256
b95ac36a49e79c3e63e23eca86eac3d22acd80363d0f0aa83ba7ee7799acf2a5

SHA512
50fef647df8a13bc25b2cf5fab995664404953e3385ae0eafea6939c1587743014c0a1d277bc5b4cbad2a56bde92a3854f51cd1dcf7de710f219d15ebe141fbb

Download Submit
memory/1216-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1216-55-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download
memory/1216-57-0x0000000000400000-0x00000000015B4000-memory.dmp

Filesize
17.7MB

Download