5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147

General

Target

5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
Size

736KB
MD5

ff2094fd7c2a1a0c184043125709153c
SHA1

124b5fc18c34e4a8eaa980cab55f0be2c133ce79
SHA256

5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147
SHA512

9c930adb19192793612d0ad5e6fdde4055926e2f40b07cc800f1ae4158cac95287e2f5c304f5f42ee926e47ccb97c5afa1d4e348e8e609fc4790fe49c2034381
SSDEEP

12288:VuldXWz7yXxbSBudVOxpdDvi/wdFC4cs06jvCso7ZF9V6p:VuldXWz7yXxGBWVcpd2odo4T0SKsEF9K

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1600	Tool.exe
820	Yun.exe

Loads dropped DLL 4 IoCs

pid	Process
1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
1600	Tool.exe
1600	Tool.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\org.Tool = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Tool\\Tool.exe"	Tool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\org.Yun = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Tool\\Yun.exe"	Yun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\com.Xun = "C:\\Users\\Admin\\AppData\\Local\\XunSDK\\2.98\\Saved\\Files\\Xun.exe"	Tool.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
1600	Tool.exe
1600	Tool.exe
1600	Tool.exe
1600	Tool.exe
820	Yun.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
1600	Tool.exe
1600	Tool.exe
820	Yun.exe
820	Yun.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1600	1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe	29
PID 1696 wrote to memory of 1600	1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe	29
PID 1696 wrote to memory of 1600	1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe	29
PID 1696 wrote to memory of 1600	1696	5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe	29
PID 1600 wrote to memory of 820	1600	Tool.exe	30
PID 1600 wrote to memory of 820	1600	Tool.exe	30
PID 1600 wrote to memory of 820	1600	Tool.exe	30
PID 1600 wrote to memory of 820	1600	Tool.exe	30

C:\Users\Admin\AppData\Local\Temp\5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe
"C:\Users\Admin\AppData\Local\Temp\5c063db1ef8543cd5980c62f695a30b15964ba66d9aa2d1c4432eba4716e3147.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe
  C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe
    Yun.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit
\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit
\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads