849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237

General

Target

849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe
Size

736KB
MD5

8b54c5d6c5a90cab8a3ed073cdcdb082
SHA1

83838e82eb575ca872aa049431540484f2d80383
SHA256

849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237
SHA512

4aac4785c2243c8212e3fe9dce89b55d13072f4f2cd019d06bccdd93c37041ec1e25cd5cd84425bd3623978bc3a0d309a5f29579cdb8a801aa023001e08a5c10
SSDEEP

12288:VuldXWz7yXxbSBudVOxpdDvi/wdFC4cs06jvCso7ZF9V6w:VuldXWz7yXxGBWVcpd2odo4T0SKsEF9L

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
108	Tool.exe
1968	Yun.exe

Loads dropped DLL 4 IoCs

pid	Process
1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe
1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe
108	Tool.exe
108	Tool.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\org.Tool = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Tool\\Tool.exe"	Tool.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\org.Yun = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Tool\\Yun.exe"	Yun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\com.Xun = "C:\\Users\\Admin\\AppData\\Local\\XunSDK\\2.98\\Saved\\Files\\Xun.exe"	Tool.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe
1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe
108	Tool.exe
108	Tool.exe
108	Tool.exe
108	Tool.exe
1968	Yun.exe
108	Tool.exe
1968	Yun.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe
1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe
108	Tool.exe
108	Tool.exe
1968	Yun.exe
1968	Yun.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 108	1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe	30
PID 1372 wrote to memory of 108	1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe	30
PID 1372 wrote to memory of 108	1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe	30
PID 1372 wrote to memory of 108	1372	849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe	30
PID 108 wrote to memory of 1968	108	Tool.exe	31
PID 108 wrote to memory of 1968	108	Tool.exe	31
PID 108 wrote to memory of 1968	108	Tool.exe	31
PID 108 wrote to memory of 1968	108	Tool.exe	31

C:\Users\Admin\AppData\Local\Temp\849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe
"C:\Users\Admin\AppData\Local\Temp\849f6f466a8ae420834948514d5ad3e09b17acd78142c320e7a07d8ff2dc1237.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe
  C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe
    Yun.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit
C:\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit
\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
\Users\Admin\AppData\Local\Programs\Tool\Tool.exe

Filesize
3.8MB

MD5
000dd6813401bf1092fa4d71c6532099

SHA1
80de38d44e9bb1d9ef5d15b0e7ca3af1910552a4

SHA256
0e4f53f5bfa7ae8553e6cb3a6f5ed11da4f9034f904c76d8ecf860597c73251f

SHA512
c3e71a2ff3f50e603c95dced8f2ca93354fc7971941944d003c797ec65eeb827a22c66ad461f5a17e82d9970117a48698063d13cecbde923ea7c646768f0be8d

Download Submit
\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit
\Users\Admin\AppData\Local\Programs\Tool\Yun.exe

Filesize
744KB

MD5
f3391341dc27419ca256ceb9e02f5171

SHA1
9d847eb35e9265d35262e906ae7f7f88e1af6f95

SHA256
da2c549c6acff2070a37c8585ab4f1ba07d0172fbf79da50b11e2d53bba58609

SHA512
1edb9ebb68325e58132b825f9015f6318498c2a7cce021a5ef980223dbbf0da7c5c8facbb95784ca50510af0db4bf78a5a6d62404109df8889af4df3ebbc9c07

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads