765de118f31a59a06fc0252230586dd08eed13fd0fa6c1292d78111a9062aaa3

General

Target

vrc.exe
Size

5.3MB
MD5

a3d69504d077663d0ebe8d380601f9f6
SHA1

a56a95746b8da208c87346fee9d63b52d8fd6884
SHA256

765de118f31a59a06fc0252230586dd08eed13fd0fa6c1292d78111a9062aaa3
SHA512

f7cf3c80a4b99ab0eab878da632c2226705ed1ef1655afdd402e2a951bcc29b6a848a53e1cdb3ab5d8cf5accc17128d3284b03d6279ed13ed355d6099bf3d6e8
SSDEEP

98304:lK5wb+Qufg6cyoavrrzbbqbdkOnQOQfxw8vuaVtLhnRkN0o8q2iEYbXGMFW:lbKQwnHhrrza5nhQpvvlhRkNKq5E2HW

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012732-56.dat	upx
behavioral1/files/0x0008000000012732-59.dat	upx
behavioral1/memory/1840-63-0x0000000000400000-0x00000000005C4000-memory.dmp	upx
behavioral1/memory/1840-80-0x0000000000400000-0x00000000005C4000-memory.dmp	upx

Executes dropped EXE 1 IoCs

pid	Process
1840	_getjava.exe

Loads dropped DLL 1 IoCs

pid	Process
904	vrc.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	_getjava.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	_getjava.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1840	904	vrc.exe	27
PID 904 wrote to memory of 1840	904	vrc.exe	27
PID 904 wrote to memory of 1840	904	vrc.exe	27
PID 904 wrote to memory of 1840	904	vrc.exe	27
PID 904 wrote to memory of 1840	904	vrc.exe	27
PID 904 wrote to memory of 1840	904	vrc.exe	27
PID 904 wrote to memory of 1840	904	vrc.exe	27

C:\Users\Admin\AppData\Local\Temp\vrc.exe
"C:\Users\Admin\AppData\Local\Temp\vrc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\X1BB6388\_getjava.exe
  C:\Users\Admin\AppData\Local\Temp\X1BB6388\_getjava.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X1BB6388\_getjava.exe

Filesize
889KB

MD5
fca7e3e1e249e2563f5122dc7e960351

SHA1
39e7b79e410992ef44f60eda6816ef801e12a13a

SHA256
9a1d5cb6e905830f7660656b134b453c74ff7c7baa757791bb6c7a0573fb58b0

SHA512
44f5b8ab6f8068fa2556149a1802584954f140a5ff21fab13562080a3cdb9c905f1bb421e59493774fc07fb79d55e8b860f381de72e745d7692d586b7e697959

Download Submit
\Users\Admin\AppData\Local\Temp\X1BB6388\_getjava.exe

Filesize
889KB

MD5
fca7e3e1e249e2563f5122dc7e960351

SHA1
39e7b79e410992ef44f60eda6816ef801e12a13a

SHA256
9a1d5cb6e905830f7660656b134b453c74ff7c7baa757791bb6c7a0573fb58b0

SHA512
44f5b8ab6f8068fa2556149a1802584954f140a5ff21fab13562080a3cdb9c905f1bb421e59493774fc07fb79d55e8b860f381de72e745d7692d586b7e697959

Download Submit
memory/904-62-0x0000000002B30000-0x0000000002CF4000-memory.dmp

Filesize
1.8MB

Download
memory/904-82-0x0000000002B30000-0x0000000002CF4000-memory.dmp

Filesize
1.8MB

Download
memory/1840-63-0x0000000000400000-0x00000000005C4000-memory.dmp

Filesize
1.8MB

Download
memory/1840-80-0x0000000000400000-0x00000000005C4000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing