78f3c6c29aee2c929396a110dff21af45fac3563ea9108f136221a0107cb6ad5

Resubmissions

22/12/2023, 10:03

231222-l3e7safdhj 8

22/12/2023, 08:56

231222-kv19lsgab9 7

14/08/2023, 12:27

230814-pmrsesca25 7

Analysis

max time kernel
142s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2023, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume1/Users/RinuThomas/Documents/Rkays office/PAAET/transas 01-2013 mfc & tgs/david.exe
Size

5.8MB
MD5

8b15eb749457b601495c87f465c525f4
SHA1

13ddfa1862b74bdbbc06fc8766b36b9b73b25760
SHA256

3b61ce3d5d75fe4a90313741cdfa71c47ba6543fc568ab3293ed33983ff717d8
SHA512

370692e5d36d3fe4d4f42cd3d5d00987b54ca834582b6668f30d44beba1540ad1aa31f2429d0aac0350465b53e72f8ffc67ac459005b7f2a585e4219d4b2022f
SSDEEP

98304:JlN/A476UGGtP3G0FWPuJeXIWPafmioWzyN52lop0vBmL+1fKdqFT0CHVHkVE29L:JH/6UGGRGUeuoXI/mioWzm5u2gcL+tFe

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4148	ApnStub.exe

Loads dropped DLL 6 IoCs

pid	Process
4148	ApnStub.exe
4148	ApnStub.exe
3264	david.exe
3264	david.exe
3264	david.exe
3264	david.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	ApnStub.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	ApnStub.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 4148	3264	david.exe	82
PID 3264 wrote to memory of 4148	3264	david.exe	82
PID 3264 wrote to memory of 4148	3264	david.exe	82

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\RinuThomas\Documents\Rkays office\PAAET\transas 01-2013 mfc & tgs\david.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\RinuThomas\Documents\Rkays office\PAAET\transas 01-2013 mfc & tgs\david.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\ApnStub.exe
  "C:\Users\Admin\AppData\Local\Temp\ApnStub.exe" /tb=IMB
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\APNIC.dll

Filesize
240KB

MD5
197215658b8015182192e1ebca3bbcc3

SHA1
40e49124ad0b55a25f947333ca88e9d0bc30a7e3

SHA256
08db125c09eb53cc28e7bc7c427b6c2217ff6134a122e6d65d1d24f70e875d9e

SHA512
5fe9d6c96c817bd64ea78ff511734e9e11e6ca13b4506b589156a801fa4fed568c37d958cfafb96ad86ee1229ceeb35165965cb776f3a74cafaedb1a946bbf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ApnIC.dll

Filesize
240KB

MD5
197215658b8015182192e1ebca3bbcc3

SHA1
40e49124ad0b55a25f947333ca88e9d0bc30a7e3

SHA256
08db125c09eb53cc28e7bc7c427b6c2217ff6134a122e6d65d1d24f70e875d9e

SHA512
5fe9d6c96c817bd64ea78ff511734e9e11e6ca13b4506b589156a801fa4fed568c37d958cfafb96ad86ee1229ceeb35165965cb776f3a74cafaedb1a946bbf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ApnIC.dll

Filesize
240KB

MD5
197215658b8015182192e1ebca3bbcc3

SHA1
40e49124ad0b55a25f947333ca88e9d0bc30a7e3

SHA256
08db125c09eb53cc28e7bc7c427b6c2217ff6134a122e6d65d1d24f70e875d9e

SHA512
5fe9d6c96c817bd64ea78ff511734e9e11e6ca13b4506b589156a801fa4fed568c37d958cfafb96ad86ee1229ceeb35165965cb776f3a74cafaedb1a946bbf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ApnStub.exe

Filesize
139KB

MD5
c36923084822c017f69396418a999d39

SHA1
fdc2005ced8acf86c68fe1b86b0698d0539e8ce0

SHA256
7a158fdeea8f7107be5ce40242546a503193aa1c278f74a4730871b8edd0ba76

SHA512
fb1106d4f4a138cad28a4282cb00c72688e03610be1d31a7cdd7b42b23e00e4f7ca9e731a7ab016d5920411707e165e3ee48164ef520112d8ac36fad85749c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ApnStub.exe

Filesize
139KB

MD5
c36923084822c017f69396418a999d39

SHA1
fdc2005ced8acf86c68fe1b86b0698d0539e8ce0

SHA256
7a158fdeea8f7107be5ce40242546a503193aa1c278f74a4730871b8edd0ba76

SHA512
fb1106d4f4a138cad28a4282cb00c72688e03610be1d31a7cdd7b42b23e00e4f7ca9e731a7ab016d5920411707e165e3ee48164ef520112d8ac36fad85749c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7A04.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7A04.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7A04.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7A04.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7A04.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7A04.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk7A04.tmp\ioSpecial.ini

Filesize
497B

MD5
cf63b168549fbc0464d445038f3e6eab

SHA1
96cd97e9d674217abb63a26bd6d0a9bb52559caa

SHA256
13b12c1e78adab4655cb6d1a8e8f37accd420bc22141791c72d5007dfd92f9e6

SHA512
c288e1b6c0ffbe304f32b96d68dd735cfc8e3522d8b96ace31bbd0625dbe88b64526aef67dd0d55dd3f3f9865daf12021ab65812996616be0e0c409224ccdd39

Download Submit