091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe
Size

613KB
MD5

68130a2c7147f4f537cc9e48bc16c049
SHA1

97c41147b6accfbee09e9d0d5163f44c65d77533
SHA256

091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe
SHA512

1fe44336627b6692f4e612f08004151806c0997f97834160a6107c94827ddd970ad88d8be5e387f4bed648fed44a1f599370d0aaf0fed50b1d85f603df1628bc
SSDEEP

6144:Dz1xOecgEnOxUwWz1w4mcH+dZvF4lBFusBQvqScPeAC:31seJzWz1l+LIF2

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
53	3424	rundll32.exe
60	3424	rundll32.exe
64	3424	rundll32.exe
66	3424	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/316-0-0x0000000000310000-0x00000000003A7000-memory.dmp	upx
behavioral2/memory/316-24-0x0000000000310000-0x00000000003A7000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\kbdibm02JIpY.sys	rundll32.exe
File created	C:\Windows\System32\WLanConnfO.sys	rundll32.exe
File created	C:\Windows\System32\TelephonyInteractiveUserRes0RU.sys	rundll32.exe
File created	C:\Windows\System32\PlayToReceiverXmW.sys	rundll32.exe
File created	C:\Windows\System32\Windows.Internal.UI.Logon.ProxyStubwv0a.sys	rundll32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowRedSystem483.log	rundll32.exe
File opened for modification	C:\Windows\WindowsShell32702.log	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe
File opened for modification	C:\Windows\WindowSystemNewUpdate40.log	doskey.exe
File opened for modification	C:\Windows\WindowTerminalVaild22.log	doskey.exe
File opened for modification	C:\Windows\WindowMicrosoftNET03.log	doskey.exe
File opened for modification	C:\Windows\WindowsShell1471426.log	doskey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9743EE39882EFD63036E6EAD3AFFD6D765628161	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\9743EE39882EFD63036E6EAD3AFFD6D765628161\Blob = 0300000001000000140000009743ee39882efd63036e6ead3affd6d7656281612000000001000000a7030000308203a33082028ba003020102020900fbf05b1de85f7471300d06092a864886f70d01010b05003068310b3009060355040613024245311a3018060355040a0c11476c6f62616c5369676e206e762d736132313d303b06035504030c34476c6f62616c5369676e204f7267616e697a6174696f6e2056616c69646174696f6e204341202d20534841323536202d20473230301e170d3230303730343033313932375a170d3330303730323033313932375a3068310b3009060355040613024245311a3018060355040a0c11476c6f62616c5369676e206e762d736132313d303b06035504030c34476c6f62616c5369676e204f7267616e697a6174696f6e2056616c69646174696f6e204341202d20534841323536202d2047323030820122300d06092a864886f70d01010105000382010f003082010a0282010100cc61da00673a536137db9ce83a8be1de99f849f34478baf32c5c5054ce3e282a76ec8312bd3464f920bf58425395e092d085f90c213b925e0871b1ea0f4753e00fc6c125462ed2d6d9c2ef5f05f0a8962982e990871c17a0aab47730728c0adb85e9f1c3f418bf34b7518281c1f9e6c475cf4076f6bf079e5b293f8d7da1e615e77cf9c537e08cec62bc50a64680cedafa1c831e04cdbd4c2cc584d01b0e9cd8bf563aaed9073596dd47a5f251f17d2aad4a2ceab564b4eace34ac1feacb5e2fbb4708856ed8492aede77cf4efe0c9393a94f521a23b7b91d2e11d1cbfc03a30f830a10219c80bc29ecb19f8ddf90c1a33bd8a062436b449a5ebd15298d5af070203010001a350304e301d0603551d0e041604149f643ac2270b3df4fb5275f235218f24ccfab143301f0603551d230418301680149f643ac2270b3df4fb5275f235218f24ccfab143300c0603551d13040530030101ff300d06092a864886f70d01010b050003820101007146eaba5a2022fafd1e8b3691ce98ac13170cbd01306433966ba6fba7c1e71da1726f86000e111a449ee8099595a532f83adba6f1f8d3a4eff5f5ea912a4503c91107db5e5ba18393555755067f4362508b123c0bc7b9eb6c300781351ba08fced43e12801c210e3ba73f24c5bceee2890b1a690033078f10a1f708f617cae77f834be56609126cb78d72d57ffa48439ffba9f50f495e3f073b1163a1e6b761180c4dccd76b50f9350046c5a1a3befaf6ca11cd31e7997d6dd4f5193a12801aad5fbb0779745de07edb50628d4a5d39109d7381133568e363578ffa7866784a3404e4e6b7a563c9830c7607b3956e7878ca2de421aafa979f17971a47198cdf	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe
3424	rundll32.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe
Token: SeDebugPrivilege	4996	doskey.exe
Token: SeIncBasePriorityPrivilege	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe
Token: SeDebugPrivilege	4996	doskey.exe
Token: SeDebugPrivilege	4996	doskey.exe
Token: SeDebugPrivilege	4996	doskey.exe
Token: SeDebugPrivilege	4996	doskey.exe
Token: SeDebugPrivilege	3424	rundll32.exe
Token: SeDebugPrivilege	4996	doskey.exe
Token: SeDebugPrivilege	4996	doskey.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4996	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe	82
PID 316 wrote to memory of 4996	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe	82
PID 316 wrote to memory of 4996	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe	82
PID 316 wrote to memory of 4996	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe	82
PID 316 wrote to memory of 4996	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe	82
PID 316 wrote to memory of 4996	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe	82
PID 316 wrote to memory of 1940	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe	84
PID 316 wrote to memory of 1940	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe	84
PID 316 wrote to memory of 1940	316	091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe	84
PID 4996 wrote to memory of 3424	4996	doskey.exe	94
PID 4996 wrote to memory of 3424	4996	doskey.exe	94
PID 4996 wrote to memory of 3424	4996	doskey.exe	94
PID 4996 wrote to memory of 3424	4996	doskey.exe	94
PID 4996 wrote to memory of 3424	4996	doskey.exe	94
PID 4996 wrote to memory of 3424	4996	doskey.exe	94

C:\Users\Admin\AppData\Local\Temp\091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe
"C:\Users\Admin\AppData\Local\Temp\091afe600863a24769a2a7b5014ef3a0186b492bf0409b2905d92070dad19dfe.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\doskey.exe
  "C:\Windows\SysWOW64\doskey.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\091AFE~1.EXE > nul
  2⤵
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowRedSystem483.log

Filesize
8KB

MD5
7b95330a628d6518b7ec2e80c9482fad

SHA1
44672586e825d91da9d4c4c6c70205d6289ff0e5

SHA256
0bcb584d64cc4f24440158c069cb14efef3f54ff502600354eed4a92e4f26b34

SHA512
8168d6d40ce526b5e5d493e15620e7af75c81f7804a7ac99328628d2323bec12e8bccd96e66a58c1d9584dcffeada3af2e13df32277d0fa8b911ec94e63b47fe

Download Submit
C:\Windows\WindowSystemNewUpdate40.log

Filesize
6KB

MD5
2cb4adb67f08754faf22abcabf76bd01

SHA1
0b3d59228ee20772d1a3a66f28a117ab4321c20a

SHA256
8784f61e6f24d348f83928b0b2a46fa95c8869237394efcd153837f562fa494b

SHA512
4ba1cd24d381ab9e46545d968a141c0f4ea070c4665852a7ee4d0b75d08779d1c167e00cf14839a1c9d5c7fcc418276603cc7d34ecaf1c7973cd0d84b24f6d96

Download Submit
memory/316-24-0x0000000000310000-0x00000000003A7000-memory.dmp

Filesize
604KB

Download
memory/316-0-0x0000000000310000-0x00000000003A7000-memory.dmp

Filesize
604KB

Download
memory/3424-132-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3424-101-0x0000000000400000-0x0000000000A0C000-memory.dmp

Filesize
6.0MB

Download
memory/3424-213-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3424-128-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3424-113-0x0000000010000000-0x0000000010601000-memory.dmp

Filesize
6.0MB

Download
memory/3424-108-0x0000000000B70000-0x0000000000B8B000-memory.dmp

Filesize
108KB

Download
memory/3424-107-0x0000000000B70000-0x0000000000B8B000-memory.dmp

Filesize
108KB

Download
memory/3424-104-0x0000000000B70000-0x0000000000B8B000-memory.dmp

Filesize
108KB

Download
memory/4996-59-0x0000000003DA0000-0x0000000003E06000-memory.dmp

Filesize
408KB

Download
memory/4996-36-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-75-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-13-0x0000000001570000-0x000000000158B000-memory.dmp

Filesize
108KB

Download
memory/4996-50-0x0000000003590000-0x00000000035C8000-memory.dmp

Filesize
224KB

Download
memory/4996-47-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-44-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-45-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-119-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-123-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-124-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-69-0x0000000004790000-0x0000000004C69000-memory.dmp

Filesize
4.8MB

Download
memory/4996-5-0x0000000001570000-0x000000000158B000-memory.dmp

Filesize
108KB

Download
memory/4996-155-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-157-0x0000000003AC0000-0x0000000003BB9000-memory.dmp

Filesize
996KB

Download
memory/4996-7-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/4996-3-0x0000000001570000-0x000000000158B000-memory.dmp

Filesize
108KB

Download
memory/4996-2-0x0000000000F90000-0x0000000000FF7000-memory.dmp

Filesize
412KB

Download
memory/4996-279-0x000000000A590000-0x000000000A913000-memory.dmp

Filesize
3.5MB

Download
memory/4996-281-0x000000000A590000-0x000000000A913000-memory.dmp

Filesize
3.5MB

Download
memory/4996-289-0x000000000A590000-0x000000000A913000-memory.dmp

Filesize
3.5MB

Download