d62691461eb5832753f96b69b659284dbb5f069659b273f1407a1c93f96bbd1b

General

Target

更新器.exe
Size

1.6MB
MD5

cdff29ac5a4f348f38579e6972019161
SHA1

0d5db19c786f0d0dfe8047a06a451b8b21a2b0fb
SHA256

d62691461eb5832753f96b69b659284dbb5f069659b273f1407a1c93f96bbd1b
SHA512

9a54c5d0c68a840b4af1996eba973246c30cada825f4d4652b316bd557f412ff81641df1d4d82395ed560310ea679737cad716976f70faa68cb861cad22d329a
SSDEEP

24576:p57Ojs72qxLZMYiIf+L3qYS/LLTphkQbauR2I9eMc2oFT/Dg8fOqsXh2O:pjHKYqqYaLTpvbauYI9ibi8GJL

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-1-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral1/memory/2772-4-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral1/memory/2772-3-0x0000000010000000-0x00000000100BE000-memory.dmp	upx
behavioral1/memory/2772-27-0x0000000010000000-0x00000000100BE000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	更新器.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	更新器.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2772	更新器.exe
2772	更新器.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2772	更新器.exe
2772	更新器.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2224	2772	更新器.exe	28
PID 2772 wrote to memory of 2224	2772	更新器.exe	28
PID 2772 wrote to memory of 2224	2772	更新器.exe	28
PID 2772 wrote to memory of 2224	2772	更新器.exe	28
PID 2224 wrote to memory of 2356	2224	cmd.exe	30
PID 2224 wrote to memory of 2356	2224	cmd.exe	30
PID 2224 wrote to memory of 2356	2224	cmd.exe	30
PID 2224 wrote to memory of 2356	2224	cmd.exe	30
PID 2224 wrote to memory of 2880	2224	cmd.exe	31
PID 2224 wrote to memory of 2880	2224	cmd.exe	31
PID 2224 wrote to memory of 2880	2224	cmd.exe	31
PID 2224 wrote to memory of 2880	2224	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\更新器.exe
"C:\Users\Admin\AppData\Local\Temp\更新器.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Close.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "" /f
    3⤵
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Close.bat

Filesize
246B

MD5
8d8ddd6f8340c09eb393592f7c0280bc

SHA1
81d9c0fda17f4764d8ef2bf130b0b42c36139d34

SHA256
a7d2335aab1e69fc6326a8b9282f004a466219d9827cff173782a87195086c85

SHA512
d4b89b174943073ad880c98371968aa6bbb4a3e04d780abe6eba0a616b9791f7a4bb6a882affa0bff454eecab1ab33267b52de45d4fe8d63bf9b0616bcfcf3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Close.bat

Filesize
246B

MD5
8d8ddd6f8340c09eb393592f7c0280bc

SHA1
81d9c0fda17f4764d8ef2bf130b0b42c36139d34

SHA256
a7d2335aab1e69fc6326a8b9282f004a466219d9827cff173782a87195086c85

SHA512
d4b89b174943073ad880c98371968aa6bbb4a3e04d780abe6eba0a616b9791f7a4bb6a882affa0bff454eecab1ab33267b52de45d4fe8d63bf9b0616bcfcf3dd

Download Submit
memory/2772-1-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/2772-4-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/2772-3-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download
memory/2772-27-0x0000000010000000-0x00000000100BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing