a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda

General

Target

a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda.dll
Size

11.3MB
MD5

91ada1603422df496fc4497eb212e0e6
SHA1

ad4424daa647d61aa2cb0a3e6467a84c1ef03dde
SHA256

a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda
SHA512

2d053491122cbb616e38adf4a79e6d70791130a8d056ea5bdc3493d1e635ccbfd7484c4482c7d00ce0cf769981e3174179529bbc4d956a1f0d9dcdf08405133e
SSDEEP

196608:JbUspctu12q9EIHYNiVOdy2JLOfIK2A48UQbqtK+yrra/AZqQ1:Jb1Gu12ql4KY3FJAvUQGtK+yCT

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2820 created 420	2820	rundll32.exe	1

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2820	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	rundll32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2820-0-0x0000000010000000-0x0000000011155000-memory.dmp	upx
behavioral1/memory/2820-1-0x0000000010000000-0x0000000011155000-memory.dmp	upx
behavioral1/memory/2820-2-0x0000000010000000-0x0000000011155000-memory.dmp	upx
behavioral1/memory/2820-3-0x0000000010000000-0x0000000011155000-memory.dmp	upx
behavioral1/memory/2820-4-0x0000000002940000-0x0000000002C03000-memory.dmp	upx
behavioral1/memory/2820-5-0x0000000002940000-0x0000000002C03000-memory.dmp	upx
behavioral1/memory/2820-10-0x0000000010000000-0x0000000011155000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HPSocket4C.dll	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2\Blob = 5300000001000000230000003021301f060960864801a4a227020130123010060a2b0601040182373c0101030200c05c000000010000000400000000100000030000000100000014000000e403a1dfc8f377e0f4aa43a83ee9ea079a1f55f219000000010000001000000079d8e39856b0540913defb485e73ed621400000001000000140000000525862f6536a1e59d9eca5c0919ad0e3d96261d0f000000010000001400000052bf462203121ab271f48ff1a32d373fd9f12399040000000100000010000000dc911e8da3a186bb4d52eec0e57b515509000000010000004c000000304a060a2b0601040182370a0602060a2b0601040182370a060106082b0601050507030806082b0601050507030406082b0601050507030306082b0601050507030206082b060105050703012000000001000000d3050000308205cf308203b7a00302010202041eb132d5300d06092a864886f70d01010505003076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f742043413020170d3030303130313030303030305a180f32303939313233313233353935395a3076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b5bf164ce267332d80ffed87e949041ea0b8dd6e4389cc2ece1e2606c7dc4085d75631f5bf99e3b60a4dbe48dc7337e8edc95dd02aca568a119c2884dd8cecd0c174585e1b6ec89e47f37f28626bb42abb0f7cb0ee0f25d11e268026937bfc4587de5d7cd89d9cd3fee634120724a3771d3dec3ba265398f84274bc72d683be7982706d99e24f4ffe84370fb7b0c8d56449c1bdb2d53ca85a55ea12b4cb65aa691fbbceb57c3cb924ded732c252a968069030dbd3a2bf0c8fa027b7ab6afc325b439d4edc7bad1d3e57dfa244705d36bae516daa94378ea3a87e54aad21deb547b1bc659ca611b05da6f473f6dedfc7616bb9a86838cb2b1be86ff2169d4bcc9078527fa4e579acfc1d649339751c2e6521432cf6b5f26666f2c732ec567a2f5c89f62a34b4a73352238b02d981eaf905c6a66ebe570b20d6ae57d978420f34ab679268d8910217031fa6c69831f485eab30c445789242977e2c9d2df3f0f1aa4ec0cae5612418ffdf0127b7d5809e7a1803121d5b0ff82537ab112a49d7946a51ec8c4691332d5ffa415471f2d95e104400776c21250ae00d587b233b22a596db169e0583c0027c59814544963e66a5eb293ea11523e338d924244bd36b6d27227eecf848c3aef39b756123595c646d36d6cdf570b72fe9fbef779e0afa1db7cf4cc81964b366441f8032337a328f3c988997d0a27d2d8dce891c221a514ab30203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604140525862f6536a1e59d9eca5c0919ad0e3d96261d301f0603551d230418301680140525862f6536a1e59d9eca5c0919ad0e3d96261d300d06092a864886f70d01010505000382020100ad21caaf24b3bfa5ae380783453b61419a4625b1adf976ca6ee77f802063842fd2ca4879ddf39df1a0ca779bb313fb86d1241607b6df5e868ad9cddb69e19baf3107c22cf951569dc8d5f89db4b4ab7b859b61482b10df9bfcce81c4f1b86c77d40a5ee2805a460dd0d6ea165f86e67085097d159090416b07de58ece97764bd1ab9d3c197d1e52aa132182f68fe1962f194b22e1a5a9d4d25c46c9e97a8a6fde4ec57296b4a509eb6dcc8be7b25ff104ef9892d413c93662351b7f3bab4725aaadd18adf65efba74224dbd1dd718356d68e205046d648ac74e11d3be7494d0dba37c51a467af57c721a25968ab1e6a48416009cfb2ac1c063245d93ec2459ac262778e907e4b9aa5bf666db808344c83857d632ae46fe2daba83d1497a155bb9da767ca7fe567b218dffda7aa61055501b2f515cd0fd8b830a67c82b765f52cf80f077ea177480395a29c8dbe9cd572715257a7cef58ad63218e05d16f0096bd496e12d17bf7790b9ddb6318fb91a2a3f3395dd55e4ba739c2c8d15442fbc8de41bade132d1a23fb5a2844e6b08062208f9191e1f3ca0a5504e07cf4b3f2baa683bdc0dc10a8a6631b3d46481641798a4a37b35ada800104d8bc70c0fc31f6615284cb1229592ee072139b6a15a8ad9e1a8135bb4fe7b426d5e69ca1a9a420d7ce3612490d4d9421835a89a05f14e3ca3fd987c51cd62f2926945cfbff32caa	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2820	rundll32.exe
2820	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2820	rundll32.exe
Token: SeDebugPrivilege	2820	rundll32.exe
Token: SeDebugPrivilege	2820	rundll32.exe
Token: SeDebugPrivilege	2820	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2820	1272	rundll32.exe	28
PID 1272 wrote to memory of 2820	1272	rundll32.exe	28
PID 1272 wrote to memory of 2820	1272	rundll32.exe	28
PID 1272 wrote to memory of 2820	1272	rundll32.exe	28
PID 1272 wrote to memory of 2820	1272	rundll32.exe	28
PID 1272 wrote to memory of 2820	1272	rundll32.exe	28
PID 1272 wrote to memory of 2820	1272	rundll32.exe	28
PID 2820 wrote to memory of 2720	2820	rundll32.exe	30
PID 2820 wrote to memory of 2720	2820	rundll32.exe	30
PID 2820 wrote to memory of 2720	2820	rundll32.exe	30
PID 2820 wrote to memory of 2720	2820	rundll32.exe	30
PID 2820 wrote to memory of 2612	2820	rundll32.exe	31
PID 2820 wrote to memory of 2612	2820	rundll32.exe	31
PID 2820 wrote to memory of 2612	2820	rundll32.exe	31
PID 2820 wrote to memory of 2612	2820	rundll32.exe	31
PID 2820 wrote to memory of 2612	2820	rundll32.exe	31
PID 2820 wrote to memory of 2612	2820	rundll32.exe	31
PID 2820 wrote to memory of 2612	2820	rundll32.exe	31

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe
  2⤵
  PID:2612

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda.dll,#1
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe
    3⤵
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\HPSocket4C.dll

Filesize
2.8MB

MD5
4bc970a97300b1a725d44bba23d8697a

SHA1
6f1eb181153692814e038e2f851d0734646f78f8

SHA256
c9d8fb5311ae6018dc1ca72774cb7efeba5c115c827a5cfb795b3580499e323d

SHA512
03968ca876b7e584de0a1418cca1dd2036fd0b4744f86d69aee5691a42061e284f8d9577293ef3f656be332f7da5ca276f85c6393bd6d8eb7de181baec0285f8

Download Submit
memory/2820-0-0x0000000010000000-0x0000000011155000-memory.dmp

Filesize
17.3MB

Download
memory/2820-1-0x0000000010000000-0x0000000011155000-memory.dmp

Filesize
17.3MB

Download
memory/2820-2-0x0000000010000000-0x0000000011155000-memory.dmp

Filesize
17.3MB

Download
memory/2820-3-0x0000000010000000-0x0000000011155000-memory.dmp

Filesize
17.3MB

Download
memory/2820-4-0x0000000002940000-0x0000000002C03000-memory.dmp

Filesize
2.8MB

Download
memory/2820-5-0x0000000002940000-0x0000000002C03000-memory.dmp

Filesize
2.8MB

Download
memory/2820-10-0x0000000010000000-0x0000000011155000-memory.dmp

Filesize
17.3MB

Download
memory/2820-11-0x0000000002940000-0x0000000002C03000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing