a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda

General

Target

a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda.dll
Size

11.3MB
MD5

91ada1603422df496fc4497eb212e0e6
SHA1

ad4424daa647d61aa2cb0a3e6467a84c1ef03dde
SHA256

a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda
SHA512

2d053491122cbb616e38adf4a79e6d70791130a8d056ea5bdc3493d1e635ccbfd7484c4482c7d00ce0cf769981e3174179529bbc4d956a1f0d9dcdf08405133e
SSDEEP

196608:JbUspctu12q9EIHYNiVOdy2JLOfIK2A48UQbqtK+yrra/AZqQ1:Jb1Gu12ql4KY3FJAvUQGtK+yCT

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4680 created 612	4680	rundll32.exe	80

Blocklisted process makes network request 1 IoCs

flow	pid	Process
40	4680	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4680	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4680-0-0x0000000010000000-0x0000000011155000-memory.dmp	upx
behavioral2/memory/4680-1-0x0000000002E00000-0x00000000030C3000-memory.dmp	upx
behavioral2/memory/4680-2-0x0000000002E00000-0x00000000030C3000-memory.dmp	upx
behavioral2/memory/4680-8-0x0000000010000000-0x0000000011155000-memory.dmp	upx
behavioral2/memory/4680-11-0x0000000010000000-0x0000000011155000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HPSocket4C.dll	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2\Blob = 5300000001000000230000003021301f060960864801a4a227020130123010060a2b0601040182373c0101030200c05c000000010000000400000000100000030000000100000014000000e403a1dfc8f377e0f4aa43a83ee9ea079a1f55f219000000010000001000000079d8e39856b0540913defb485e73ed621400000001000000140000000525862f6536a1e59d9eca5c0919ad0e3d96261d0f000000010000001400000052bf462203121ab271f48ff1a32d373fd9f12399040000000100000010000000dc911e8da3a186bb4d52eec0e57b515509000000010000004c000000304a060a2b0601040182370a0602060a2b0601040182370a060106082b0601050507030806082b0601050507030406082b0601050507030306082b0601050507030206082b060105050703012000000001000000d3050000308205cf308203b7a00302010202041eb132d5300d06092a864886f70d01010505003076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f742043413020170d3030303130313030303030305a180f32303939313233313233353935395a3076310b300906035504061302434e31233021060355040a0c1a4a656d6d794c6f76654a656e6e7920504b492053657276696365311e301c060355040b0c15706b692e6a656d6d796c6f76656a656e6e792e746b3122302006035504030c194a656d6d794c6f76654a656e6e7920455620526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b5bf164ce267332d80ffed87e949041ea0b8dd6e4389cc2ece1e2606c7dc4085d75631f5bf99e3b60a4dbe48dc7337e8edc95dd02aca568a119c2884dd8cecd0c174585e1b6ec89e47f37f28626bb42abb0f7cb0ee0f25d11e268026937bfc4587de5d7cd89d9cd3fee634120724a3771d3dec3ba265398f84274bc72d683be7982706d99e24f4ffe84370fb7b0c8d56449c1bdb2d53ca85a55ea12b4cb65aa691fbbceb57c3cb924ded732c252a968069030dbd3a2bf0c8fa027b7ab6afc325b439d4edc7bad1d3e57dfa244705d36bae516daa94378ea3a87e54aad21deb547b1bc659ca611b05da6f473f6dedfc7616bb9a86838cb2b1be86ff2169d4bcc9078527fa4e579acfc1d649339751c2e6521432cf6b5f26666f2c732ec567a2f5c89f62a34b4a73352238b02d981eaf905c6a66ebe570b20d6ae57d978420f34ab679268d8910217031fa6c69831f485eab30c445789242977e2c9d2df3f0f1aa4ec0cae5612418ffdf0127b7d5809e7a1803121d5b0ff82537ab112a49d7946a51ec8c4691332d5ffa415471f2d95e104400776c21250ae00d587b233b22a596db169e0583c0027c59814544963e66a5eb293ea11523e338d924244bd36b6d27227eecf848c3aef39b756123595c646d36d6cdf570b72fe9fbef779e0afa1db7cf4cc81964b366441f8032337a328f3c988997d0a27d2d8dce891c221a514ab30203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604140525862f6536a1e59d9eca5c0919ad0e3d96261d301f0603551d230418301680140525862f6536a1e59d9eca5c0919ad0e3d96261d300d06092a864886f70d01010505000382020100ad21caaf24b3bfa5ae380783453b61419a4625b1adf976ca6ee77f802063842fd2ca4879ddf39df1a0ca779bb313fb86d1241607b6df5e868ad9cddb69e19baf3107c22cf951569dc8d5f89db4b4ab7b859b61482b10df9bfcce81c4f1b86c77d40a5ee2805a460dd0d6ea165f86e67085097d159090416b07de58ece97764bd1ab9d3c197d1e52aa132182f68fe1962f194b22e1a5a9d4d25c46c9e97a8a6fde4ec57296b4a509eb6dcc8be7b25ff104ef9892d413c93662351b7f3bab4725aaadd18adf65efba74224dbd1dd718356d68e205046d648ac74e11d3be7494d0dba37c51a467af57c721a25968ab1e6a48416009cfb2ac1c063245d93ec2459ac262778e907e4b9aa5bf666db808344c83857d632ae46fe2daba83d1497a155bb9da767ca7fe567b218dffda7aa61055501b2f515cd0fd8b830a67c82b765f52cf80f077ea177480395a29c8dbe9cd572715257a7cef58ad63218e05d16f0096bd496e12d17bf7790b9ddb6318fb91a2a3f3395dd55e4ba739c2c8d15442fbc8de41bade132d1a23fb5a2844e6b08062208f9191e1f3ca0a5504e07cf4b3f2baa683bdc0dc10a8a6631b3d46481641798a4a37b35ada800104d8bc70c0fc31f6615284cb1229592ee072139b6a15a8ad9e1a8135bb4fe7b426d5e69ca1a9a420d7ce3612490d4d9421835a89a05f14e3ca3fd987c51cd62f2926945cfbff32caa	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4680	rundll32.exe
4680	rundll32.exe
4680	rundll32.exe
4680	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4680	rundll32.exe
Token: SeDebugPrivilege	4680	rundll32.exe
Token: SeDebugPrivilege	4680	rundll32.exe
Token: SeDebugPrivilege	4680	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4680	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 4680	2628	rundll32.exe	86
PID 2628 wrote to memory of 4680	2628	rundll32.exe	86
PID 2628 wrote to memory of 4680	2628	rundll32.exe	86
PID 4680 wrote to memory of 4348	4680	rundll32.exe	93
PID 4680 wrote to memory of 4348	4680	rundll32.exe	93
PID 4680 wrote to memory of 4348	4680	rundll32.exe	93
PID 4680 wrote to memory of 3724	4680	rundll32.exe	94
PID 4680 wrote to memory of 3724	4680	rundll32.exe	94
PID 4680 wrote to memory of 3724	4680	rundll32.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8c9d0e1d3fc4202c4d690e199335ac9649852c5756e9877bbc95e596f743cda.dll,#1
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe
    3⤵
    PID:4348

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\SysWOW64\rundll32.exe
  2⤵
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\HPSocket4C.dll

Filesize
2.8MB

MD5
4bc970a97300b1a725d44bba23d8697a

SHA1
6f1eb181153692814e038e2f851d0734646f78f8

SHA256
c9d8fb5311ae6018dc1ca72774cb7efeba5c115c827a5cfb795b3580499e323d

SHA512
03968ca876b7e584de0a1418cca1dd2036fd0b4744f86d69aee5691a42061e284f8d9577293ef3f656be332f7da5ca276f85c6393bd6d8eb7de181baec0285f8

Download Submit
memory/4680-0-0x0000000010000000-0x0000000011155000-memory.dmp

Filesize
17.3MB

Download
memory/4680-1-0x0000000002E00000-0x00000000030C3000-memory.dmp

Filesize
2.8MB

Download
memory/4680-2-0x0000000002E00000-0x00000000030C3000-memory.dmp

Filesize
2.8MB

Download
memory/4680-8-0x0000000010000000-0x0000000011155000-memory.dmp

Filesize
17.3MB

Download
memory/4680-9-0x0000000002E00000-0x00000000030C3000-memory.dmp

Filesize
2.8MB

Download
memory/4680-11-0x0000000010000000-0x0000000011155000-memory.dmp

Filesize
17.3MB

Download

Analysis

Sharing