47d6b422100dd4d6cf86810837a41e3915a593c97399a52f3fc16562d6addf2c

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe
Size

405KB
MD5

1b83863b916a3a3d41179c974c8316c0
SHA1

42baf8cfae77453b7181b529c62dd69f16df556a
SHA256

47d6b422100dd4d6cf86810837a41e3915a593c97399a52f3fc16562d6addf2c
SHA512

2729d6e570f4a84208df9ae27101d8d6f8868d0377a696454872fac743c33322e534ce064e0b6c83db309786253a52b623037b3e5b10a76f0ea317ca0167fd34
SSDEEP

6144:Llfj4dhMo4GEeBVRot846iQ/5Dc6gvBve/eUsVA8rPpb:LlfsdhMo4BLdQ9c6g5vemNVA2Ppb

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3040	Sysceamnclyi.exe

Loads dropped DLL 2 IoCs

pid	Process
2284	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe
2284	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2284-0-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2284-30-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/files/0x0006000000015c87-43.dat	upx
behavioral1/files/0x0006000000015c87-42.dat	upx
behavioral1/files/0x0006000000015c87-48.dat	upx
behavioral1/files/0x0006000000015c87-44.dat	upx
behavioral1/memory/3040-50-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/files/0x0006000000015c87-49.dat	upx
behavioral1/memory/2284-64-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3040-78-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe
3040	Sysceamnclyi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 3040	2284	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe	29
PID 2284 wrote to memory of 3040	2284	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe	29
PID 2284 wrote to memory of 3040	2284	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe	29
PID 2284 wrote to memory of 3040	2284	1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1b83863b916a3a3d41179c974c8316c0_exe32_JC.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\Sysceamnclyi.exe
  "C:\Users\Admin\AppData\Local\Temp\Sysceamnclyi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
1KB

MD5
373356c0db4f51295f79cc136719acf9

SHA1
88d68b187af2159d0e4de73ae4d1ab2b1ab25b97

SHA256
68155b59499bb96ee36bdc58a9dee155a9e41854378a94e72fe1d27789343e3a

SHA512
30651b0d18284d1eb6154e927fa0124dc0b2b80da4463770b1a475d9610db8f82152427ceeab56da7c5037347825f0c45c7f66f2903e398aa181a26dcad2af30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
471B

MD5
c84119624f6e48050b67b54386344c56

SHA1
61d27105a60ce4f320b7a5212ef202d465d8b500

SHA256
866ead6e3b5b93179215d7cefb23d57bbc5e7e049b37f871a48e7c3b5661adca

SHA512
ffe1d462741f8714b7fdde28cef63668326ff2c8dc267cf82a31d6ecd2942e04e8cc09206c8c8e978599fb14bddab0a23ab96af9eea1a9df1a970096d03fa2cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
471B

MD5
2babc720c53778b586da518ccd6d22d3

SHA1
7abefb949fb1f5dbdcd2cf7938b850c3b3f786e5

SHA256
f02012968fca9b39db98b8ecb5e35bbc6ea49f08d90fb02f1600d9f4fd7a2c70

SHA512
3a6e8a8ca827f7f4312a041e76910b861ed5593ebe48078969be5ed66427ddc8542bd373a7a977168920e9545a32578b3c79cc8cd06d6c5dc8352ac69f38715b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_810F262D4E1A3C00EAAC386AD696F184

Filesize
471B

MD5
a207d1e94f5c05f1a377fe81a113e7b9

SHA1
49b9e3d14ce9baa8e044408ef8f82eb23ddecc8d

SHA256
cabca97da3cdda2bcad8ba1de55f2fa63ea78de19d71f4b3c3e4a8bec36f4740

SHA512
6265ecc0af38569a8c1d3d3ec104a572f581800454e237f38b130af69df73a07db6772d6abf140fb33368feab0ef24093574bacb64d2b2fb84a4894cd85d3d69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_62869752D223B27BDF86429DD102BA2D

Filesize
1KB

MD5
8fbe3494de9cf496ed8fdb61ae4f3bef

SHA1
ee69bdc8743a33671f20a2a063013db1401b2d13

SHA256
2825da0967f17a4940a3087a5863f81c084666b46dd885f7924ff98f8ba39221

SHA512
0102e9c08e247ef88485cf6d9de44c32b6a2f308ef922ad6453a61709cc4c574c1cdb93dcf2eb869bbd6f389082007ea76750146ef2b34e3dc9a4535f9155459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475

Filesize
500B

MD5
86e6f9474b06a742080162d4b04ba275

SHA1
a1aacb411294b223f9b3b5e7dadd051dea5c5f61

SHA256
4396cd44b8f07744a83e7dc8de42bd7dbfd6e872e6479c9f18924a72d3328285

SHA512
19ebb946cf0d47c3c1a7c994cf4b0216550cc21bd3eb493f23fe2cbae9db85b493f280ae61a190bac086dd08b98cc6bfce92696470266e6033e8a8178c46c8bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C

Filesize
398B

MD5
b9fab3eb0f58e38e297ff0b181712564

SHA1
fc5a4b343c056df57c6678c50dbd6c12fcad1f5a

SHA256
d4c0c092d11286207c46996b1e1b058e73ac1dbf70c1579a1ae718a14d041967

SHA512
dcaca3b8551a9dabe8fcf27e4848fed58fb7c88feb78f01e007c9bf5d571e2139813fab481e077cc5495e35e85171ebaed35a8205b5d317784f0d057f62ad6e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d390760507dafe3af3c1d09140e1cfb0

SHA1
284d9c64c10b19b8d54fd659d0835c9777086674

SHA256
0ff7ac702b5754dd9bc13b51930bc0ef20c9c46764fb0548cc1bf9f9528454c9

SHA512
6affb1e6eace4e9ae992be25dbabb2bddf4e8a960ab95e0489429198095237674b4b89d45471615f8920e871b2463a578cfa72c133c34ce41b6fa534b61c6489

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_0EFD97AA1ED1EC939D6B2DC09A53FAC0

Filesize
402B

MD5
0f508dcdc970e4f6db6ad1cd8d0c53ca

SHA1
84ff7a6e59db5b5d7d14eafb4b55e443609bcc6d

SHA256
a761f0ef024a86f3a68ccb8317f7e40ec235961405d0376bd10af46c82def0f8

SHA512
1db9628e9da384d4206bb120bc517ef1b2486bf81281a1b57e81fba753245e30628c94a6152214870666ddeb75f1cc7dfb3b713e541e876d39ba43651fff1a4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_810F262D4E1A3C00EAAC386AD696F184

Filesize
402B

MD5
5e4b724db04e94326431fa9b7e1bea77

SHA1
20865a81af2bd8c595bda3d26ad6cfc9a970dd1a

SHA256
d789f30875df9586c530c5a11fc9f7c9fef2b53175b218605e82dfbd99a17ad5

SHA512
1e780bbf7f48d757757dbe2788e5c3505b510f156212ea27084a47e3c8926d7bcdb9ed3e9dfce8ac5116cab51b9445613100eb3f5f40a71074c4f1db2cc8748c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_62869752D223B27BDF86429DD102BA2D

Filesize
532B

MD5
573b30a10161467d48a7f7fdaed4d22a

SHA1
b82ecfd3fef451605f9083bf5a0520ab55cea746

SHA256
9200a825b8d4897e7cfad01f51c24ec134db757a219f194ad95b82484dd3d079

SHA512
958ad286a2df04a7ae108a512279cfb301dd31374482c22337920d0e7f9d7fb3de7cb5510d406dfc0bbe4896f641b1dc65b72fdc5ba36193ed09b39c66a3d71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAB1E.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamnclyi.exe

Filesize
405KB

MD5
86a91f2751b1af3f988fe24fe150a72c

SHA1
1578a9428f799eee6a64442c0e2e6f56f316a686

SHA256
2c11d4d963f898025a6fddb9398131b9ebecc4d597b858a4f90dee5870ac9223

SHA512
3be7b1eb1f79d8fa272c50c639fce9e40c51c51424f57548821dfdfefd3f66ed4872582889de2d3b599d168d3e942f2acbb710353078bbb2cb3e224dcdef23fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamnclyi.exe

Filesize
405KB

MD5
86a91f2751b1af3f988fe24fe150a72c

SHA1
1578a9428f799eee6a64442c0e2e6f56f316a686

SHA256
2c11d4d963f898025a6fddb9398131b9ebecc4d597b858a4f90dee5870ac9223

SHA512
3be7b1eb1f79d8fa272c50c639fce9e40c51c51424f57548821dfdfefd3f66ed4872582889de2d3b599d168d3e942f2acbb710353078bbb2cb3e224dcdef23fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sysceamnclyi.exe

Filesize
405KB

MD5
86a91f2751b1af3f988fe24fe150a72c

SHA1
1578a9428f799eee6a64442c0e2e6f56f316a686

SHA256
2c11d4d963f898025a6fddb9398131b9ebecc4d597b858a4f90dee5870ac9223

SHA512
3be7b1eb1f79d8fa272c50c639fce9e40c51c51424f57548821dfdfefd3f66ed4872582889de2d3b599d168d3e942f2acbb710353078bbb2cb3e224dcdef23fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpath.ini

Filesize
79B

MD5
5ba779026c4a9f9ff6c425f0ed1433f4

SHA1
13fc0e1dabf2900128f7ea0b21c5272fa9033995

SHA256
d72eaa23c58b09f34e77bcdc91d805088373d3fce9fd1a19854aca7e3798b7cf

SHA512
1745da4a96f96d6d906b862488a0f5a793629111581139c92d7a707ff2dbe912a6787397cb0f195c232e66d08e1beb4b344b0f7fe5ae6ff83d69a6a3011ad176

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NKPSU143.txt

Filesize
98B

MD5
22094bb2ad138cb0cb4c313366784cfb

SHA1
c57268951f551560ee2b53eb7c321d999ef3c815

SHA256
da37c99bf653ee9cdff18f4b59fbc400effb14d2bba922bf889360793d481c02

SHA512
eb164d18e38af8dec5c6eec19d1340d97f7f1485e67d97763380c5e68db81d15f88857dd24322cdeefb1fa61f5be6d6bb627bda1310b243bf251f36468db6127

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamnclyi.exe

Filesize
405KB

MD5
86a91f2751b1af3f988fe24fe150a72c

SHA1
1578a9428f799eee6a64442c0e2e6f56f316a686

SHA256
2c11d4d963f898025a6fddb9398131b9ebecc4d597b858a4f90dee5870ac9223

SHA512
3be7b1eb1f79d8fa272c50c639fce9e40c51c51424f57548821dfdfefd3f66ed4872582889de2d3b599d168d3e942f2acbb710353078bbb2cb3e224dcdef23fd

Download Submit
\Users\Admin\AppData\Local\Temp\Sysceamnclyi.exe

Filesize
405KB

MD5
86a91f2751b1af3f988fe24fe150a72c

SHA1
1578a9428f799eee6a64442c0e2e6f56f316a686

SHA256
2c11d4d963f898025a6fddb9398131b9ebecc4d597b858a4f90dee5870ac9223

SHA512
3be7b1eb1f79d8fa272c50c639fce9e40c51c51424f57548821dfdfefd3f66ed4872582889de2d3b599d168d3e942f2acbb710353078bbb2cb3e224dcdef23fd

Download Submit
memory/2284-64-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2284-30-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2284-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3040-50-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3040-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download