444d22059726d64e2abf82fd42a3bb5918bebc87a1884c4d0099b827e717a509

General

Target

IMG054025602016-JPG.scr
Size

238KB
MD5

af0deacaa3423b84cc1108009782f4d8
SHA1

5c98c215e335d7f1073350883366e2080f9d9286
SHA256

16ba6496c0cb6264ba6d32990546f41950cfb57951ab8303f62a841d69daf9cf
SHA512

31f65129d5ee1c30f62ca69fb01a582f8aaeae5bf85069844188977a397613db60e717f82bf9c249f1300f9fd01b7586f716d3fc2559483199858e314d7d1292
SSDEEP

6144:aJXYl0G7ZfLABcBkM5czMckVV9OzEzEVpaAF4I1ep:hrY+yjkVV9OwV64I1M

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-50504502627025040596038559683020\\winmgr.exe"	IMG054025602016-JPG.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1464 set thread context of 2828	1464	IMG054025602016-JPG.scr	28

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\M-50504502627025040596038559683020\winmgr.exe	IMG054025602016-JPG.scr
File opened for modification	C:\Windows\M-50504502627025040596038559683020	IMG054025602016-JPG.scr
File created	C:\Windows\M-50504502627025040596038559683020\winmgr.exe	IMG054025602016-JPG.scr

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IMG054025602016-JPG.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IMG054025602016-JPG.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IMG054025602016-JPG.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	IMG054025602016-JPG.scr

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr
2828	IMG054025602016-JPG.scr

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28
PID 1464 wrote to memory of 2828	1464	IMG054025602016-JPG.scr	28

C:\Users\Admin\AppData\Local\Temp\IMG054025602016-JPG.scr
"C:\Users\Admin\AppData\Local\Temp\IMG054025602016-JPG.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\IMG054025602016-JPG.scr
  "C:\Users\Admin\AppData\Local\Temp\IMG054025602016-JPG.scr"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- - C:\Windows\M-50504502627025040596038559683020\winmgr.exe
    C:\Windows\M-50504502627025040596038559683020\winmgr.exe
    3⤵
    PID:2684
  - - C:\Windows\M-50504502627025040596038559683020\winmgr.exe
      "C:\Windows\M-50504502627025040596038559683020\winmgr.exe"
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\yyhcloiikg.bat" "
    3⤵
    PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab5997.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyhcloiikg.bat

Filesize
212B

MD5
628b9b2672a6a9f5aaa6cd89c34c29ee

SHA1
96f5decb262bd989d519eef58c19f64ab2c0a661

SHA256
78c57731f5997bda672369396f6c90b99bf0d035e78af22fbd667970dc38bc0c

SHA512
bab76a2cb545c6bf294a695a92a1caff388048d1c366509657698ad39236e6b1c06b724aa4ef800a568cf8661c132d085bc17920f5b6a0f3c846081ba834b20f

Download Submit
C:\Windows\M-50504502627025040596038559683020\winmgr.exe

Filesize
125KB

MD5
7e922e52d70d94ca5149866248b62903

SHA1
5b465752a032d74851a459ef927cf2a867273d98

SHA256
74099bf9442675d7368f3f85c504e8a0c55d895587ab0ee6409169af47aae4f5

SHA512
c9793c3af16e3a06dd0a9c353358905bb611f16611f17a448dea7d679cddc925709ef7e242af4b3daafa3a3087377b4c888993ba446cd6e4f1af318393b79b28

Download Submit
C:\Windows\M-50504502627025040596038559683020\winmgr.exe

Filesize
71KB

MD5
fea31580ef85e8e03857788dd537d651

SHA1
049856cf045bf6fd325eef59be910fc82fb08c20

SHA256
a7354b017d438e6d2d6c3335413a3ba66948821a84154b720da2e912141e3765

SHA512
b6c22fcd2a2b32e5c71f71f4eb389742647f0c71661a03c10158e35e19136737a00a01d74b491ec6fa9705c2ab7ab610bef2472e76e460b07d75af1222d9270f

Download Submit
C:\Windows\M-50504502627025040596038559683020\winmgr.exe

Filesize
31KB

MD5
145b967a88d821ca51417e026006d687

SHA1
90502c88351e952cba1a27191c76cbfb3f214303

SHA256
c1260b45a9c910b9443898f100c06e4c22b67ccac58ff1c747a72780a0d5d3db

SHA512
e5a8079a9260b95b545a242d5b5fbf70ec7de5d24d86b8c8196bb08dd1bd05dc570981b5ed0e2dce85b0cb395baa118bc3988acb402421da4e74458939332c9b

Download Submit
C:\Windows\M-50504502627025040596038559683020\winmgr.exe

Filesize
39KB

MD5
6e911318b46fd2402c0e564386906947

SHA1
166a244de5b42e00a3111b334fa279a06bc965a9

SHA256
060f577b46ff50136779592ed0b18e52bb338374a4419e6ef81ae5ae6d8aa7ca

SHA512
4305f02e4e2880af126748e9eecc1590ffdc7d6c7b8a2a83c4d6210c4f220cf181c96e3c2f80075947440537282832b26464ad0d49c5d5d70ea0955fb20230b7

Download Submit
\Windows\M-50504502627025040596038559683020\winmgr.exe

Filesize
92KB

MD5
3bcf4daf93677f50d840cdc3e6c624ce

SHA1
574b0b56c9aca82324b37ec4becc0b8e757c7337

SHA256
b05b751848b26c22668574089972091a37d0c18376ac794cf6d0d694011f9f4d

SHA512
151253dbf2fc93ea92fcc35b4481552729b5bf29ddc0957d06e8b4c2c102a6f58b9b471575300d6ab8a4c2c108aa7eb11929e18b3897b2907561121ac776ffff

Download Submit
\Windows\M-50504502627025040596038559683020\winmgr.exe

Filesize
28KB

MD5
39278548e7fd3db1bfffb876b083529a

SHA1
a4f050bd26b73d255fdb1f69df4e9bf6bfd46d5c

SHA256
cc2c86b61d9e3406a0c451af7c11fcaa9d1bf8f71d772eca311efe3ded15b8c4

SHA512
28c75309df9ad82c44f9afa4bcf3033439d146015111710752751d4a5a3379f3bfd7cf50fb35eef8f9904a2a675525a0fc8cc0e77bdd0630964e437e020bdb1c

Download Submit
memory/1464-41-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-0-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/1464-2-0x0000000000A60000-0x0000000000AA0000-memory.dmp

Filesize
256KB

Download
memory/1464-1-0x0000000074650000-0x0000000074BFB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-53-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-55-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-54-0x00000000000E0000-0x0000000000120000-memory.dmp

Filesize
256KB

Download
memory/2684-78-0x0000000074600000-0x0000000074BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2828-40-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2828-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2828-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2828-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2828-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2828-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2828-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-39-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2828-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3044-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-80-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads