33d64cd3508e727ef32d394667d430a31f0fef4447a19e0750b3fcfe4e3e1933

General

Target

454dfc51ed57580901987e1af7b1591b.exe
Size

123KB
MD5

454dfc51ed57580901987e1af7b1591b
SHA1

bae4b768732bfc3797b7f103c9806748fcb8a84d
SHA256

33d64cd3508e727ef32d394667d430a31f0fef4447a19e0750b3fcfe4e3e1933
SHA512

d2514fd7582a82e5e4e7b5c8a03fbd058c7779292d4baa61e270a0630948f74d062c1e98bd243a4888f4abf456d594424d1e9382cf29ab2447839cfaae77247a
SSDEEP

3072:OeSQ41MZrrOwzrq5Ss9eYfphfFQkUcot3EpeBWLLyJkHGD9M5:OVYrJrOSsRwcp0ks9S

Score

8^/10

upx

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = 03000000010000001400000062119ef862c6b3a0d853419b87eb3e2f6c78640a2000000001000000df030000308203db30820344a00302010202033fc398300d06092a864886f70d01010405003055310b3009060355040613025a4131253023060355040a131c54686177746520436f6e73756c74696e67202850747929204c74642e311f301d0603550403131654686177746520436f6465205369676e696e67204341301e170d3035303831353031353134345a170d3037303931363133323531325a30818b310b3009060355040613024652310e300c0603550408130552686f6e65310d300b060355040713044c796f6e31193017060355040a1310656c656374726f6e69632d67726f757031273025060355040b131e536563757265204170706c69636174696f6e20446576656c6f706d656e743119301706035504031310656c656374726f6e69632d67726f757030820122300d06092a864886f70d01010105000382010f003082010a0282010100e2754d8a4e6d4db6e025b0073520ddd7eeec116a813940fda2c4c66f7a354adb3036188d4078f8891b3fe15d467dfba5e17984cac2b246c27c052e63956dfe817eb423b9615bddfddaadac5e2ac0f41f583edd24d7830f5875df2937a9152b741eef3950e5116e76d2e7e3ffdf6fcb5858af26f5e2effd019a1f82b98d7f21ed089d5bb8553cd89c823becaeb62ea1cc4b455cb4e93e8ac715320f31dc3fbc2d0be0d65c608c58c19ff06da7bc1ec48a45ef0219eef40294504e2663b1c9dad6a2241df996c59cf110b706285fbaeae0c55d776573536218c3c7ae248b82cae01513cd8b2828a94f4a70ba6e199919a0f5eae20643feaabebe2ba3b2819e92790203010001a381fd3081fa301f0603551d250418301606082b06010505070303060a2b060104018237020116301106096086480186f8420101040403020410301d0603551d0404163014300e300c060a2b0601040182370201160302078030230603551d11041c301a82187777772e656c656374726f6e69632d67726f75702e636f6d303e0603551d1f043730353033a031a02f862d687474703a2f2f63726c2e7468617774652e636f6d2f546861777465436f64655369676e696e6743412e63726c303206082b0601050507010104263024302206082b060105050730018616687474703a2f2f6f6373702e7468617774652e636f6d300c0603551d130101ff04023000300d06092a864886f70d01010405000381810075160a692f4bc2096bce67c58b0d88320552104e4d35f5018bc2ab1be03ecae3c0abe7db45629b1b3c1812039145c15d6f2774c211a2c86f93a819573d58a3c0e66d1e19e84638800e3372880b4e9cdcf70cc769bdeff236ed3ac6f20e370122fa791e71b0ea8be78077ffc288c382b201d78ea8bbf9e9457fad4ee80273279c	regedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	iaccess32.exe

Executes dropped EXE 1 IoCs

pid	Process
404	iaccess32.exe

Loads dropped DLL 1 IoCs

pid	Process
688	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3680-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/3680-5-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/404-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/404-55-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\egaccess4_1071.dll	iaccess32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100715040719\medias\p2e_logo_2.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100715040719\medias\p2e_2_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100715040719\medias\p2e.ico	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100715040719\instant access.exe	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100715040719\Common\module.php	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100715040719\medias\p2e_1_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100715040719\medias\p2e_go_3.gif	iaccess32.exe
File opened for modification	C:\Program Files (x86)\Instant Access\Multi\20100715040719\dialerexe.ini	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100715040719\medias\p2e_3_3.gif	iaccess32.exe
File created	C:\Program Files (x86)\Instant Access\Multi\20100715040719\dialerexe.ini	iaccess32.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\dialexe.epk	iaccess32.exe
File created	C:\Windows\dialerexe.ini	iaccess32.exe
File created	C:\Windows\egdhtm_pack.epk	iaccess32.exe
File created	C:\Windows\iaccess32.exe	454dfc51ed57580901987e1af7b1591b.exe
File created	C:\Windows\tmlpcert2007	iaccess32.exe
File created	C:\Windows\dialexe.zl	iaccess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\À	iaccess32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}	regsvr32.exe

Runs regedit.exe 1 IoCs

pid	Process
4748	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3680	454dfc51ed57580901987e1af7b1591b.exe
404	iaccess32.exe
404	iaccess32.exe
404	iaccess32.exe
404	iaccess32.exe
404	iaccess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 404	3680	454dfc51ed57580901987e1af7b1591b.exe	18
PID 3680 wrote to memory of 404	3680	454dfc51ed57580901987e1af7b1591b.exe	18
PID 3680 wrote to memory of 404	3680	454dfc51ed57580901987e1af7b1591b.exe	18
PID 404 wrote to memory of 4748	404	iaccess32.exe	22
PID 404 wrote to memory of 4748	404	iaccess32.exe	22
PID 404 wrote to memory of 4748	404	iaccess32.exe	22
PID 404 wrote to memory of 688	404	iaccess32.exe	20
PID 404 wrote to memory of 688	404	iaccess32.exe	20
PID 404 wrote to memory of 688	404	iaccess32.exe	20

C:\Users\Admin\AppData\Local\Temp\454dfc51ed57580901987e1af7b1591b.exe
"C:\Users\Admin\AppData\Local\Temp\454dfc51ed57580901987e1af7b1591b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\iaccess32.exe
  C:\Windows\iaccess32.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:688
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
    3⤵
    - Manipulates Digital Signatures
    - Runs regedit.exe
    PID:4748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/404-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3680-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3680-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing