5d750bbac8bb5f7679c939b5eb4009083e8876b4318722b4ed199989efe5b49e

Analysis

max time kernel
252s
max time network
294s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c48924269a6d9696b86b5fa6685ff71.exe
Size

420KB
MD5

4c48924269a6d9696b86b5fa6685ff71
SHA1

d2e8171d3090ef5f5a018fcddcd4e87f6610d6a7
SHA256

5d750bbac8bb5f7679c939b5eb4009083e8876b4318722b4ed199989efe5b49e
SHA512

2ec3865a8fa47e003648063fa3c873bda4cf5765539862393d22c5d8f2a30ad8964520c10915d67abde7e9e66ce3421288cb4f3ead3ca5cfe2a57af99bdfe443
SSDEEP

12288:ewaA3t7VPRw+8cOSQN2jyGFyFjISvfsJJa/oSdp:xpbw+8cze/jL4U7p

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2292-0-0x0000000000400000-0x0000000000602000-memory.dmp	upx
behavioral1/memory/2292-1-0x0000000000400000-0x0000000000602000-memory.dmp	upx
behavioral1/memory/2292-11-0x0000000000400000-0x0000000000602000-memory.dmp	upx
behavioral1/memory/2292-23-0x0000000000400000-0x0000000000602000-memory.dmp	upx
behavioral1/memory/2292-135-0x0000000000400000-0x0000000000602000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main	4c48924269a6d9696b86b5fa6685ff71.exe
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	4c48924269a6d9696b86b5fa6685ff71.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	4c48924269a6d9696b86b5fa6685ff71.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4c48924269a6d9696b86b5fa6685ff71.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4c48924269a6d9696b86b5fa6685ff71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	4c48924269a6d9696b86b5fa6685ff71.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4c48924269a6d9696b86b5fa6685ff71.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2292	4c48924269a6d9696b86b5fa6685ff71.exe
2292	4c48924269a6d9696b86b5fa6685ff71.exe
2292	4c48924269a6d9696b86b5fa6685ff71.exe
2292	4c48924269a6d9696b86b5fa6685ff71.exe

C:\Users\Admin\AppData\Local\Temp\4c48924269a6d9696b86b5fa6685ff71.exe
"C:\Users\Admin\AppData\Local\Temp\4c48924269a6d9696b86b5fa6685ff71.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ac8bec2db439ecc6faa10f99185910f

SHA1
1a93997b954f1f383e147ece74f34289f497583b

SHA256
cb028cdeedd2ddf7cebb7eb2a1ccda21bfa2fcab7810db2980ffdc61a1e9af09

SHA512
ab86fdfdf84bf81092d106befdec7cf57af665b3d9bf8f4465dbae72543ee564d42b0e7c6aa21067a73091783635ccaa554cbfa6e21c1afec9f87cdb70c021b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4eecf0d9bee2158355ec13d72eb34ab2

SHA1
cd2acc2900b4a0b5310a4239249bd8160029c5d6

SHA256
424dfd6e92283aa40f8ecd012f632eef2a83aba34de5b5d4699d9f0687596c79

SHA512
ae1e96fe78baa2f8f110d4853a8407026d2c23c2ebb95951d36bf553f58d5871a945d50f4352a877a7718ca0ddb1e3501a64689c250831d2b71374e302914b52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1455c13f491080c808ec793c9475a96

SHA1
b019eb0b04c8b1f87992263be37eaf3cbdce7e9d

SHA256
65be67c22c1f683d630be4c012182d64e440c97228c96e457c89c2fdeafcbb56

SHA512
1945ac53526a3589747799f915c3c7c399470ca67983201686635a50575cfe044b7979b7b4375f8b0591eb9b28d7ffda7638e9fc1c619d01ba37395ed36f2cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a7176ccfc524dc5a9ff4f0f55248482

SHA1
a207f8327d1f8d7d5af1dc59704cb354ed9ac278

SHA256
c9b6c0a6e9c6ff9f3b7475c1bfa07526229b206b37b4c240960afea9d175780b

SHA512
d3998c1b905366516a1a9eac2a47f1dcd86f66617f89cd31bfe2b07debaa886d20f4fb622752a545f7d479fea0bae9cf36a107e238f586db80c53d900f6a6b63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc78f76c1dc04e917b882bfddc4768c5

SHA1
510855aaa96d9d2402ef26d9430f7945563a2e1e

SHA256
59e9029b1a20bd915bc2441c159e3f41086f95aeafb08b838af24bd496c75a8f

SHA512
092230cf2cee387c1d35de86413f0a512caac7a27968fcfe9d2fb2cd85596bd063a4b50496227d79a50227b62516070f0cde02fa8fb92eeecabc099096180b44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d361922cb9212ca23397d8718717f56

SHA1
e4b8c128af8c59bd06d0815767b4414c5461d29e

SHA256
d20a3abb785b920a7ae6bf4b542e02f2a725c2cfec1664b84b92e6501f35a4b2

SHA512
61a155254490d3ead8867141d25208cbb3a8d0d3bbca9ab3111e7ff7502db4b720cdcf1c38ecd9ff37b6f19e6adb064c2adf0876b5abf6b0e68ae6f0f4c0763e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02ed72c1307d3343e97c922b945a340a

SHA1
8f3c9c73f3174f761007707e65a857bd7b45d5aa

SHA256
3590205e0fc442c7ec2cfa9d863956558bc2d28ce69e27d2913a9f345c734304

SHA512
57574a4d776232da2cc9ce72a99151d3be9870fa0533179425d6c3f1758442cd433545c259c426f771e87d4ba6401c5d8e1e18a69050e40ee00a5e7b4e12d86f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4edb876b2ad42716c82f75e0b65d9070

SHA1
1472749c830c631d2fe86c402570cc42d93299b4

SHA256
c6a8b0da89c72024398e25963cbca82ef885ed4d9d309b5d13b025f0ab1c6921

SHA512
64a26f9caf7fb3287e9a562e76d5acfc9c0c9f70f4c6ab66da9b1045deba5bbf404dcb2df707e69556a896776bba0271955b662f2bf6c7d08d5cbe54196750ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cfac35dadafc7716f2d25eb3cbebeea

SHA1
27bc0f078c97abcee17b8fc5dbe0c05be2c1f71a

SHA256
bf971f068d5928fbc29ae2fe2c2cb29c7eb1f02b0554c95a28cb8c91bdd12696

SHA512
19ea3266de5ab2d83722395501d486c87b0cd88d1915afa538b1b00163793620f9ecf9c954458b29d4156d0ec29a92565b1ceccfc640d9090a545b2350fd1b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9B3.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9B6.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\GetRightToGo\4c48924269a6d9696b86b5fa6685ff71.data

Filesize
969B

MD5
4890dca5b7a6f391f1ed975f3d53e0fa

SHA1
6ecc9ebde87697a770cfac6a71ff543704cf1752

SHA256
6a0aeb5defe1c6096833f7878dfd26e43b0813426b7898d1473a4de4a662e794

SHA512
d51ee2c544a2ef4e645b371b3b0491e29a4ca088f62607ea67e59fbe3dc05a070b262fb39a627cd004dc8ead39ce9c9c4d14a536ddfb6101008bb08dabad11c4

Download Submit
C:\Users\Admin\AppData\Roaming\GetRightToGo\4c48924269a6d9696b86b5fa6685ff71.htm

Filesize
87KB

MD5
2290e78ddaffaa73838e9a67d679cbc7

SHA1
5e2583a2c5bad107c82cab2a495d559e1385ae41

SHA256
ca6005b88259d61bfc9943b1236cd4f6f12833f3134a3c1553545247d95aca2d

SHA512
a2c6ae503b264e30925c685efb6389175138fb809989d5e4c61e62345662c0d7a6e0de57c6a8f883209c7bf613c6be3fb4ca2031876d562271c8b111ad338abc

Download Submit
memory/2292-135-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2292-0-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2292-23-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2292-11-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download
memory/2292-1-0x0000000000400000-0x0000000000602000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads