305e3dd3f593a9514d6d5db79cac2037a9fcc1f9796c504576a70eb86367dcb4

General

Target

619dc9444a673d30e215a8d09222ca92.exe
Size

74KB
MD5

619dc9444a673d30e215a8d09222ca92
SHA1

a3a176f3b6cfa08ef423c169d40d15f383802453
SHA256

305e3dd3f593a9514d6d5db79cac2037a9fcc1f9796c504576a70eb86367dcb4
SHA512

d1cb6cbbd6859267f348de6f398f030e17a350e6f87d582c5e44f567cd01ef590e8f0deffe62a063c08d37583ec720dcb62ee5f69551045cf0fdfc3d26a13393
SSDEEP

1536:HJb7bstbnXgXSJJnxSWdXiF0x6KIiuLPjVtFi2eUNGPrbg0s9:tObnISJtx7yBiUWls9

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
452	attrib.exe
1012	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	simc.tmp

Loads dropped DLL 2 IoCs

pid	Process
2384	619dc9444a673d30e215a8d09222ca92.exe
2384	619dc9444a673d30e215a8d09222ca92.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\FreeRapid\resv.bin	619dc9444a673d30e215a8d09222ca92.exe
File created	C:\Program Files\FreeRapid\1.bat	619dc9444a673d30e215a8d09222ca92.exe
File created	C:\Program Files\FreeRapid\2.bat	619dc9444a673d30e215a8d09222ca92.exe
File created	C:\Program Files\FreeRapid\4.bat	619dc9444a673d30e215a8d09222ca92.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Comres.dll	simc.tmp

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967	simc.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A	simc.tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2056	simc.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2056	simc.tmp
Token: SeRestorePrivilege	2056	simc.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2056	2384	619dc9444a673d30e215a8d09222ca92.exe	29
PID 2384 wrote to memory of 2056	2384	619dc9444a673d30e215a8d09222ca92.exe	29
PID 2384 wrote to memory of 2056	2384	619dc9444a673d30e215a8d09222ca92.exe	29
PID 2384 wrote to memory of 2056	2384	619dc9444a673d30e215a8d09222ca92.exe	29
PID 2056 wrote to memory of 2500	2056	simc.tmp	32
PID 2056 wrote to memory of 2500	2056	simc.tmp	32
PID 2056 wrote to memory of 2500	2056	simc.tmp	32
PID 2056 wrote to memory of 2500	2056	simc.tmp	32

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
452	attrib.exe
1012	attrib.exe

C:\Users\Admin\AppData\Local\Temp\619dc9444a673d30e215a8d09222ca92.exe
"C:\Users\Admin\AppData\Local\Temp\619dc9444a673d30e215a8d09222ca92.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Roaming\simc.tmp
  C:\Users\Admin\AppData\Roaming\simc.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c afc9fe2f418b00a0.bat
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\619DC9~1.EXE > nul
  2⤵
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FMAMzwbd12.bat" "
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\PROGRA~1\FreeRapid\resv.bin,MainLoad
    3⤵
    PID:1068

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:275457 /prefetch:2
1⤵
PID:808

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
1⤵
PID:652

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\PROGRA~1\FREERA~1\tmp
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:452

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
1⤵
PID:1672
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe" -o
  2⤵
  PID:972

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
1⤵
PID:1956

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
1⤵
PID:356

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?r"" /f
1⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
1⤵
PID:272

C:\Users\Admin\AppData\Roaming\smap.tmp
C:\Users\Admin\AppData\Roaming\smap.tmp
1⤵
PID:324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\smap.tmp > nul
  2⤵
  PID:2828

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
1⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
1⤵
PID:1120

C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
1⤵
PID:1156

C:\PROGRA~1\INTERN~1\iexplore.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
1⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\FreeRapid\resv.bin

Filesize
2.3MB

MD5
fa4a62be9eccd3d0f53df4a53dfba8fa

SHA1
68daf097a03be9522f3f47a5442fb50bde566b70

SHA256
cbd3f04c4e04e2735015664fd0d601901d6a963270039be33d9a9877d3c316b6

SHA512
69382ee6698dab774cbc5efa7b394a7f40a21dc9525c28f626097244c3d9431bed7888259312171df7286c4c77939d5a4a92d1743f7d888fb2fc548474e79d47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3efecbd9ea4690ba9e03f706f543cc21

SHA1
b5793498df17fed854fd5464990c5c48e2c4dcc7

SHA256
4aad2e98cdd1389b1b498422f68f97620cd2e52f924e376d21c39cd5c4c797a4

SHA512
d17ab088bf5523c1ef67c403d24397c148423cc66a0926baa5da993818cc7d5a7ca20119c0d46b329f18c918f3fcf0f8e13cf9aa3416ed17475305d612a46294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56c5e75ea7e50adf746c9ecbc1a6cdca

SHA1
9e42ca807e802383eda269e27c37da6d04f90ae9

SHA256
baeafdb713cedfc7f6875145de7d29439a6342641a859f42118fbc0b8569cb9a

SHA512
9a1d57155094a873a864f2d6233712a5820ba1c3bb3caffaeb2f72f3ae92aaac23fe7a72ffbc979e3096db50dc41dc53b2c04a9f50f623d0a9bf4fc1c6a35a03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
220df45f8b51eb742ab2e3340825aa64

SHA1
8cf4c8840b2a40f42778efe77edde7819889563d

SHA256
fa45f5c61699780f364b06b870337f8dfcf68d1f90ad5adb0cb27059fb78e7a9

SHA512
90a465ec0fb7931184f68fdb8ae12305a85e9ca0e017f3f421f8e9af310a2d376816de4b24af7558670ed2468f7c4a036908e457fe1cdfece32994ce43366f45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7425f0175749b9ee5af510dc5922d25

SHA1
8d3862cc3347c147cbbd9a7cf0d47f9aaf2b55c0

SHA256
80157f7f8ee5e72a5884bfe9631a47aa726badda1213e251816f4322ea30829e

SHA512
8bb2f32e7ece5946d8d0f0bf9281acbd93a33b4e5a5b6c9c7693af9c580a32b4f1f4381014cafbbe84ae32df0d1b3ab14acbf1d3ccba755bcad00ca57209a02e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
26d1f21ffab187e1795b2cf8d9f8ace9

SHA1
cd2d129b4c606055ddd3ee73bf3966e6f9929c51

SHA256
4e2411c818b80f91be2d7e74cd7c1e1033e888585a0254eed28522c370fd4267

SHA512
f326c31282136b052dfea657f36dba9da23e7a487376dc4c03f54605b91be7149a4eeff1e82ad66425549e078d8ecda9b7bc2da3b767aca365b65a6740b15dec

Download Submit
\PROGRA~1\FreeRapid\resv.bin

Filesize
2.2MB

MD5
63ea7598258fce271829bbb6c6ca94d7

SHA1
3f2f816162c5c909c609d01329a53528978745a9

SHA256
98166af5266ee7caa894e49bac624be3431202cb839a5593256f30a64b3e90b9

SHA512
d35e9547a2a295f42d1ee057b05854f79ae73c82796511d34cb07a6c340cab390d09f3fe69ad3442b040d6550faa82a2533e2c02dfba044c29cb3e0d3b368ee1

Download Submit
memory/324-115-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/324-113-0x00000000013E0000-0x00000000013E9000-memory.dmp

Filesize
36KB

Download
memory/324-763-0x00000000013E0000-0x00000000013E9000-memory.dmp

Filesize
36KB

Download
memory/1068-1368-0x00000000750B0000-0x00000000750BA000-memory.dmp

Filesize
40KB

Download
memory/1068-1369-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download
memory/1072-111-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/1072-112-0x0000000000110000-0x0000000000119000-memory.dmp

Filesize
36KB

Download
memory/1456-104-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/2384-61-0x0000000000210000-0x000000000024C000-memory.dmp

Filesize
240KB

Download
memory/2384-2-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2384-60-0x0000000002D50000-0x0000000002D60000-memory.dmp

Filesize
64KB

Download
memory/2384-29-0x0000000000210000-0x000000000024C000-memory.dmp

Filesize
240KB

Download
memory/2384-6-0x0000000000210000-0x000000000024C000-memory.dmp

Filesize
240KB

Download
memory/2384-0-0x0000000000210000-0x000000000024C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads