305e3dd3f593a9514d6d5db79cac2037a9fcc1f9796c504576a70eb86367dcb4

Analysis

max time kernel
31s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619dc9444a673d30e215a8d09222ca92.exe
Size

74KB
MD5

619dc9444a673d30e215a8d09222ca92
SHA1

a3a176f3b6cfa08ef423c169d40d15f383802453
SHA256

305e3dd3f593a9514d6d5db79cac2037a9fcc1f9796c504576a70eb86367dcb4
SHA512

d1cb6cbbd6859267f348de6f398f030e17a350e6f87d582c5e44f567cd01ef590e8f0deffe62a063c08d37583ec720dcb62ee5f69551045cf0fdfc3d26a13393
SSDEEP

1536:HJb7bstbnXgXSJJnxSWdXiF0x6KIiuLPjVtFi2eUNGPrbg0s9:tObnISJtx7yBiUWls9

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5084	attrib.exe
4876	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
380	simc.tmp

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\FreeRapid\resv.bin	619dc9444a673d30e215a8d09222ca92.exe
File created	C:\Program Files\FreeRapid\1.bat	619dc9444a673d30e215a8d09222ca92.exe
File created	C:\Program Files\FreeRapid\2.bat	619dc9444a673d30e215a8d09222ca92.exe
File created	C:\Program Files\FreeRapid\4.bat	619dc9444a673d30e215a8d09222ca92.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\windows\Comres.dll	simc.tmp

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A	simc.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967	simc.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
380	simc.tmp
380	simc.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	380	simc.tmp
Token: SeRestorePrivilege	380	simc.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 380	4912	619dc9444a673d30e215a8d09222ca92.exe	92
PID 4912 wrote to memory of 380	4912	619dc9444a673d30e215a8d09222ca92.exe	92
PID 4912 wrote to memory of 380	4912	619dc9444a673d30e215a8d09222ca92.exe	92
PID 380 wrote to memory of 2416	380	simc.tmp	97
PID 380 wrote to memory of 2416	380	simc.tmp	97
PID 380 wrote to memory of 2416	380	simc.tmp	97

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5084	attrib.exe
4876	attrib.exe

C:\Users\Admin\AppData\Local\Temp\619dc9444a673d30e215a8d09222ca92.exe
"C:\Users\Admin\AppData\Local\Temp\619dc9444a673d30e215a8d09222ca92.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Roaming\simc.tmp
  C:\Users\Admin\AppData\Roaming\simc.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
    3⤵
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\619DC9~1.EXE > nul
  2⤵
  PID:856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FMAMzwbd12.bat" "
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\PROGRA~1\FreeRapid\resv.bin,MainLoad
    3⤵
    PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
1⤵
PID:4292
- C:\PROGRA~1\INTERN~1\iexplore.exe
  C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
  2⤵
  PID:1320
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:17410 /prefetch:2
    3⤵
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\PROGRA~1\FREERA~1\tmp
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5084
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4876
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?r"" /f
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
    3⤵
    PID:4968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
  2⤵
  PID:2128

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
1⤵
PID:4940
- C:\Windows\SysWOW64\grpconv.exe
  "C:\Windows\System32\grpconv.exe" -o
  2⤵
  PID:3592

C:\Users\Admin\AppData\Roaming\smap.tmp
C:\Users\Admin\AppData\Roaming\smap.tmp
1⤵
PID:1416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\smap.tmp > nul
  2⤵
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\FREERA~1\1.bat

Filesize
3KB

MD5
2b99b7f66b8ebba3071330bcbaccc022

SHA1
1a79cdcdd4dd3c9e22b45acdbc20a51da5f23e52

SHA256
3ed44f8ec4dd76cadb989353a1ed4a578d93fbba2eb0997443000384e2fb7f09

SHA512
03671ec8fbe45df652bddf47141fd017cfd86b25c034608be23eb82035b3e7504765d4fdc9c42e1bbb3de4b132476a5e7156d83fe1982be283c9ea51e9cc8671

Download Submit
C:\PROGRA~1\FREERA~1\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMAMzwbd12.bat

Filesize
150B

MD5
a46b691be5eee69ff975ca45c311f018

SHA1
3b9bed578b7554252eb88f900ce398f25d01910a

SHA256
a29ce165a0fbd6c8dfec21c891ac2a4d385ef1f7b29e92ae46b131e6694628f4

SHA512
6b8acaa1871b6cb8d68bbabc48146b56f267abb329b9ac2357ac70911fd15bd668ff49260e12d54812fd4f066eed67e311414828ddbc3b9068b8b998edb9c08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
3d15f5598c7304d4620c459d16b672d6

SHA1
d5fd318f2347ef63c062aef5658c5ad5934107c6

SHA256
30d8d0e43a0eece7b003fbeb6077a07e910afe03199d3d0022fae0d4be94b7f6

SHA512
09c2b357d31851c209d078e3787407555710b2b837ad94f11f9d113259a7f8bdda199c2cea45ab6338d1a8e4ec94f0cb663f13260c4e47383886cb897e9b9a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
691B

MD5
97f94bb975876582715e95f7751546bb

SHA1
e1b07092d2454c2d95d8aa76bb44feedae59ce3e

SHA256
1b6df88776e4b304fe01c9f495e16fb7116a5eacea2579ea07146a6e2324f7c1

SHA512
7d1823c36abab4723094255fd98bfac8d9797f2e5d1c56930927e872ccb0f175c9046d63aaccb8ef3ebcd79adccb779c095e95cd277b383bf8c4f4ac4f2782f5

Download Submit
C:\Users\Admin\AppData\Roaming\simc.tmp

Filesize
10KB

MD5
cde16a780a318da6482a42536a61a3e3

SHA1
d5d1c33682e886ff811ee402cf11c6c4b5a905c5

SHA256
48bfcd9d959cc41e53854287127e3be044f97dca872fda43b998509fc33bf008

SHA512
4e138db65282383d0e4495af3babe8d46071b17d6fe6fee8676c9daa8867bd8f3a4a63fec5342b917787f6f041c6fd91e93f5cdf70a6f0907a2df997e14de9a4

Download Submit
C:\Users\Admin\AppData\Roaming\smap.tmp

Filesize
21KB

MD5
80cff53479e949f1ab1431395d854c61

SHA1
8f2842797f5cbb0434e7ca364a88f228124cb83c

SHA256
e80706bf5630f163ff90000e64ddda4477168b4d5e42ee3c6f5aece47b1c89a7

SHA512
70b4cd171764f6a9ce66a60c56067a5ce2786dfd55470b6310d929c4e3c69e21f27bffc3d8cd6b9a7fcaacb105793eb6e560894261a7f2bb6b51c6e3a20d5d22

Download Submit
memory/1320-135-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-126-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-100-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-97-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-113-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-120-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-124-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-134-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-139-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-140-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-150-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-151-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-156-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-141-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-167-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-172-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-170-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-169-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-166-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-165-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-164-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-163-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-96-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-131-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-129-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-128-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-127-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-98-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-125-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-122-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-119-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-118-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-116-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-115-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-111-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-110-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-90-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-89-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-93-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-104-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-92-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-99-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1320-95-0x00007FFD83A80000-0x00007FFD83AEE000-memory.dmp

Filesize
440KB

Download
memory/1416-108-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/1416-106-0x0000000000410000-0x0000000000419000-memory.dmp

Filesize
36KB

Download
memory/1416-248-0x0000000000410000-0x0000000000419000-memory.dmp

Filesize
36KB

Download
memory/4912-0-0x0000000000FA0000-0x0000000000FDC000-memory.dmp

Filesize
240KB

Download
memory/4912-1-0x00000000005E0000-0x00000000005E3000-memory.dmp

Filesize
12KB

Download
memory/4912-6-0x0000000000FA0000-0x0000000000FDC000-memory.dmp

Filesize
240KB

Download
memory/4912-12-0x00000000005E0000-0x00000000005E3000-memory.dmp

Filesize
12KB

Download
memory/4912-41-0x0000000000FA0000-0x0000000000FDC000-memory.dmp

Filesize
240KB

Download
memory/4948-252-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/4948-251-0x0000000075830000-0x000000007583A000-memory.dmp

Filesize
40KB

Download