a4bd7a14d8880dcd896ffc5a1452c49c376bf15bf0b2dd5c0f985f416ec31e5b

General

Target

10efe8ea205b7f0d4248fe499acc3fc9.exe
Size

975KB
MD5

10efe8ea205b7f0d4248fe499acc3fc9
SHA1

07a7a7c90ba3ec9615668255d6a4fb816d10b2d9
SHA256

a4bd7a14d8880dcd896ffc5a1452c49c376bf15bf0b2dd5c0f985f416ec31e5b
SHA512

d3b6d2f00f1f4f15ae763c38e48649346d4e631db62c869b9ffe90048c42e3970466f44cff0da08fcf90ff30bddbdba1fdd5dc6f908060b40bf2a4a0330db123
SSDEEP

12288:hu7Y7O4wXvNpWEbfmbEsnjDFXKTYvnqFoQi2kn3tQbJ:hpBRkYvwDmdQbJ

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4536-136-0x00000000053E0000-0x000000000563D000-memory.dmp	upx
behavioral2/memory/4536-160-0x00000000053E0000-0x000000000563D000-memory.dmp	upx
behavioral2/memory/4536-161-0x00000000053E0000-0x000000000563D000-memory.dmp	upx
behavioral2/memory/4536-162-0x00000000053E0000-0x000000000563D000-memory.dmp	upx
behavioral2/memory/4536-175-0x00000000053E0000-0x000000000563D000-memory.dmp	upx
behavioral2/memory/4536-181-0x00000000053E0000-0x000000000563D000-memory.dmp	upx

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	10efe8ea205b7f0d4248fe499acc3fc9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	10efe8ea205b7f0d4248fe499acc3fc9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	10efe8ea205b7f0d4248fe499acc3fc9.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeIncreaseQuotaPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeSecurityPrivilege	2268	msiexec.exe
Token: SeCreateTokenPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeAssignPrimaryTokenPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeLockMemoryPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeIncreaseQuotaPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeMachineAccountPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeTcbPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeSecurityPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeTakeOwnershipPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeLoadDriverPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeSystemProfilePrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeSystemtimePrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeProfSingleProcessPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeIncBasePriorityPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeCreatePagefilePrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeCreatePermanentPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeBackupPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeRestorePrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeShutdownPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeDebugPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeAuditPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeSystemEnvironmentPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeChangeNotifyPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeRemoteShutdownPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeUndockPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeSyncAgentPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeEnableDelegationPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeManageVolumePrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeImpersonatePrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
Token: SeCreateGlobalPrivilege	4604	10efe8ea205b7f0d4248fe499acc3fc9.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
4604	10efe8ea205b7f0d4248fe499acc3fc9.exe
4604	10efe8ea205b7f0d4248fe499acc3fc9.exe

C:\Users\Admin\AppData\Local\Temp\10efe8ea205b7f0d4248fe499acc3fc9.exe
"C:\Users\Admin\AppData\Local\Temp\10efe8ea205b7f0d4248fe499acc3fc9.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4604
- C:\Program Files\DriverUpdate\DriverUpdate.exe
  "C:\Program Files\DriverUpdate\DriverUpdate.exe" -installscan
  2⤵
  PID:4536
- - C:\Users\Admin\AppData\Local\SlimWare Utilities Inc\DriverUpdate\SCP-setup.exe
    "C:\Users\Admin\AppData\Local\SlimWare Utilities Inc\DriverUpdate\SCP-setup.exe"
    3⤵
    PID:2224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B30A2B0EDABB05CBE98F8DB04D5B47EE
  2⤵
  PID:864

C:\Program Files\SlimWare Utilities\Services\SlimWare.Services.exe
"C:\Program Files\SlimWare Utilities\Services\SlimWare.Services.exe"
1⤵
PID:4988

C:\Program Files\SlimWare Utilities\Services\SlimWare.Session.exe
"C:\Program Files\SlimWare Utilities\Services\SlimWare.Session.exe" -Embedding
1⤵
PID:5112

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_90968CAB679DC8A66D51322A089E7CBE

Filesize
1KB

MD5
db9e3e672f17b7bba997823ad00deacd

SHA1
fe821c385ea582d611fe931726ccfca0845bf5b6

SHA256
1a6834068d91f8b25f4632c442efb6f5b196980d2d45d7ee2bd5d8d179e4db1e

SHA512
c851e52777ba73710d665845bb50c522f2a18ab1fb97a008e81f55c4c8c53a91bb88bd52f61c118a00bd47b7fcf949aa02c045a9da8e6c1dd3832b36f9724f40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_90968CAB679DC8A66D51322A089E7CBE

Filesize
398B

MD5
c1c35e7bbcd76a8683f07b4f297d1b49

SHA1
d6530eccfcfee0512d1f28254e833618085bef3f

SHA256
9c8987d9773dd517ed78736fc45ad6ff274a29deb2444913669f4530c1e0813a

SHA512
e12cf050a67785d6a6abc94274a1079bc481005e701763fd6b84e60aace53fa5892daee41b69ae838190f2bc45fa4ab2264ff932b10f922ea967f8d8e55839cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\swu441D.tmp.msi

Filesize
175KB

MD5
1dbc65c4d4d71ad7feec2dffd3d70b67

SHA1
49f0536f39b1ba47edbfaff7699088e693463adb

SHA256
b9417c51026971e26d70a11273d4b7d13e1acc48be37c6832ea7691c539a13d6

SHA512
3ca4d1b1d45bf6bd0a20e933850280dd80c9a835b096d8130baaac27061821c79a2430112f3122e4b5a3be53f65bcde81a1dae6e31c340a6edb60946075d03fb

Download Submit
C:\Windows\Installer\MSI61B7.tmp

Filesize
92KB

MD5
cf6d6051fc1d00f5bf91b6b3730f7b24

SHA1
4d048361e9da975340d60ddbfe553dd1f81617bd

SHA256
2236e80b649065707cbbd6fe673ed8309e2658a65d3ee2059a7a22dc685bbfbf

SHA512
537071166d635ac3f129e90dd81a7ee34f1d97f87761f547c66b4e5f0b8c63a19be5cce76ef90f89045c946e581ebd774363441dab259108e0d2de3e24807dbd

Download Submit
memory/4536-136-0x00000000053E0000-0x000000000563D000-memory.dmp

Filesize
2.4MB

Download
memory/4536-160-0x00000000053E0000-0x000000000563D000-memory.dmp

Filesize
2.4MB

Download
memory/4536-161-0x00000000053E0000-0x000000000563D000-memory.dmp

Filesize
2.4MB

Download
memory/4536-162-0x00000000053E0000-0x000000000563D000-memory.dmp

Filesize
2.4MB

Download
memory/4536-175-0x00000000053E0000-0x000000000563D000-memory.dmp

Filesize
2.4MB

Download
memory/4536-181-0x00000000053E0000-0x000000000563D000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing