fc1859f620c59d3e70bb6f7e12ce963afaadae57c20edfff376c89b07f5a50a4

General

Target

14e0a4f87f833d3298b4856f1dc14ae0.exe
Size

564KB
MD5

14e0a4f87f833d3298b4856f1dc14ae0
SHA1

a147dbe8f655c0a032699f29c92b749291d74029
SHA256

fc1859f620c59d3e70bb6f7e12ce963afaadae57c20edfff376c89b07f5a50a4
SHA512

747a3d64e89cbc7e7b719851cefd83f4891bb7e55143963e2e413c3a91647537cab0b08d40f5d90b3b48d9be65dc9231833057ce4053ed41ba801d876dc39dd2
SSDEEP

12288:LNr8AzhxTY5O3R4YalsuKni4Lu9oSO4SVomdu3lW:LNrdxTQGzuoSyymdUE

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	14e0a4f87f833d3298b4856f1dc14ae0.exe

Executes dropped EXE 1 IoCs

pid	Process
2200	s1072.exe

Loads dropped DLL 4 IoCs

pid	Process
3020	14e0a4f87f833d3298b4856f1dc14ae0.exe
3020	14e0a4f87f833d3298b4856f1dc14ae0.exe
3020	14e0a4f87f833d3298b4856f1dc14ae0.exe
3020	14e0a4f87f833d3298b4856f1dc14ae0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	14e0a4f87f833d3298b4856f1dc14ae0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	14e0a4f87f833d3298b4856f1dc14ae0.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	s1072.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s1072.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s1072.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s1072.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3020	14e0a4f87f833d3298b4856f1dc14ae0.exe
2200	s1072.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	s1072.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2200	s1072.exe
2200	s1072.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2200	3020	14e0a4f87f833d3298b4856f1dc14ae0.exe	28
PID 3020 wrote to memory of 2200	3020	14e0a4f87f833d3298b4856f1dc14ae0.exe	28
PID 3020 wrote to memory of 2200	3020	14e0a4f87f833d3298b4856f1dc14ae0.exe	28
PID 3020 wrote to memory of 2200	3020	14e0a4f87f833d3298b4856f1dc14ae0.exe	28

C:\Users\Admin\AppData\Local\Temp\14e0a4f87f833d3298b4856f1dc14ae0.exe
"C:\Users\Admin\AppData\Local\Temp\14e0a4f87f833d3298b4856f1dc14ae0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\n1072\s1072.exe
  "C:\Users\Admin\AppData\Local\Temp\n1072\s1072.exe" ins.exe /e 12848026 /u 50d1d9d5-cf90-407c-820a-35e05bc06f2f /h b04302.api.socdn.com /v "C:\Users\Admin\AppData\Local\Temp\14e0a4f87f833d3298b4856f1dc14ae0.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n1072\s1072.exe

Filesize
110KB

MD5
223f05356942449465211022ab8ff381

SHA1
307bfc7fe8f6b04464f19c052e28d5ffa7826f09

SHA256
6265eb541c25cdd8e931e38c8591edc117724162d926f80ff677e9651a4926f2

SHA512
b90ea45d06bbcf6a09cef34cee62e616ed2b4a0049ab84b0d42e1db3e5c8e54661dff9f70e78100669f7b59f3afffef9cb2869500a03442115e9f8fbf88939f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1072\s1072.exe

Filesize
101KB

MD5
842f64c63dcbcd8ad412839a63239856

SHA1
ff2277fadb6eab5d3337af9c1fd0e190784066a7

SHA256
29606f49680bef555c5a60718b49c9866f78597d69238676fe15e82322c45c6e

SHA512
141f9a68a9a99e87b83306a329de655e57c5df8b530b8b12b6e2715cd03d902652820af00515e82c19560dce37aa71f71ea393607b11e76682a59fc93ab7b85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1072\s1072.exe

Filesize
124KB

MD5
4be66bf4ed3b908d01926f586c7822c7

SHA1
01ecfac25337014563130f58e3bf9ca1cd751714

SHA256
9019d5e73a2898d80b4b007f7b819ade3d7a1815905bcf5db7c49686e7d2028e

SHA512
747a887068893a5328d6c026a68a1c343f852dc942f0cc9688942d24593223124c3bb4b037a53f92321de34583b6749eb5bc76b2e6c26d986fd593d4cc7153c3

Download Submit
\Users\Admin\AppData\Local\Temp\n1072\s1072.exe

Filesize
145KB

MD5
6ee62a8f0aa17a47fffb3fc3b4950813

SHA1
a106d7a1f0b08b1d92fd797b7a0e2a8869427c4f

SHA256
55d2287530c5af24135a464709cf334935980a41c493511f0731c162ddb3c560

SHA512
0d8773172036561b5627c7c6632c12e6da3435da92bbb491596856761c2f2b4ffb6724e17f5b9eff3f81316d217f1841772378f8068e0c103728a4dfeac9ef22

Download Submit
\Users\Admin\AppData\Local\Temp\n1072\s1072.exe

Filesize
113KB

MD5
7f0bdc4484cc01ecaafc540781b80585

SHA1
e64bea30fec84d5301a34e9d696e50fb6da4b8a2

SHA256
787b0fff6fccd69cbc722fcdf551a92fbdb3e36f014dc4f76c46a179b568710f

SHA512
57490bf01998454edc3745ceeb3f51849dcfcd199349d104a4dc0e0665f773b11655e0fbc5b647bfbebc2845af30fdcd1fd85d75bbe3c59e8743ec3100ef07b2

Download Submit
\Users\Admin\AppData\Local\Temp\n1072\s1072.exe

Filesize
411KB

MD5
13b0085a03720e67fb8c73db3f14609e

SHA1
ddf811f21e6c066b644d03e6751e16efb0fbecce

SHA256
f9449897f9ca99b99837ad322c8b6737e7a47e3827b6a4c073c6ca8911d8c340

SHA512
39b95dce14b3eea6f191d4dbaaff87ebbc8f3b6982e7b4ee5ebeed83d3b7397441665f25dec5eb9f8a1f3b12f4ddcd604d5852b781f592488263161c0d620e82

Download Submit
\Users\Admin\AppData\Local\Temp\n1072\s1072.exe

Filesize
186KB

MD5
0298eb825a482b99b678b9d9ebe8554a

SHA1
6814751bc2e8fb743e1e69b51bbfacbd4f70986e

SHA256
7d23bdba123a3efa54d84540d6d29a7e4c9fcf1607f38aa9e0eda1c5672dcb8a

SHA512
5b05bfe8b3a40af1b9837a00256c4a3bb86aaaa81671b769dda17bc73bb5b4f297709d279bfdd8de2c6e44b0f3495ef3640bde88450dba32a3d106c2e076e13e

Download Submit
memory/2200-77-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-81-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-74-0x0000000000F70000-0x0000000000F7E000-memory.dmp

Filesize
56KB

Download
memory/2200-75-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-76-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-18-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-78-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2200-79-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2200-82-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-17-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2200-80-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-83-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-84-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-85-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-86-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-88-0x0000000000AE0000-0x0000000000B60000-memory.dmp

Filesize
512KB

Download
memory/2200-87-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads