0b1ba550b6365d2f2a5dc7cbcaf4624c9d028e13d2ddd5bc69b3481b103d0789

General

Target

1613468c1ec5d4771a928d8957aa50d2.exe
Size

1.4MB
MD5

1613468c1ec5d4771a928d8957aa50d2
SHA1

e61d9b7f229307c6f578d86817721a5f01952cc9
SHA256

0b1ba550b6365d2f2a5dc7cbcaf4624c9d028e13d2ddd5bc69b3481b103d0789
SHA512

02c4e8ab5f3f4e14857b33dbf3ae78151f726b679199be94c2fef9f2b1349acebbed2dd830ddccb0b037dbf32eea72275b0d574eb691f5451512f6f772efbf29
SSDEEP

24576:I8JWFWNaOvknjVHX1OE5DmvDtM29TY2mFHPc5DMRD1z4SnRbcGI8Ogc:b6WcbnjxTSv5rYVvmg4SnF8D

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1684	services32.exe
2896	sihost32.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	1613468c1ec5d4771a928d8957aa50d2.exe
1684	services32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1920	schtasks.exe
1524	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	services32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3032	1613468c1ec5d4771a928d8957aa50d2.exe
1684	services32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	1613468c1ec5d4771a928d8957aa50d2.exe
Token: SeDebugPrivilege	1684	services32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 772	3032	1613468c1ec5d4771a928d8957aa50d2.exe	29
PID 3032 wrote to memory of 772	3032	1613468c1ec5d4771a928d8957aa50d2.exe	29
PID 3032 wrote to memory of 772	3032	1613468c1ec5d4771a928d8957aa50d2.exe	29
PID 772 wrote to memory of 1920	772	cmd.exe	31
PID 772 wrote to memory of 1920	772	cmd.exe	31
PID 772 wrote to memory of 1920	772	cmd.exe	31
PID 3032 wrote to memory of 1684	3032	1613468c1ec5d4771a928d8957aa50d2.exe	32
PID 3032 wrote to memory of 1684	3032	1613468c1ec5d4771a928d8957aa50d2.exe	32
PID 3032 wrote to memory of 1684	3032	1613468c1ec5d4771a928d8957aa50d2.exe	32
PID 1684 wrote to memory of 1864	1684	services32.exe	34
PID 1684 wrote to memory of 1864	1684	services32.exe	34
PID 1684 wrote to memory of 1864	1684	services32.exe	34
PID 1864 wrote to memory of 1524	1864	cmd.exe	35
PID 1864 wrote to memory of 1524	1864	cmd.exe	35
PID 1864 wrote to memory of 1524	1864	cmd.exe	35
PID 1684 wrote to memory of 2896	1684	services32.exe	36
PID 1684 wrote to memory of 2896	1684	services32.exe	36
PID 1684 wrote to memory of 2896	1684	services32.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1613468c1ec5d4771a928d8957aa50d2.exe
"C:\Users\Admin\AppData\Local\Temp\1613468c1ec5d4771a928d8957aa50d2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1920
- C:\Users\Admin\AppData\Local\Temp\services32.exe
  "C:\Users\Admin\AppData\Local\Temp\services32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1524
- - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
    3⤵
    - Executes dropped EXE
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\services32.exe

Filesize
1.3MB

MD5
660305e5d4e0f2ad1078c8959c659258

SHA1
f9278d724cdd93de89af4efd8026f7ec1368af11

SHA256
1a3f9f2c343d343b4e8b2ccd0f9f5fe930a4239ffac765137e291ac99ec27ec2

SHA512
a07e3af19117202ef4f2421a16082ed643bbdfed31556bf1742307fecf780ea8a4e5708dbb41d8d9f0dea1dae4dfbc255c84c3c30e41b6490272acc0cff41c8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
87fa77a8ced378ccb1fa67be7ef248cc

SHA1
3299cfb28bf591d17d8277ccacf460e9181f084d

SHA256
018b4218a85bc8e5b7790c79d41996b90d61177c373b12fd1bc24dcb780cbb51

SHA512
36767b9b658aa72c07fba2028c20ac6234004dd7af7a72e5c6698401e889c5037aa52a2f8b5775319379753b80bf76ffee4196c07f6c270da2765c46203ee3d6

Download Submit
\??\c:\users\admin\appdata\local\temp\services32.exe

Filesize
841KB

MD5
76b178795b46ad98ce5e7695ab0854b2

SHA1
5a60783d6430d87642620a98149680b4ec549a5b

SHA256
879b7b2e3203abb1082a52370c7a3396b9c8c4a888287acb1bef650563b8cbcf

SHA512
c8bb18a4f0c354f79d36b6c20d157e7a0f510608de19573a4c3c9a09820fddcbbc7b3184266d06f458cfe98a816cf4a6783b2dfde9f47eb84d484454750728bb

Download Submit
\Users\Admin\AppData\Local\Temp\services32.exe

Filesize
1.3MB

MD5
409253392d3474956de20e74c9d8c91d

SHA1
a484af9c5b9d739be870fc24b60a9f0ca435c9d1

SHA256
d78c70c4f296dd74f5f9eb3d48bd0c3370659f95107ecd3e4868ec2a8b554f57

SHA512
051bf95646b9f6661edc162f07c8a020748c1405ed6ca39522c6ed35e119741a5d82dfa96af2fa7b63f5dee2cbbd998c5467712562cffd631592afb8f8dd954a

Download Submit
memory/1684-29-0x000000001C490000-0x000000001C510000-memory.dmp

Filesize
512KB

Download
memory/1684-39-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1684-25-0x000000013F3B0000-0x000000013F9A4000-memory.dmp

Filesize
6.0MB

Download
memory/1684-41-0x000000001C490000-0x000000001C510000-memory.dmp

Filesize
512KB

Download
memory/1684-49-0x000000013F3B0000-0x000000013F9A4000-memory.dmp

Filesize
6.0MB

Download
memory/1684-28-0x000000013F3B0000-0x000000013F9A4000-memory.dmp

Filesize
6.0MB

Download
memory/1684-50-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1684-21-0x0000000077230000-0x0000000077240000-memory.dmp

Filesize
64KB

Download
memory/1684-22-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2896-37-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2896-36-0x000000013F300000-0x000000013F306000-memory.dmp

Filesize
24KB

Download
memory/2896-43-0x000000001BD00000-0x000000001BD80000-memory.dmp

Filesize
512KB

Download
memory/2896-42-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-18-0x000000001D5B0000-0x000000001DBA4000-memory.dmp

Filesize
6.0MB

Download
memory/3032-9-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/3032-8-0x000000001C4B0000-0x000000001C530000-memory.dmp

Filesize
512KB

Download
memory/3032-26-0x000000013F080000-0x000000013F674000-memory.dmp

Filesize
6.0MB

Download
memory/3032-0-0x000000013F080000-0x000000013F674000-memory.dmp

Filesize
6.0MB

Download
memory/3032-6-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-5-0x000000013F080000-0x000000013F674000-memory.dmp

Filesize
6.0MB

Download
memory/3032-27-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-23-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-4-0x000000013F080000-0x000000013F674000-memory.dmp

Filesize
6.0MB

Download
memory/3032-2-0x0000000077230000-0x0000000077240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads