090d5d30060dbb6b2996d52b30d5df1e3462c82c7187665eff7a3487d5281e49

General

Target

221f048e3687cbe802b04571ec1aad89.exe
Size

47KB
MD5

221f048e3687cbe802b04571ec1aad89
SHA1

2eebdf1a56048c66c9b2af9b92f3cc2dd69eec4f
SHA256

090d5d30060dbb6b2996d52b30d5df1e3462c82c7187665eff7a3487d5281e49
SHA512

5e5ee5334e653a7127bbeb1274ad56b1802bdfa8deb0542567211cbcbea66ae7f4600c73e96c22d5ff498875ccfa37747876b012ef40830ebe49f96559bcc08d
SSDEEP

768:xJ5u4is6jz8fIpNeoPmgYlwQ+ayxY+PJvH6LQTpjEtZtcTGIKct8iaaMQArPZK4l:xRMAfIpNeOWtbuJFS9cMy8ifMPjo

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	appstart.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	appstart.exe

Loads dropped DLL 4 IoCs

pid	Process
2292	221f048e3687cbe802b04571ec1aad89.exe
2292	221f048e3687cbe802b04571ec1aad89.exe
2736	appstart.exe
2736	appstart.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2292-12-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/2292-3-0x0000000000400000-0x0000000000427000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sporder.Dll	221f048e3687cbe802b04571ec1aad89.exe
File created	C:\Windows\SysWOW64\appstart.exe	221f048e3687cbe802b04571ec1aad89.exe
File created	C:\Windows\SysWOW64\SrvDll.dll	221f048e3687cbe802b04571ec1aad89.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	appstart.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	appstart.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2736	appstart.exe
480	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2736	appstart.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2736	2292	221f048e3687cbe802b04571ec1aad89.exe	14
PID 2292 wrote to memory of 2736	2292	221f048e3687cbe802b04571ec1aad89.exe	14
PID 2292 wrote to memory of 2736	2292	221f048e3687cbe802b04571ec1aad89.exe	14
PID 2292 wrote to memory of 2736	2292	221f048e3687cbe802b04571ec1aad89.exe	14

C:\Windows\SysWOW64\appstart.exe
"C:\Windows\system32\appstart.exe" delete C:\Users\Admin\AppData\Local\Temp\221f048e3687cbe802b04571ec1aad89.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Users\Admin\AppData\Local\Temp\221f048e3687cbe802b04571ec1aad89.exe
"C:\Users\Admin\AppData\Local\Temp\221f048e3687cbe802b04571ec1aad89.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\appstart.exe

Filesize
40KB

MD5
5cc1407ea4826d84153870ce1ccc6dec

SHA1
021aa793ff3bee26d9b89c725496e9d7d3dbfcb3

SHA256
d534eb0d6190e235ce5ce21a8373a7bb02c675b6a388d138897bfc5a6a185e63

SHA512
f6dfa2cd6b6489889e54437ed3e686972aceaf034bc5ac2a5dc310dd0db56cc597b7636136a82105a5d551ef27d7f69130846561c8c3b17ec56f9043ba0a8962

Download Submit
memory/2292-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2292-3-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2736-15-0x000000006C5F0000-0x000000006C710000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing