8ed16ae084bcd11dfd3afd1024a3a5ad7ecf1472c58e9702ce782167c3c702ee

General

Target

25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe
Size

12.7MB
MD5

87d547b429a7f70782a58e22d5d8a1a7
SHA1

f6ecee70210c6deac2a3373c5091d03649629a09
SHA256

25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57
SHA512

16479252aa84bb31d1562862048e949365d92c02bbd986cf16df6b75a624164f301c95e89d74aae474a95735add3a9f6bbf56e4ab8b43da6f87838c14465ba43
SSDEEP

98304:Rs9fsGjSSww9XWwNs3e5MR68X//rRrjlyQtv/RfgomhNEcFgYUbEbtw:y9fdjUOLNzpq/DRrjlyuRfBmUcFgYBw

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2316	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	cmd.exe
3000	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft SvcHost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
3	ipinfo.io

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2184	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2184	2060	25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe	28
PID 2060 wrote to memory of 2184	2060	25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe	28
PID 2060 wrote to memory of 2184	2060	25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe	28
PID 2060 wrote to memory of 3000	2060	25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe	31
PID 2060 wrote to memory of 3000	2060	25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe	31
PID 2060 wrote to memory of 3000	2060	25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe	31
PID 3000 wrote to memory of 2316	3000	cmd.exe	33
PID 3000 wrote to memory of 2316	3000	cmd.exe	33
PID 3000 wrote to memory of 2316	3000	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe
"C:\Users\Admin\AppData\Local\Temp\25d5f014f7fce7c12201f4f2bbfcfba440b6a2970ad346c0850b4b2d9de6bd57.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "Add-MpPreference -ExclusionPath 'C:\'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\system32\cmd.exe
  cmd /C C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabCB8B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD7BE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.2MB

MD5
c5ccedd25b92cf5d272aaeb33def4abb

SHA1
df2ac04539f1234173acd185e142a41901864793

SHA256
5573d5e425b36663877a6240fd55c5b10cd1f526b9d41dc4725fd7cf1a7f4796

SHA512
1db563b5068e513dfc1c2059bb7e10f4e43a2167c53b33b51aa56e93810c76b28ed198c5f16fb7ea8c43ff53161c152a049a03755570495d719d22bd45dd5e46

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
365KB

MD5
81775ebb7f268f877021f08d2eeca3a3

SHA1
5ccac5b70c285728f4fc7242cd178409f50de2a3

SHA256
6f0d1160c323cf08d5986b5c8ebb0aa9aa64538cb0a8e665e2c10656385e5099

SHA512
c8d73de42f7fafa0fbff3360407796f4c0b971c2cb1396070a6e9f1bf641d1b4ba1f8657800400389a3216f76bea95cfdf59d1fa58d43e4e07ed9b43a3dd6a87

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
493KB

MD5
1d097024ff5b448a033110de8ca5cec3

SHA1
1074582d677523079b08e0a8193969a69ea6bc5d

SHA256
d9b44a092fc8e18d0bdc1f37b93e009d8e3d9112447f7401ab822d0cfe0a6668

SHA512
11c1ae9f42cd830463c97d19ab1180dd0971359e7ad4befd31f400893153ffe4859b6682229d5b5c7adc479ee93406862fb33f1539e76b4981e4a61e21f1ac49

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
941KB

MD5
d0304edc358450baef9737d7306adc9d

SHA1
24ef7660819b76b70296e6dc06978ca997472232

SHA256
45d6d9bf8fc647b0e7b3b7899466407fb6477b45db1c4de2c6ec99680dc4e482

SHA512
0571cddf4b11d362521217282b5640f04ff3cfb2eafb7eb6645085056dba8574bf97ff18274da6fa5130af8acdedc92dc2fe1ea4f90a2c30a4e132b18a5413b4

Download Submit
memory/2184-8-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2184-11-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2184-12-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-10-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-9-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2184-7-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2184-4-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2184-6-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2184-5-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads