955d5d2bf1cd67196b174dde14c9871b37c72b08777915836cb246b86e3e68ba

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cd0aa65d375f9edb94986ff5785834d.exe
Size

200KB
MD5

4cd0aa65d375f9edb94986ff5785834d
SHA1

8c3a4811588a9281011542decd827daf028eb4f2
SHA256

955d5d2bf1cd67196b174dde14c9871b37c72b08777915836cb246b86e3e68ba
SHA512

07423da446e8dd68873028336a1420567a633646142ce63e7498f60ef94f36b1303c2e8a71ac126300a51a086e58e3126a54b8c2a585a07dd6f05449ac616ace
SSDEEP

6144:jD/SXeNQCJXtEpIE5nVWJVErxIgldFaobgVl:iuNtJXjE5nV2VSldFaobgVl

Score

8^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Windows Service

T1543.003

pid	Process
2780	netsh.exe
2760	netsh.exe
2096	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cd0aa65d375f9edb94986ff5785834d.exe	4cd0aa65d375f9edb94986ff5785834d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cd0aa65d375f9edb94986ff5785834d.exe	4cd0aa65d375f9edb94986ff5785834d.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	4cd0aa65d375f9edb94986ff5785834d.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	4cd0aa65d375f9edb94986ff5785834d.exe
2064	4cd0aa65d375f9edb94986ff5785834d.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4cd0aa65d375f9edb94986ff5785834d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4cd0aa65d375f9edb94986ff5785834d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4cd0aa65d375f9edb94986ff5785834d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4cd0aa65d375f9edb94986ff5785834d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2064	4cd0aa65d375f9edb94986ff5785834d.exe
2264	4cd0aa65d375f9edb94986ff5785834d.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2264	2064	4cd0aa65d375f9edb94986ff5785834d.exe	28
PID 2064 wrote to memory of 2264	2064	4cd0aa65d375f9edb94986ff5785834d.exe	28
PID 2064 wrote to memory of 2264	2064	4cd0aa65d375f9edb94986ff5785834d.exe	28
PID 2064 wrote to memory of 2264	2064	4cd0aa65d375f9edb94986ff5785834d.exe	28
PID 2264 wrote to memory of 2792	2264	4cd0aa65d375f9edb94986ff5785834d.exe	29
PID 2264 wrote to memory of 2792	2264	4cd0aa65d375f9edb94986ff5785834d.exe	29
PID 2264 wrote to memory of 2792	2264	4cd0aa65d375f9edb94986ff5785834d.exe	29
PID 2264 wrote to memory of 2792	2264	4cd0aa65d375f9edb94986ff5785834d.exe	29
PID 2792 wrote to memory of 2780	2792	cmd.exe	31
PID 2792 wrote to memory of 2780	2792	cmd.exe	31
PID 2792 wrote to memory of 2780	2792	cmd.exe	31
PID 2792 wrote to memory of 2780	2792	cmd.exe	31
PID 2264 wrote to memory of 2732	2264	4cd0aa65d375f9edb94986ff5785834d.exe	32
PID 2264 wrote to memory of 2732	2264	4cd0aa65d375f9edb94986ff5785834d.exe	32
PID 2264 wrote to memory of 2732	2264	4cd0aa65d375f9edb94986ff5785834d.exe	32
PID 2264 wrote to memory of 2732	2264	4cd0aa65d375f9edb94986ff5785834d.exe	32
PID 2732 wrote to memory of 2760	2732	cmd.exe	34
PID 2732 wrote to memory of 2760	2732	cmd.exe	34
PID 2732 wrote to memory of 2760	2732	cmd.exe	34
PID 2732 wrote to memory of 2760	2732	cmd.exe	34
PID 2264 wrote to memory of 1752	2264	4cd0aa65d375f9edb94986ff5785834d.exe	39
PID 2264 wrote to memory of 1752	2264	4cd0aa65d375f9edb94986ff5785834d.exe	39
PID 2264 wrote to memory of 1752	2264	4cd0aa65d375f9edb94986ff5785834d.exe	39
PID 2264 wrote to memory of 1752	2264	4cd0aa65d375f9edb94986ff5785834d.exe	39
PID 1752 wrote to memory of 2096	1752	cmd.exe	41
PID 1752 wrote to memory of 2096	1752	cmd.exe	41
PID 1752 wrote to memory of 2096	1752	cmd.exe	41
PID 1752 wrote to memory of 2096	1752	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\4cd0aa65d375f9edb94986ff5785834d.exe
"C:\Users\Admin\AppData\Local\Temp\4cd0aa65d375f9edb94986ff5785834d.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe
  "C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiii\nxdyalu.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe" profile=All
      4⤵
      Modifies Windows Firewall
      PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiii\moswtop.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\netsh.exe
      netsh.exe firewall add allowedprogram PROGRAM="C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe" NAME="lvideo" MODE=ENABLE PROFILE=ALL
      4⤵
      Modifies Windows Firewall
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\jiii\rrqexjvbb.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram program="C:\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe" profile=All
      4⤵
      Modifies Windows Firewall
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jiii\d.vbs

Filesize
304B

MD5
f29420d2c10ce8f8071f6ea7787e7ac2

SHA1
7779bc3048f7e79ea50ca6fa1e436c1ab079139e

SHA256
04ac562613efabc8a5c3737600840f342ff07d67edf6a9f35e54af476a9e6273

SHA512
cef1010dba4e13b0dc81dba96b216d5eb6b4c72b7ea131d5054d71ef4acc10f47dbb51baa2e0226e8b8be365d0424e53513700d18c13a845a9062714df3dde7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiii\moswtop.bat

Filesize
225B

MD5
1971b1b28e1b87e0b2f6d90b1428c8a4

SHA1
e7e3bc867f5a0ffaacbcb189e3423d6780896945

SHA256
b42b4df0c8285ed8de80d6f1b51a8bb71f9cc3258cf61f010e7d83b88c8ede20

SHA512
711ec88b63ef1afcb03c76c0431f89222f3baedfe95dfb32bc5a88f46cb9166ac3016bfa547f8ae82c941939e97730f41a6e6ba4072cf23e0227294bf82e9445

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiii\nxdyalu.bat

Filesize
198B

MD5
e8e8d5304c47d9230ab038037fcf8760

SHA1
92b00902b0c01b33d288e7b10cb6077aa24c3d5d

SHA256
c0a06cb111326bd634ce7dba187ad9db9dcc557b1b68efd48cc0288dbfb3116c

SHA512
6ce004dbe6ecca272f104265d9c6a3ebe8c2e44ed6faec7ff86b2059138be44e161a4c4504b3d0a2d6ab3a51975ab1f31dd2a511d0f5a91d6c69d951bb859198

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiii\rrqexjvbb.bat

Filesize
200B

MD5
f878aba9bfaa7fd60646d1cea072a0fd

SHA1
efa6839e232f4d463ce08c355b9b2ee7938f2d9d

SHA256
6ca435564b53947468ffcb0714f7b995bd53fdf2461d8eece9b7eece80958abb

SHA512
af41b729f7762b4015827327b85814745a5ffa08496362a1afe2d112b3dc078bba5dfe37999b7f4048a2add4343e466fea033fe81104f0e596c51fa091fa6379

Download Submit
\Users\Admin\AppData\Local\Temp\jiii\4cd0aa65d375f9edb94986ff5785834d.exe

Filesize
200KB

MD5
4cd0aa65d375f9edb94986ff5785834d

SHA1
8c3a4811588a9281011542decd827daf028eb4f2

SHA256
955d5d2bf1cd67196b174dde14c9871b37c72b08777915836cb246b86e3e68ba

SHA512
07423da446e8dd68873028336a1420567a633646142ce63e7498f60ef94f36b1303c2e8a71ac126300a51a086e58e3126a54b8c2a585a07dd6f05449ac616ace

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads