c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
Size

536KB
MD5

a6a924a5c4ed261b5956a30c4e121796
SHA1

fff4771718b680529fdf25c0412967e135bf2893
SHA256

c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca
SHA512

7cb64e770c63ce071861a608de607ed3d2a38b471be91525b57af609b580a680a31cd35fa586a3ce4c2f3d062ce29f629b976068293bc0751d34b9de504d5872
SSDEEP

12288:zhf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:zdQyDLzJTveuK0/Okx2LF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-2-0x0000000000D00000-0x0000000000E02000-memory.dmp	upx
behavioral1/memory/1732-92-0x0000000000D00000-0x0000000000E02000-memory.dmp	upx
behavioral1/memory/1732-629-0x0000000000D00000-0x0000000000E02000-memory.dmp	upx
behavioral1/memory/1732-715-0x0000000000D00000-0x0000000000E02000-memory.dmp	upx
behavioral1/memory/1732-788-0x0000000000D00000-0x0000000000E02000-memory.dmp	upx
behavioral1/memory/1732-903-0x0000000000D00000-0x0000000000E02000-memory.dmp	upx
behavioral1/memory/1732-912-0x0000000000D00000-0x0000000000E02000-memory.dmp	upx

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	223.5.5.5

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1da708	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
Token: SeTcbPrivilege	1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
Token: SeDebugPrivilege	1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
Token: SeDebugPrivilege	1380	Explorer.EXE
Token: SeTcbPrivilege	1380	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1380	1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe	7
PID 1732 wrote to memory of 1380	1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe	7
PID 1732 wrote to memory of 1380	1732	c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe	7

C:\Users\Admin\AppData\Local\Temp\c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe
"C:\Users\Admin\AppData\Local\Temp\c4181c73144e1c2fd71359c5c895866eb08f19101a0e89f1dd14978d773d4cca.exe"
1⤵
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
6KB

MD5
302ec1659c2934b3c94c4f592d28ade6

SHA1
9870fc41f8d4ecea4f5e944fea7a5cc551b6134e

SHA256
6721481629d83ae587c62f6b9e15a4733fc85b47427e437965feec3f761d3c36

SHA512
e1c9afdd854bd111ed3b2d6e288a66b10065fefd904470a5e7de11e53ff47793adc93c92b1cec44f5176141f9659df1b4360b817167b86fbfa3abadb6bb7acd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
827f21f8ebf7372ef3f1458d7e54e1fc

SHA1
78ae76aee4c4adf1f1aaaa5cffac8298d3fa600c

SHA256
7059b416d56914690a19530ce9bac7954b6a3c4a4119d7bb6bae71e6f9f50e9d

SHA512
5057006dc2ec774ad88831d86958b236e3accb546962a1b5e885a755df0ee6cc3cd43ae123bf060ec4eabed7fc8f9f35c523ba2fc4643dec163841f6898c8251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
28a2d31c6e7afedb94e33d7a6f1dc3c3

SHA1
103dd91b8fa2df16d90d7790dcd05bfea50d8e16

SHA256
51ceb811ee69b22540d391287a5cc52d52f75e9e24b492505c48070f85a62620

SHA512
80cb35e634f9874b964acc81174082e2d3c70aeb1a7cc5a9a157e69ad14d6aca819ae5052e3d013aef8bc879ad3b121d209ee9071a22984d6491b0339ca070fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9cbb65a427b426f920eb79e19205d7e4

SHA1
e9bde3400a3d9f821e84e42c676277cf2e5f5a98

SHA256
9614f930955c666e7d4b33f1cc62b21611e4c74a14c7d85d04ec6180feaa7add

SHA512
9651c9d43f4761daa4691631d58c53dfe10d08d61da846f54d73b1ad8db58b6f3af580a246adfef960f711cc913ff46adcfd9c1da51514c5bccb78b17fa990aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f783904e470d832aaa43a88410a64386

SHA1
61be5138e2fcf6fc6bc9eb9959a5fd786c0da062

SHA256
af94a1989c6b134b0117e4532768326efb6ffd7b17734462ecde64a1346c766d

SHA512
61e5430a603affcde4d445157e13a45c66f74471213c12299f9eec9b27118d453b11348d65ae42de1420be21820497a7b078910fca36baeddee87a4a51fd16f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
78cfd857ceef4f8efb89ca13b7447938

SHA1
76e12160aae4017bb381695060a8c53e4d8f3886

SHA256
381dc13149e21279eefa422f3e6b33026bce916aa0fa5738a68393e901ef8631

SHA512
15a41c4e955d3d1bd60007cf5f978dbe025c00317e29b6371307ce7dca2f5d5e57a54c272489721ef52a2e534eb9d15d441f1e4c3292ffe0026f8e23bb85f114

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar218A.tmp

Filesize
156KB

MD5
297bbb51a3cfca784cbe40e08b0054be

SHA1
030f6b58004695710883450bf29574800dee4b8c

SHA256
630f3b7fbe43c382ee1ac4d1e83d732cf346edda8bfaef5068924a667065bf51

SHA512
1ac491b677319125852656431032bdfc33862b72f4f10369173d404aec54d79fa104dbb9fdabde5dec26be13a115f9bdeac18e4361a942441294e849559d87f6

Download Submit
memory/1380-3-0x0000000002530000-0x0000000002533000-memory.dmp

Filesize
12KB

Download
memory/1380-382-0x0000000004190000-0x0000000004209000-memory.dmp

Filesize
484KB

Download
memory/1380-6-0x0000000002530000-0x0000000002533000-memory.dmp

Filesize
12KB

Download
memory/1380-7-0x0000000004190000-0x0000000004209000-memory.dmp

Filesize
484KB

Download
memory/1380-4-0x0000000004190000-0x0000000004209000-memory.dmp

Filesize
484KB

Download
memory/1732-629-0x0000000000D00000-0x0000000000E02000-memory.dmp

Filesize
1.0MB

Download
memory/1732-2-0x0000000000D00000-0x0000000000E02000-memory.dmp

Filesize
1.0MB

Download
memory/1732-92-0x0000000000D00000-0x0000000000E02000-memory.dmp

Filesize
1.0MB

Download
memory/1732-715-0x0000000000D00000-0x0000000000E02000-memory.dmp

Filesize
1.0MB

Download
memory/1732-788-0x0000000000D00000-0x0000000000E02000-memory.dmp

Filesize
1.0MB

Download
memory/1732-903-0x0000000000D00000-0x0000000000E02000-memory.dmp

Filesize
1.0MB

Download
memory/1732-912-0x0000000000D00000-0x0000000000E02000-memory.dmp

Filesize
1.0MB

Download