a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581

General

Target

a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
Size

274KB
MD5

fd13dcd6428a6705db752e761ee80092
SHA1

4008d25c9171c4ccc5b5579cb8142852ca6fe603
SHA256

a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581
SHA512

4f68fe020a6f825185a5ae21c7f9f364a3273491dfc88ca118576339b6e7171c57e464c22a11e324d31b8ee1141461ade797b953c7b04876062139b4a389f28c
SSDEEP

6144:fbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:fPcrfR6ZnOkx2LIa

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1208	Explorer.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2668-0-0x0000000000220000-0x00000000002AC000-memory.dmp	upx
behavioral1/memory/2668-65-0x0000000000220000-0x00000000002AC000-memory.dmp	upx
behavioral1/memory/2668-66-0x0000000000220000-0x00000000002AC000-memory.dmp	upx
behavioral1/memory/2668-108-0x0000000000220000-0x00000000002AC000-memory.dmp	upx
behavioral1/memory/2668-145-0x0000000000220000-0x00000000002AC000-memory.dmp	upx
behavioral1/memory/2668-194-0x0000000000220000-0x00000000002AC000-memory.dmp	upx
behavioral1/memory/2668-222-0x0000000000220000-0x00000000002AC000-memory.dmp	upx

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	223.5.5.5
Destination IP	223.5.5.5
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1208-523-0x0000000008A60000-0x0000000008D0B000-memory.dmp	vmprotect
behavioral1/memory/1208-525-0x0000000008A60000-0x0000000008D0B000-memory.dmp	vmprotect
behavioral1/memory/1208-531-0x0000000008A60000-0x0000000008D0B000-memory.dmp	vmprotect

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\err_2668.log	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
File created	C:\Windows\Help\powercfg.exe	Explorer.EXE
File opened for modification	C:\Windows\Help\powercfg.exe	Explorer.EXE

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
1208	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
Token: SeTcbPrivilege	2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
Token: SeDebugPrivilege	2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
Token: SeDebugPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1208	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1208	2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe	14
PID 2668 wrote to memory of 1208	2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe	14
PID 2668 wrote to memory of 1208	2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe	14
PID 2668 wrote to memory of 1208	2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe	14
PID 2668 wrote to memory of 1208	2668	a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe	14
PID 1208 wrote to memory of 1732	1208	Explorer.EXE	32
PID 1208 wrote to memory of 1732	1208	Explorer.EXE	32
PID 1208 wrote to memory of 1732	1208	Explorer.EXE	32
PID 1208 wrote to memory of 1732	1208	Explorer.EXE	32
PID 1208 wrote to memory of 1732	1208	Explorer.EXE	32
PID 1208 wrote to memory of 1732	1208	Explorer.EXE	32
PID 1208 wrote to memory of 1732	1208	Explorer.EXE	32
PID 1208 wrote to memory of 1732	1208	Explorer.EXE	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe
  "C:\Users\Admin\AppData\Local\Temp\a5bc37cf5d0bafdf8e156f6a5ac46d14c92afe8aa202e36599a8703b5fb6d581.exe"
  2⤵
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- C:\Windows\Help\powercfg.exe
  "C:\Windows\Help\powercfg.exe"
  2⤵
  PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8a65ea422b224f5e71edbf4a1819dbd

SHA1
3574bf23db5928874a2808b2031052480208bf0a

SHA256
0f38d2899e133464a45f6259ce1264b0d5fa07b895cde8fab680935683dbbed0

SHA512
e14976ad56cce8a1a6f5d0623bfb803d3a106761749648a3954d032e91c08ebbfc75937c9943f8e2494cfca88d28fc686b0e2437d5daa57d5839ed485446d511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab845E.tmp

Filesize
45KB

MD5
dc38d629e51926a750b443772d7c8c65

SHA1
2868765523e76b2e6706f18ecb665f4631a00d00

SHA256
21a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883

SHA512
beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9AFD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Help\powercfg.exe

Filesize
69KB

MD5
f779ee89cd1f679c91ab8848c978f086

SHA1
a2fdcc215c1ab0cb2be8a1d9db5362a6d1b756e9

SHA256
12279d4d2d7f80562f79d4dbcb7b63428e924c30a5e95f45cb0d08001a9cbddc

SHA512
5af862211a8841bd6a205ed6c9a06ab52f393d08a41c94a814f399dda28d20641ee3abbeefecaaba6bf0d0edd83d6ccf72675ca0e40e7d56966a035c3f4bb822

Download Submit
memory/1208-520-0x00000000025B0000-0x00000000025B3000-memory.dmp

Filesize
12KB

Download
memory/1208-531-0x0000000008A60000-0x0000000008D0B000-memory.dmp

Filesize
2.7MB

Download
memory/1208-530-0x00000000025B0000-0x00000000025B3000-memory.dmp

Filesize
12KB

Download
memory/1208-525-0x0000000008A60000-0x0000000008D0B000-memory.dmp

Filesize
2.7MB

Download
memory/1208-522-0x00000000025B0000-0x00000000025B3000-memory.dmp

Filesize
12KB

Download
memory/1208-523-0x0000000008A60000-0x0000000008D0B000-memory.dmp

Filesize
2.7MB

Download
memory/1732-545-0x0000000001FA0000-0x000000000222A000-memory.dmp

Filesize
2.5MB

Download
memory/1732-551-0x0000000001FA0000-0x000000000222A000-memory.dmp

Filesize
2.5MB

Download
memory/1732-535-0x00000000000E0000-0x00000000001E0000-memory.dmp

Filesize
1024KB

Download
memory/1732-537-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1732-554-0x0000000001FA0000-0x000000000222A000-memory.dmp

Filesize
2.5MB

Download
memory/1732-553-0x000007FEBF440000-0x000007FEBF450000-memory.dmp

Filesize
64KB

Download
memory/1732-540-0x0000000000210000-0x0000000000213000-memory.dmp

Filesize
12KB

Download
memory/1732-543-0x0000000001FA0000-0x000000000222A000-memory.dmp

Filesize
2.5MB

Download
memory/2668-0-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2668-65-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2668-222-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2668-66-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2668-108-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2668-145-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2668-194-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing