16606e8c9ede6fa6e5e2eba35adacd4a8b59f6096361acf31aa48943eef015c3

General

Target

71ea2bdbb9d73538dd4ca5ea74d11754.exe
Size

574KB
MD5

71ea2bdbb9d73538dd4ca5ea74d11754
SHA1

8092886f01a74b59d86e18d0def00b5593ce17e8
SHA256

16606e8c9ede6fa6e5e2eba35adacd4a8b59f6096361acf31aa48943eef015c3
SHA512

4d3b2b55440cd60357d46106b7addea223e85ecc82ed4993c7af0e3f8ceb2e07a5218ebcdf963f78371a71fd364d822dfc87603a4b1a31129ea84c5ff6a07280
SSDEEP

12288:dDzaKlirFT0cD8lR77JAaM3auKvokDKTpYKmx8iBQaAm:dDzP0FTxPCkGKcPiK

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	71ea2bdbb9d73538dd4ca5ea74d11754.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	71ea2bdbb9d73538dd4ca5ea74d11754.exe

Executes dropped EXE 1 IoCs

pid	Process
3256	s5530.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	s5530.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s5530.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	s5530.exe
File opened for modification	C:\Windows\assembly	s5530.exe
File created	C:\Windows\assembly\Desktop.ini	s5530.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4800	1604	WerFault.exe	19

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	71ea2bdbb9d73538dd4ca5ea74d11754.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	71ea2bdbb9d73538dd4ca5ea74d11754.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	s5530.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	s5530.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	s5530.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1604	71ea2bdbb9d73538dd4ca5ea74d11754.exe
1604	71ea2bdbb9d73538dd4ca5ea74d11754.exe
3256	s5530.exe
3256	s5530.exe
3256	s5530.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	s5530.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3256	s5530.exe
3256	s5530.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 3256	1604	71ea2bdbb9d73538dd4ca5ea74d11754.exe	82
PID 1604 wrote to memory of 3256	1604	71ea2bdbb9d73538dd4ca5ea74d11754.exe	82

C:\Users\Admin\AppData\Local\Temp\71ea2bdbb9d73538dd4ca5ea74d11754.exe
"C:\Users\Admin\AppData\Local\Temp\71ea2bdbb9d73538dd4ca5ea74d11754.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\n5530\s5530.exe
  "C:\Users\Admin\AppData\Local\Temp\n5530\s5530.exe" /u 53747c9e-b4dc-48b2-845f-0a0d0a000013 /h 6d77.api.socdn.com /e 12742611 /v "C:\Users\Admin\AppData\Local\Temp\71ea2bdbb9d73538dd4ca5ea74d11754.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 3820
  2⤵
  - Program crash
  PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1604 -ip 1604
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n5530\s5530.exe

Filesize
355KB

MD5
827273c6e70f13af757ef17c6f653ade

SHA1
94fb9c0c54bafc7c4d42de346cb7da1dcf9fa78a

SHA256
b8f73d6e26a6c95d5087046bd2030b856c6d87f10e4c9a9d85fb6821661f0b7f

SHA512
f1f864a02820113d6a5559c58be13892e00b9e21161c6e12bfd9c26249de4f67d640c9ff54d7699a0854a8dc0f38ee49a587d4714f14971383f5502bb32f6251

Download Submit
memory/3256-14-0x00007FFEA6C00000-0x00007FFEA75A1000-memory.dmp

Filesize
9.6MB

Download
memory/3256-16-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3256-15-0x00007FFEA6C00000-0x00007FFEA75A1000-memory.dmp

Filesize
9.6MB

Download
memory/3256-35-0x000000001B560000-0x000000001B574000-memory.dmp

Filesize
80KB

Download
memory/3256-39-0x000000001C520000-0x000000001C5BC000-memory.dmp

Filesize
624KB

Download
memory/3256-38-0x000000001BFB0000-0x000000001C47E000-memory.dmp

Filesize
4.8MB

Download
memory/3256-40-0x000000001C680000-0x000000001C6E2000-memory.dmp

Filesize
392KB

Download
memory/3256-41-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3256-42-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3256-43-0x000000001B550000-0x000000001B558000-memory.dmp

Filesize
32KB

Download
memory/3256-44-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3256-45-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3256-46-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3256-47-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3256-48-0x000000001FC70000-0x000000001FDAC000-memory.dmp

Filesize
1.2MB

Download
memory/3256-49-0x00000000202C0000-0x00000000207CE000-memory.dmp

Filesize
5.1MB

Download
memory/3256-50-0x0000000020BD0000-0x0000000020CD0000-memory.dmp

Filesize
1024KB

Download
memory/3256-51-0x0000000020BD0000-0x0000000020CD0000-memory.dmp

Filesize
1024KB

Download
memory/3256-52-0x00007FFEA6C00000-0x00007FFEA75A1000-memory.dmp

Filesize
9.6MB

Download
memory/3256-54-0x00007FFEA6C00000-0x00007FFEA75A1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads