44ce8e76326d5ee7940776a146cc02b666b7d47d4fc7c4ad3dd471e25b41b2b4

General

Target

bypass pure mode/Loader.exe
Size

678KB
MD5

955a20bf9bbfc6a650f027d98de5dcde
SHA1

4e688a55950cb668f8e644230ef53f1854cfa960
SHA256

aec5fd78e242dbc6f94b87e479982b11c2d07f50b7008df3d735a45e765d9baa
SHA512

737e384f576080acf8c549c349301d3aef913235a02ca065d4a06425d21779da1a8f6a198d399e386977d4f7d92e7083a2ae46a16362782716541e460908a957
SSDEEP

12288:RD7/3BHTnGdBbrxr5kwvhnN9Lto9ghiJGZ/O:RD7/BHjGdBPxlfnN9LquhiuO

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2536	check.exe
2400	check_pic.exe
2356	sgs.exe

Loads dropped DLL 3 IoCs

pid	Process
848	Loader.exe
2536	check.exe
2356	sgs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Loader.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
848	Loader.exe
848	Loader.exe
848	Loader.exe
848	Loader.exe
848	Loader.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2536	848	Loader.exe	30
PID 848 wrote to memory of 2536	848	Loader.exe	30
PID 848 wrote to memory of 2536	848	Loader.exe	30
PID 848 wrote to memory of 2400	848	Loader.exe	31
PID 848 wrote to memory of 2400	848	Loader.exe	31
PID 848 wrote to memory of 2400	848	Loader.exe	31
PID 848 wrote to memory of 2840	848	Loader.exe	32
PID 848 wrote to memory of 2840	848	Loader.exe	32
PID 848 wrote to memory of 2840	848	Loader.exe	32
PID 2840 wrote to memory of 2044	2840	cmd.exe	33
PID 2840 wrote to memory of 2044	2840	cmd.exe	33
PID 2840 wrote to memory of 2044	2840	cmd.exe	33
PID 2840 wrote to memory of 584	2840	cmd.exe	34
PID 2840 wrote to memory of 584	2840	cmd.exe	34
PID 2840 wrote to memory of 584	2840	cmd.exe	34
PID 2840 wrote to memory of 684	2840	cmd.exe	35
PID 2840 wrote to memory of 684	2840	cmd.exe	35
PID 2840 wrote to memory of 684	2840	cmd.exe	35
PID 2536 wrote to memory of 2356	2536	check.exe	36
PID 2536 wrote to memory of 2356	2536	check.exe	36
PID 2536 wrote to memory of 2356	2536	check.exe	36

C:\Users\Admin\AppData\Local\Temp\bypass pure mode\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\bypass pure mode\Loader.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Public\check.exe
  "C:\Users\Public\check.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\onefile_2536_133578487466096000\sgs.exe
    "C:\Users\Public\check.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2356
- C:\Users\Public\check_pic.exe
  "C:\Users\Public\check_pic.exe"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\bypass pure mode\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\bypass pure mode\Loader.exe" MD5
    3⤵
    PID:2044
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:584
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4E37.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2536_133578487466096000\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2536_133578487466096000\sgs.exe

Filesize
7.1MB

MD5
098872a13a78f8257d851afccd0c2844

SHA1
2053648323f7e9dd5cb902e46b5ec4bc4c2ad847

SHA256
63068a96967ef87be04e63f5b10934e807f92f51700cc04aded591cf60f8d78a

SHA512
aaca8d2dfe8e16a5a17728ff954f76e625d9b14c4f1bdacb2bc9c8af87129f407e775c15f86c49858beb1310fb865add336dc7e00276afbf4fe14e22e5bf4436

Download Submit
C:\Users\Public\check.exe

Filesize
14.0MB

MD5
3899a0b48d9e8ea5e03620341e7629dd

SHA1
1810ab9cc98fcf63bdc56bd563c42c90fdfee822

SHA256
98cca85b218b970a6210c5200fad72f748b0c85cc7aab8aee5776015891bd61a

SHA512
5445636d3e505eba0fc69c8f27792cc82ff27f9c595cd72ce31cf7c334a83429f373d167a2be383ed4c94aeec5ad2a8eb51567d2e3ae34955d8170a8787cbfd0

Download Submit
C:\Users\Public\check_pic.exe

Filesize
91KB

MD5
2a6bcd471e17bf7e517ed75b3f96dfd9

SHA1
2a1318834be42e05de6c1a466958ce475b1bbb58

SHA256
939fed83d6381ce90f7e69833204f77be7134c62b0fef6f2d8e82722b1a30e9c

SHA512
f10bc9f91b0c3b497bb1aea79022948d56979f04f86d3992066ade731a776246231c93c1045a57c70514ddd1f3e0d87d9ec88f166f180667adac8f7c2619099c

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2536_133578487466096000\sgs.exe

Filesize
7.1MB

MD5
51e89f6bbe86994a8a2c36ea45262d7a

SHA1
15e83826928920c43311c1dde21774ccb709cb5f

SHA256
9416c69bd75dbe9499f625104354bf7880583b89f73f0c265e19f8ef69798d67

SHA512
2d44edc67d478e6330741a07362178d284b6d7bb1e76654f46920357b1164f6a62ba08423c3c36ec9a3806d42d1555a7580a076546f425cf3365d117d899fbd2

Download Submit
memory/2400-130-0x0000000000880000-0x000000000089E000-memory.dmp

Filesize
120KB

Download
memory/2400-131-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing