25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9

General

Target

25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Size

10.2MB
MD5

64868096512b6e0abee29d12645a9077
SHA1

c272a484aca1b52eca12fb565a36d19904fa8c1b
SHA256

25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9
SHA512

61cd7bfd7cf959d31193c127a9de94694bdba6fbd5fda73ac24232c136dc49d34887ff983f0ca3a3f20887819730f20399b3ce84c29a79015d8b0e82292b8746
SSDEEP

196608:D5IDVaHSbvxMVl1WDtyvJl2IMizYV0GRvZcDEYtOJzCLg+DJeCk8L+TtWLH:VIFvxW+tyhl2jahtWClzk8OOH

Score

7^/10

bootkit persistence upx vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

certmgr.exe

pid process

2980 certmgr.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2584 cmd.exe
2584 cmd.exe

pid	process
2980	certmgr.exe

pid	process
2584	cmd.exe
2584	cmd.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3016-14-0x0000000010000000-0x00000000106F0000-memory.dmp	upx
behavioral1/memory/3016-22-0x0000000003BB0000-0x0000000003CEB000-memory.dmp	upx
behavioral1/memory/3016-21-0x0000000003BB0000-0x0000000003CEB000-memory.dmp	upx
behavioral1/memory/3016-19-0x0000000003BB0000-0x0000000003CEB000-memory.dmp	upx
behavioral1/memory/3016-18-0x0000000010000000-0x00000000106F0000-memory.dmp	upx
behavioral1/memory/3016-17-0x0000000010000000-0x00000000106F0000-memory.dmp	upx
behavioral1/memory/2304-44-0x0000000004660000-0x000000000479B000-memory.dmp	upx
behavioral1/memory/2304-43-0x0000000004660000-0x000000000479B000-memory.dmp	upx
behavioral1/memory/2304-41-0x0000000004660000-0x000000000479B000-memory.dmp	upx
behavioral1/memory/3048-61-0x0000000004560000-0x000000000469B000-memory.dmp	upx
behavioral1/memory/3048-63-0x0000000004560000-0x000000000469B000-memory.dmp	upx
behavioral1/memory/3048-64-0x0000000004560000-0x000000000469B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe	upx
behavioral1/memory/2980-72-0x0000000001000000-0x0000000001016000-memory.dmp	upx
behavioral1/memory/3048-75-0x0000000003590000-0x00000000035DB000-memory.dmp	upx
behavioral1/memory/3048-76-0x0000000003590000-0x00000000035DB000-memory.dmp	upx
behavioral1/memory/3048-73-0x0000000003590000-0x00000000035DB000-memory.dmp	upx

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/3016-0-0x0000000000400000-0x0000000001C6F000-memory.dmp	vmprotect
behavioral1/memory/3016-11-0x0000000000400000-0x0000000001C6F000-memory.dmp	vmprotect
behavioral1/memory/3016-13-0x0000000000400000-0x0000000001C6F000-memory.dmp	vmprotect
behavioral1/memory/3016-16-0x0000000000400000-0x0000000001C6F000-memory.dmp	vmprotect
behavioral1/memory/3016-23-0x0000000000400000-0x0000000001C6F000-memory.dmp	vmprotect
behavioral1/memory/2304-33-0x0000000000400000-0x0000000001C6F000-memory.dmp	vmprotect
behavioral1/memory/3016-35-0x0000000000400000-0x0000000001C6F000-memory.dmp	vmprotect
behavioral1/memory/3048-53-0x0000000000400000-0x0000000001C6F000-memory.dmp	vmprotect
behavioral1/memory/2304-56-0x0000000000400000-0x0000000001C6F000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

25EEE3~1.EXE

description ioc process

File opened for modification \??\PhysicalDrive0 25EEE3~1.EXE
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe25EEE3~1.EXE25EEE3~1.EXE

pid process

3016 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
2304 25EEE3~1.EXE
3048 25EEE3~1.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	25EEE3~1.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe25EEE3~1.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe = "7000"	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\25EEE3~1.EXE = "7000"	25EEE3~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

certmgr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B47DABE24A4E3F9F808716BA294AB25F4B19B9E	certmgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B47DABE24A4E3F9F808716BA294AB25F4B19B9E\Blob = 0300000001000000140000002b47dabe24a4e3f9f808716ba294ab25f4b19b9e20000000010000000504000030820401308202e9a003020102020900976270bfb63b01e2300d06092a864886f70d01010b0500308195310b300906035504061302434e3110300e06035504080c076265696a696e673110300e06035504070c076265696a696e67310d300b060355040a0c04656d6963310d300b060355040b0c0474656368311e301c06035504030c156b7379772e7a7878732e656d69732e6564752e636e3124302206092a864886f70d010901161561646d696e40656d69632e6564752e676f762e636e3020170d3139303232333130313534305a180f32313139303133303130313534305a308195310b300906035504061302434e3110300e06035504080c076265696a696e673110300e06035504070c076265696a696e67310d300b060355040a0c04656d6963310d300b060355040b0c0474656368311e301c06035504030c156b7379772e7a7878732e656d69732e6564752e636e3124302206092a864886f70d010901161561646d696e40656d69632e6564752e676f762e636e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dadfc5aea0e2d7358e7895f14bafa1dd80ad41a95ac03cc40de34c12cb7c8dfa54ee412955b6f24006aa4a600d488017cff34e44d33d9c803d9d323807bba6882ca9c4bdbb8fca7cb86d06dd80a49c99da125693a8f99114f63c1ebdaa222e0033ebea44087613e9943433855edc3e0b15d8786ac07e769a8cdc10e10d1e96adbc7739f69b8b4977a1fbddfc628322cb756f82277a6713b5654f8686b584743e0ce6c627aa79b758b77a79862e76b38bf2ab0f9809d9bcea71a3e394256a785b8f721135b3b9538b2e58be25c3135a397c20863b58a518fdfbdb312b326b9e570733127b55a7d3c2129f89ac868eadad01b0f7e0fd39f10752e8bd04881296870203010001a350304e301d0603551d0e04160414513edb47cf09de0ee23f363f8f440c1be5ab7961301f0603551d23041830168014513edb47cf09de0ee23f363f8f440c1be5ab7961300c0603551d13040530030101ff300d06092a864886f70d01010b0500038201010033d3a6481b61d23310b49e9a408eacd14bd6c9812f13442a37552f69230dff6aed86d59c040490607a326f7285802ab6ba592d7116f490be1f0808aaeb7dea5acc3ef9cc1d07e09724229dd76f3b7efded78863b3a84f1e84033773aa51b87a0647229712f734ebab87f4d494b4b5acb0c56d9f22ad32280e53f51fde5fbf9fc166af4fa6e9735102dae6ce20a54a0b9c57f82697401afb0d568a4685259a672df02901e2703abac4049a32327e0ff3c25d8d624d196b04f6ac694026ce40aaba1a02ce7541ad8a5123e65e9a14483a2b4f0b434616089207d1411e37c22bb692be6f684aa96adead03d78e14ca9937211c94db5724889a5635dd9a9968fa6db	certmgr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe25EEE3~1.EXE25EEE3~1.EXE

pid	process
3016	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
2304	25EEE3~1.EXE
3048	25EEE3~1.EXE
3048	25EEE3~1.EXE
3048	25EEE3~1.EXE
3048	25EEE3~1.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe25EEE3~1.EXE25EEE3~1.EXE

pid	process
3016	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
3016	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
3016	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
3016	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
2304	25EEE3~1.EXE
2304	25EEE3~1.EXE
2304	25EEE3~1.EXE
2304	25EEE3~1.EXE
3048	25EEE3~1.EXE
3048	25EEE3~1.EXE
3048	25EEE3~1.EXE
3048	25EEE3~1.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe25EEE3~1.EXE25EEE3~1.EXEcmd.execmd.exe

description	pid	process	target process
PID 3016 wrote to memory of 2304	3016	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe	25EEE3~1.EXE
PID 3016 wrote to memory of 2304	3016	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe	25EEE3~1.EXE
PID 3016 wrote to memory of 2304	3016	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe	25EEE3~1.EXE
PID 3016 wrote to memory of 2304	3016	25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe	25EEE3~1.EXE
PID 2304 wrote to memory of 3048	2304	25EEE3~1.EXE	25EEE3~1.EXE
PID 2304 wrote to memory of 3048	2304	25EEE3~1.EXE	25EEE3~1.EXE
PID 2304 wrote to memory of 3048	2304	25EEE3~1.EXE	25EEE3~1.EXE
PID 2304 wrote to memory of 3048	2304	25EEE3~1.EXE	25EEE3~1.EXE
PID 3048 wrote to memory of 2632	3048	25EEE3~1.EXE	cmd.exe
PID 3048 wrote to memory of 2632	3048	25EEE3~1.EXE	cmd.exe
PID 3048 wrote to memory of 2632	3048	25EEE3~1.EXE	cmd.exe
PID 3048 wrote to memory of 2632	3048	25EEE3~1.EXE	cmd.exe
PID 2632 wrote to memory of 2528	2632	cmd.exe	certutil.exe
PID 2632 wrote to memory of 2528	2632	cmd.exe	certutil.exe
PID 2632 wrote to memory of 2528	2632	cmd.exe	certutil.exe
PID 2632 wrote to memory of 2528	2632	cmd.exe	certutil.exe
PID 3048 wrote to memory of 2584	3048	25EEE3~1.EXE	cmd.exe
PID 3048 wrote to memory of 2584	3048	25EEE3~1.EXE	cmd.exe
PID 3048 wrote to memory of 2584	3048	25EEE3~1.EXE	cmd.exe
PID 3048 wrote to memory of 2584	3048	25EEE3~1.EXE	cmd.exe
PID 2584 wrote to memory of 2980	2584	cmd.exe	certmgr.exe
PID 2584 wrote to memory of 2980	2584	cmd.exe	certmgr.exe
PID 2584 wrote to memory of 2980	2584	cmd.exe	certmgr.exe
PID 2584 wrote to memory of 2980	2584	cmd.exe	certmgr.exe

C:\Users\Admin\AppData\Local\Temp\25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
"C:\Users\Admin\AppData\Local\Temp\25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
  C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
    C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c certutil -store AuthRoot
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\certutil.exe
        
        certutil -store AuthRoot
        5⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe /c /add C:\Users\Admin\AppData\Local\Temp\ksywzs\kspt.crt /s /r localMachine AuthRoot
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe
        
        C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe /c /add C:\Users\Admin\AppData\Local\Temp\ksywzs\kspt.crt /s /r localMachine AuthRoot
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe

Filesize
35KB

MD5
53d93f81c9f18bb548d1d0d8ac9b0695

SHA1
f7a620e722eede78493fdf45942d958cdb753820

SHA256
69ecd50e3a508f32dfc246523766a557fca61817e8e1fa71718fa66a1c2ae802

SHA512
4b3b942bc429bb82d073f71f115c7b5ad66191f7c51c5066431be530f03fa24a90f06286a86c3864bcd6f06e017529507f209b276635af7c9bbc8dc44b333a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksywzs\kspt.crt

Filesize
1KB

MD5
dccaa52994def4f24a8dc7cfc5004a7a

SHA1
797d1829abb4c83f1d756056a5533b02f4011402

SHA256
f14bf733e5584841b12cb9f4b4eb189649be6310324984af2242289dd31d5387

SHA512
784aaeee8023f410eb9753b7080b57dca37a5e628311b5c9a24bb6f0db59f07ef674db0004e78da17b2e3007526ddafab1f1ac4524dd4b4095e43d74deeba6a9

Download Submit
memory/2304-33-0x0000000000400000-0x0000000001C6F000-memory.dmp

Filesize
24.4MB

Download
memory/2304-56-0x0000000000400000-0x0000000001C6F000-memory.dmp

Filesize
24.4MB

Download
memory/2304-41-0x0000000004660000-0x000000000479B000-memory.dmp

Filesize
1.2MB

Download
memory/2304-43-0x0000000004660000-0x000000000479B000-memory.dmp

Filesize
1.2MB

Download
memory/2304-44-0x0000000004660000-0x000000000479B000-memory.dmp

Filesize
1.2MB

Download
memory/2980-72-0x0000000001000000-0x0000000001016000-memory.dmp

Filesize
88KB

Download
memory/3016-22-0x0000000003BB0000-0x0000000003CEB000-memory.dmp

Filesize
1.2MB

Download
memory/3016-13-0x0000000000400000-0x0000000001C6F000-memory.dmp

Filesize
24.4MB

Download
memory/3016-19-0x0000000003BB0000-0x0000000003CEB000-memory.dmp

Filesize
1.2MB

Download
memory/3016-18-0x0000000010000000-0x00000000106F0000-memory.dmp

Filesize
6.9MB

Download
memory/3016-17-0x0000000010000000-0x00000000106F0000-memory.dmp

Filesize
6.9MB

Download
memory/3016-16-0x0000000000400000-0x0000000001C6F000-memory.dmp

Filesize
24.4MB

Download
memory/3016-23-0x0000000000400000-0x0000000001C6F000-memory.dmp

Filesize
24.4MB

Download
memory/3016-24-0x00000000049A0000-0x000000000620F000-memory.dmp

Filesize
24.4MB

Download
memory/3016-0-0x0000000000400000-0x0000000001C6F000-memory.dmp

Filesize
24.4MB

Download
memory/3016-35-0x0000000000400000-0x0000000001C6F000-memory.dmp

Filesize
24.4MB

Download
memory/3016-14-0x0000000010000000-0x00000000106F0000-memory.dmp

Filesize
6.9MB

Download
memory/3016-21-0x0000000003BB0000-0x0000000003CEB000-memory.dmp

Filesize
1.2MB

Download
memory/3016-8-0x0000000076560000-0x0000000076561000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x0000000077770000-0x0000000077771000-memory.dmp

Filesize
4KB

Download
memory/3016-11-0x0000000000400000-0x0000000001C6F000-memory.dmp

Filesize
24.4MB

Download
memory/3016-3-0x0000000000401000-0x0000000000753000-memory.dmp

Filesize
3.3MB

Download
memory/3016-4-0x0000000077770000-0x0000000077771000-memory.dmp

Filesize
4KB

Download
memory/3048-64-0x0000000004560000-0x000000000469B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-63-0x0000000004560000-0x000000000469B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-61-0x0000000004560000-0x000000000469B000-memory.dmp

Filesize
1.2MB

Download
memory/3048-53-0x0000000000400000-0x0000000001C6F000-memory.dmp

Filesize
24.4MB

Download
memory/3048-75-0x0000000003590000-0x00000000035DB000-memory.dmp

Filesize
300KB

Download
memory/3048-76-0x0000000003590000-0x00000000035DB000-memory.dmp

Filesize
300KB

Download
memory/3048-73-0x0000000003590000-0x00000000035DB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads