6090635a5cd426b63a8b135683b24437e759ea979b25c62578d0960692645e27

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6090635a5cd426b63a8b135683b24437e759ea979b25c62578d0960692645e27.exe
Size

12.8MB
MD5

810d8c6afbadf05947dffefd88280060
SHA1

b47a69eb6e43886243a0bc54f0b96d9103b91f9e
SHA256

6090635a5cd426b63a8b135683b24437e759ea979b25c62578d0960692645e27
SHA512

7f3429666cf6180c19c310cb48cb2fb88426d044c8a51328fd820aadd20ffca967c75f084db28ec1ae309ffc766594d2b29f1c6030093a48cdc70f2f19fedce3
SSDEEP

393216:m2viMGvEwKHtICVnYtwC2b2dNBYpnuTtOT6c4Ws:3veEwKH2wYtwCDcOt2s

Score

9^/10

oss_ak upx

Malware Config

Signatures

detect oss ak 1 IoCs

oss ak information detected.

oss_ak

Processes:

resource	yara_rule
behavioral1/memory/3068-275-0x0000000000C20000-0x0000000003C4B000-memory.dmp	detect_ak_stuff

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3068-0-0x0000000000C20000-0x0000000003C4B000-memory.dmp	upx
behavioral1/memory/3068-275-0x0000000000C20000-0x0000000003C4B000-memory.dmp	upx

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

6090635a5cd426b63a8b135683b24437e759ea979b25c62578d0960692645e27.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6090635a5cd426b63a8b135683b24437e759ea979b25c62578d0960692645e27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6090635a5cd426b63a8b135683b24437e759ea979b25c62578d0960692645e27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6090635a5cd426b63a8b135683b24437e759ea979b25c62578d0960692645e27.exe

C:\Users\Admin\AppData\Local\Temp\6090635a5cd426b63a8b135683b24437e759ea979b25c62578d0960692645e27.exe
"C:\Users\Admin\AppData\Local\Temp\6090635a5cd426b63a8b135683b24437e759ea979b25c62578d0960692645e27.exe"
1⤵
- Modifies system certificate store
PID:3068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2e82e4a18292fac23468ad9e296b65f9

SHA1
6d19c663c200713c313a16729a1809c433462f17

SHA256
1245a115d806daee702230eac2467739e2e604b3ab6d15d95fbfe3c75dd64ceb

SHA512
f7937337a0d0718e1f2e3aba8d2ddb455472d308a9475a733e4e8ab171c0eb4f2b517902b4cbfe6799db4b238cc63154187a7f8348158721f885dc7d3b46a3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar396F.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\CrackDict\IMAP-pass.txt
Filesize
647B

MD5
5441e5159032a9a8c26448cc454b2370

SHA1
aa0f8c8ccbf13c489f3ef15afaedef8a469c0d71

SHA256
8f533fab5b00e5d5d41e135311c7bb0560dce9b7814daab23b11fd727ec6a235

SHA512
35bc6d0a5c518a5851d07369c67e6b755e559951a6fa7146f508c17615639d06ce2e60d714c968e1d933ead63063f48dbf0c0cd96a13ee62597fdc6fc246533e

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\CrackDict\IMAP-user.txt
Filesize
17B

MD5
1bd45dc5fcd63654825aa693e0407326

SHA1
3a4567c70aba378d04bc4eff545c28ddc82fb5c4

SHA256
0ceaf90a3e635efcd84c5b45e7586db66136a9f4511cd4aea2072580667fbc25

SHA512
e20f89b18f88df404b63172f6bda7a03b8e63f47542ba09ba98e8255d84e3b68a8a03bcb67fdd4ace7833a786eb2ee1c896c946116aa893e95fb24306e36b6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\CrackDict\LDAPS-pass.txt
Filesize
378B

MD5
d73991d50902727a3a89717188d8b82c

SHA1
7a9d18d4b8a1e11d11366ff221126cce27407490

SHA256
aa7f59e2247e8d87c8a534a3b911e256e412e85f3790511c9e070a5c0c4de57c

SHA512
b8c89e4721ca96a55a5c45f72ff03557701cb8a02b60f0ab4e4631f3cb18f09ae4986e08bb9475121e3a1d64b1badf273132e3b41628114d56e97d52a0efeb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\CrackDict\Socks5-user.txt
Filesize
17B

MD5
fb8a9623fd5b1d8c31228677d7b1aaa6

SHA1
8ae061dbdb1df384dcfb5a06684c0c6a9c361df6

SHA256
b73c856da26ebcc11a6325b6279190e36949766c7e02f95628e5a80c61b6d79d

SHA512
a05086e85ede707f89f8be9099175e011ecfef9fbc1a960d0a98f141476fb45ba6a71d500a1e988ef4712f65e31b2554bc8ff41e65ea83a147d5fa7300e3b9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\CrackDict\VNC-user.txt
Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\CrackDict\WMI-pass.txt
Filesize
648B

MD5
688652a8bdc1e5236fe249b8329e151f

SHA1
820b082e4aba175d3dddfa5ef4ec0a73a49d6330

SHA256
adb16a26d84ac2ced75863678373025555c3a11b447c2cb06ac52a93d5d5e08d

SHA512
66b3a8269ad1b49b0139d0e880a80c07fbc98a23164307a2095d2e735cdd54524be6c68067a7f818aa7924551caa7028e7ea231386c956be83c8efb632f149aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\CrackDict\Webdav-pass.txt
Filesize
582B

MD5
4cf29adaad3ef5aeae5ae8113bb703d7

SHA1
e6f01ad6ee1c541a2c54897dce4afff3711f8d41

SHA256
fb5831d6c6b82ec8ae328aefc6a1af4e60427b541463190f97d9bd92ecd1b8f3

SHA512
d15ba884536294e8b720cf735a3edce7bc1583279969e2d160e8cf02e230e2caad6f1cc68cced4748af361b21aef995f57f1ddfdc5d75cc4fce4e9c14b30f2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\CrackDict\Zookeeper-pass.txt
Filesize
75B

MD5
c78d86e3ec6038f3e1ab6a7d0f4c449a

SHA1
6a0ac926e48e1947c5456fef1038c8c5328abb66

SHA256
6c09e4ebabb5b0752d17630700784aa637bd1db0e7d4540a1582bb93b36122fd

SHA512
907423e3a3990e53ce88cee61f45f8bc00c9c7684fedf1c5c25a63a2d57bf34f0a64abbb5b5f2849a99646912a64d7c7b4474b67bb26859a8fa680c928f5ffde

Download Submit
memory/3068-0-0x0000000000C20000-0x0000000003C4B000-memory.dmp

Filesize
48.2MB

Download
memory/3068-275-0x0000000000C20000-0x0000000003C4B000-memory.dmp

Filesize
48.2MB

Download