34d3ec88373d435294e7dfffa802b647b28548aae4165be309d58e5ab3598ec3

General

Target

9968ffa4fcd751cb7d5493ce34e0e2e0N.exe
Size

34KB
MD5

9968ffa4fcd751cb7d5493ce34e0e2e0
SHA1

90fb6a295be212ced6441f5c1749ad35130eade4
SHA256

34d3ec88373d435294e7dfffa802b647b28548aae4165be309d58e5ab3598ec3
SHA512

0394fdd5774fb5e2928762d6e54e3e57d5bfbb8d0e6d5aa67a34078eeff4624e9acce13bb3b39775c494b422a286f6338c365dc5c174ae20a0158b0aed1a16b4
SSDEEP

384:6DsjPGY2HXgr3hLZUgch1A9NB/erxiU6UvsaIapwvduzSof1wJjcU+olVr:kePG5H8x6gs1lxVNauzbfIcUjj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	winupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
1788	9968ffa4fcd751cb7d5493ce34e0e2e0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9968ffa4fcd751cb7d5493ce34e0e2e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	winupdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	winupdate.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1984	1788	9968ffa4fcd751cb7d5493ce34e0e2e0N.exe	30
PID 1788 wrote to memory of 1984	1788	9968ffa4fcd751cb7d5493ce34e0e2e0N.exe	30
PID 1788 wrote to memory of 1984	1788	9968ffa4fcd751cb7d5493ce34e0e2e0N.exe	30
PID 1788 wrote to memory of 1984	1788	9968ffa4fcd751cb7d5493ce34e0e2e0N.exe	30
PID 1788 wrote to memory of 1984	1788	9968ffa4fcd751cb7d5493ce34e0e2e0N.exe	30
PID 1788 wrote to memory of 1984	1788	9968ffa4fcd751cb7d5493ce34e0e2e0N.exe	30
PID 1788 wrote to memory of 1984	1788	9968ffa4fcd751cb7d5493ce34e0e2e0N.exe	30

C:\Users\Admin\AppData\Local\Temp\9968ffa4fcd751cb7d5493ce34e0e2e0N.exe
"C:\Users\Admin\AppData\Local\Temp\9968ffa4fcd751cb7d5493ce34e0e2e0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\winupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\winupdate.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winupdate.exe

Filesize
35KB

MD5
37ee7f88ab24aa6346c70445d7b062a8

SHA1
bb0dedd6b0036b8c64406460356fc6e517232c26

SHA256
254ffbda5a494fabd338cbfbcee55e55feef23570424a7c441c41aaa530997f3

SHA512
d0a4127be3cc2fb2cabb2c44d5a309997ab29447db825963d170fd682441489664f51dcb4045194930e0d6cbd03e2a3c878e7090ca7bd37e0a1fc4bd361a662f

Download Submit
memory/1788-0-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1788-2-0x0000000000501000-0x0000000000502000-memory.dmp

Filesize
4KB

Download
memory/1788-10-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1788-8-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download
memory/1984-9-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/1984-12-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing