40e15b4fa176fe80b124a013d2f6f30769266adebccb0c0ff4965d2eba3d25c3

General

Target

964d0cf040d3627b1fb810ae4c9c4a40N.exe
Size

3.0MB
MD5

964d0cf040d3627b1fb810ae4c9c4a40
SHA1

f2d1211d17a38550d9278f281f6d39b37ff8a682
SHA256

40e15b4fa176fe80b124a013d2f6f30769266adebccb0c0ff4965d2eba3d25c3
SHA512

d889d8e94a9e3aafbdc6f6cbba54ee64eb744b3d40f4adbc690a6f5abdb750c7840e0e0c73111e000484b5ee8bb917ab7e4cca4b2a46e7804d00725797bdafa7
SSDEEP

49152:qiH2AaajKHX/Ft0vR+Y1pxsVnmMAnBxbu2ONWWIL2wM8+AtZiti8:HHRawKHPFyvR+2VMETbu2vrSwM8zg

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	964d0cf040d3627b1fb810ae4c9c4a40N.exe

Executes dropped EXE 1 IoCs

pid	Process
1480	OOLiveUpdateWorker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	964d0cf040d3627b1fb810ae4c9c4a40N.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB	964d0cf040d3627b1fb810ae4c9c4a40N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f	964d0cf040d3627b1fb810ae4c9c4a40N.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	964d0cf040d3627b1fb810ae4c9c4a40N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	964d0cf040d3627b1fb810ae4c9c4a40N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1740	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2424	964d0cf040d3627b1fb810ae4c9c4a40N.exe
2424	964d0cf040d3627b1fb810ae4c9c4a40N.exe
1480	OOLiveUpdateWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1480	2424	964d0cf040d3627b1fb810ae4c9c4a40N.exe	95
PID 2424 wrote to memory of 1480	2424	964d0cf040d3627b1fb810ae4c9c4a40N.exe	95

C:\Users\Admin\AppData\Local\Temp\964d0cf040d3627b1fb810ae4c9c4a40N.exe
"C:\Users\Admin\AppData\Local\Temp\964d0cf040d3627b1fb810ae4c9c4a40N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\OO Software\OO LiveUpdate\Unknown 1724135410\OOLiveUpdateWorker.exe
  "C:\Users\Admin\AppData\Local\Temp\OO Software\OO LiveUpdate\Unknown 1724135410\OOLiveUpdateWorker.exe" -ProgramName "Unknown" -InstalledLocation "C:\Users\Admin\AppData\Local\Temp\\" -WindowRec "367 176"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1480

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A88C01EC98D34B4BDC2AA2BF874C1D

Filesize
471B

MD5
ccb5dddfea906317fad2672bc36a377a

SHA1
c7f85bd450c2b518107bc5cbf29a9b6d408bcb45

SHA256
7bce2c110b58e0d2d5ce0fe080ef5afdf068de99da6db8efb6a3f6a04ff9e16c

SHA512
1cc19d043215737a5c8b849e221db23f4539d3f16d84843d33b59315b638afa5bac89a2887cb1d9f8a697590808271382effd512ef688d73bf8493c57ecb91ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
58fd856ece8c070d5df6faffe2273c60

SHA1
8cc3b05cf38684288a27bf273d94449fd15cab5d

SHA256
1efeaf11f4fdaef3a7a15835e2ec5e70330057ade2a4334692630ffdc952555e

SHA512
7ef07526ac45e0f7ed24db22db44614f102b88e9642952a9ec2e0bc550e73fe3fccec9754a8a426d1a573d8d9c3d0ae798949a6bfeb204302267870b563d2d17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
3a0e611157f1066d08c3e5b273aba714

SHA1
0163f166be0b036cfc2b6ce78d59ede05552de17

SHA256
20a8d02cfcfd8887394536448dc97c88d49a247a4a933ba7081faec72da8fa8e

SHA512
55a387ef662a407ececcba0fca3d0a48e3e9f36eee906684dc78053396915fb5ebe78ea2d1e7ce313001cf9d7b1ea41cda419dc554957d1a4ec80d0fa7e82f00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07A88C01EC98D34B4BDC2AA2BF874C1D

Filesize
480B

MD5
871aacbf3714807abf428d2582300e39

SHA1
6dcbf0c307c3e93dd3d744d16e2ae0747a07dd05

SHA256
9ac2ad94209761d3726a732243e7b651d1b34d21518584c9dc27b5bd63c14ad4

SHA512
66020048bc9288c2d7e9f4d603afd17558cb182a2e2cd77a51c8b3d96d7d73d0f0280dda59dff448f1b3954679a8b5ff5ff5cb17822b52a7afbb32c151e02fcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
615c989499f37dca87a2590579910dfa

SHA1
6b36d8eaddb6c823c84525f05e668d4bbde8a052

SHA256
2bdea2a55e7ec6356783d046dbdf9c81bdd34da9c5ff00c6956984c9f69cf3cd

SHA512
e6ec18bac90e1c332cda9a41fdef1125e56eefb3898998488bb4e6d87f878d6e5e7680ad05494ecbb8186a766649d104668931874ca190e6e10a2323548302ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
19b963dfff2b3fefcd30af092b496904

SHA1
2e7a6d5619fb2f127d8fb7f738fd324f012706cf

SHA256
cace7e2eed156493e4be177b94d4c6c260a543b282cc070af9aae82a51dbfd21

SHA512
2ea1b947f54b1a57f7f78e06ef0b24c392374010928a30c24278ef3f43488ead189515fd5d844fafac792715396c9728e83f0c97e67021bad3d046e9ab6fff5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OO Software\OO LiveUpdate\Unknown 1724135410\OOLiveUpdateWorker.exe

Filesize
3.4MB

MD5
a60244c64ce6080a7965d780970e37bd

SHA1
e0502440acf407d2a89b440f91d4127be0d7566b

SHA256
70a1ccbc632b12e89810717a7b884a964a3a24c14fc43a618564a2f1b17ec0de

SHA512
57fd2339b4719e3f45bb114a8e2b10146df6757f4e87b18a2776815c944e5babc594c3ee575bf10dee5dc0b6840534c050c54c4b570dbb6c9369bf2198815086

Download Submit

Analysis

Sharing